April 28, 2006 4:07 PM PDT

Security tool aims to stop drive-by installs

Veterans of antispyware specialist PestPatrol have developed a new tool that throws up roadblocks for so-called drive-by installs of malicious code onto vulnerable PCs.

The tool, called SocketShield, monitors Internet traffic as it enters a PC and takes action based on a blacklist of known bad Web sites and vulnerability signatures, Roger Thompson, chief technology officer at Exploit Prevention Labs, said in an interview Friday. "Before you can open a poisoned page and get infected, we can stop it," he said.

Exploit Prevention Labs is a new company, founded by Thompson and Bob Bales, two former executives at PestPatrol, an early antispyware company that CA (formerly Computer Associates International) bought two years ago.

Elsewhere on CNET
Download it
Get SocketShield 0.9.5 and more information at Download.com

SocketShield is aimed at shielding Windows users against what's known as drive-by installs, the surreptitious installation of malicious software as people surf the Web. Cybercrooks often exploit security holes in Windows, Web browsers and other applications in order to drop spyware, adware, Trojan horses, bots and other software onto the computers of unwitting people. Recent examples include the Windows Meta File flaw and the CreateTextRange bug.

The new tool can provide protection in the time between the publication of a security flaw and the release of a patch by the maker of the flawed software, said Michael Cherry, an analyst at Directions on Microsoft.

"It will always take Microsoft and other software vendors time to patch vulnerabilities," he said. "Having the ability to protect systems while waiting for a patch from the software vendor or while waiting to get the patch distributed would be valuable."

The SocketShield client software is updated continuously with information on known bad Web sites and vulnerability signatures. The vulnerability signature approach is similar to antivirus software; SocketShield checks potentially malicious Web sites against a database of known security exploits.

SocketShield is designed to work alongside other security applications such as antivirus, antispyware and firewall software, Thompson said. "We are providing something they are not," he said. "We're another layer of protection and have done a huge amount of work to make sure we're compatible."

While SocketShield may look a lot like standard intrusion prevention software, it is not, Thompson said. Instead, it is task-focused security software, he said. "Intrusion prevention software tries to be all things to all people and detect things generically so you don't have to patch," he said. "I reckon that is wrong-headed."

A trial, or beta, version of SocketShield for Windows XP, Windows 2000 and Windows 2003 is available at no cost. Exploit Prevention Labs plans to launch a first official version of the tool in early June. That version will cost $29.95 per year. Volume discounts are available. The company also plans to license its technology to third parties.

See more CNET content tagged:
intrusion prevention, PestPatrol, security tool, anti-spyware, patch

5 comments

Join the conversation!
Add your comment
CNet double-speak
I find it interesting reading a story about drive-by installs, and while reading it, CNet pops up a flash thing that scrolls across the screen asking me to click on it!!!
Posted by andyross (15 comments )
Reply Link Flag
Cool, but..
I think it's an interesting idea, but I don't completely understand how it works. He says:

"Before you can open a poisoned page and get infected, we can stop it,"

So it is like the Google Download Accelerator that pre-loads linked pages while you read? and check the page for threats?
______________________________
R.K.
<a class="jive-link-external" href="http://www.Remove-All-Spyware.com" target="_newWindow">http://www.Remove-All-Spyware.com</a>
Posted by Roman12 (214 comments )
Reply Link Flag
Does this make any sense?
I am a mac and windows XP Pro user. In both environments, I
surf only in LIMITED PRIVILEGE accounts (ie, non-administrative
mode). That means whatever tries to infect me, cannot, because
it lacks the privileges to install anything. Antivirus and other
security tools such as this latest one work under the premise of
trying to find and evict criminals from your house after they get
in, because all your doors are unlocked. The way I surf, it's
more like keeping the doors locked so they can't get in in the
first place. I don't run any security software, but I do have
software and hardware firewalls (those tools operate under the
"locked doors" usage model). I have never been infected with
even one trojan, virus, spyware, or popup ad, and I've been
using the internet since its inception!
The only possible vulnerability I had was malware based on the
buffer overflow exploit, but the latest cpu's from Intel and AMD
include the "nonexecute" feature, which closes that vulnerability.
Posted by cubicleslave1 (27 comments )
Reply Link Flag
If I'm not mistaken this network tool is not even detectable .
Finding the expertise needed to protect my registry further from anything less than spyware is everything being spoken in this bioteck read. Certain console settings are not made clear in this article?
I'll bet thirty dollars at Target's music counter that this product is worth owning.
Posted by Pop4 (88 comments )
Reply Link Flag
It's called IDP or DPI and filtering by any other name.
It's not new technology at all. Numerous vendors offer that same protection... but they use standard names such as:

IDP: Intrusion Detection and Prevention
DPI: Deep Packet Inspection

One can filter sites known to be illegal and/or to hold malacious scripts. It works like a Real Time Blacklist updated hourly or daily, or what every they've programmed it to look for recent updates.

One can also look at signatures of viruses, trojans and other spyware by having a realtime updated list of things to watch for and block out to stave off attack attempts to your PC.

Thus it's really old technology... nothing new except for a recent name change.

FWIW
Posted by wbenton (522 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.