Bob Bales and Roger Thompson hit it big with their last venture, antispyware company PestPatrol. Now the two have launched a new company. Their target: drive by downloads and zero day exploits, like the recent Windows Meta File (WMF).
The new company, Exploit Prevention Labs, will launch on Monday with a free beta version of the company's first product, SocketShield, which protects computers against exploitation by previously unknown (zero-day) attacks. After helping launch the antispyware market almost ten years ago, the two are hoping they can make lightening strike twice, waking up consumers and the security market to a threat that some call "crimeware."
The new company was Thompson's brainchild and grew out of research on worm propagation.
"I run this distributed honeypot which I set up to spot when new worms were appearing. As time went on, though, I kept seeing these people get nailed by drive by download and they had no idea how," he said, referring to Web site based attacks that use Web browser or other application vulnerabilities to push out malicious programs to the systems of people who visit the site.
Thompson tweaked his honeypot network to start collecting malicious code distributed by the drive by download sites and was amazed at what he found.
"Some of these install script (Web pages) had more than a million hits," he said.
Unsuspecting Web surfers usually don't intend to visit the attack Web sites, which are often light on content and innocuous looking. However, organized online criminal gangs have become masterful at manipulating search engines like Google to steer users to the sites.
"Typically these Web sites have three parts: a business site where they might advertise for (Web site) affiliates that's completely clean and above board, the lure Web sites that pull in the Googlebots, and the exploit servers which serve the malicious cod and which they guard carefully and try not to make public at all," he said.
SocketShield was developed out of a desire to stop drive by downloads, even when they use an exploit for which no patch has been issued, Thompson said.
"I could see the exploits in the TCP/IP (Transmission Control Protocol/Internet Protocol) stream and figured that if I could see them, I should be able to stop them," said Thompson who previously worked as a director of malicious code research at Computer Associates International Inc.
The software monitors Web browser communications and uses a reputation filter and data from Thompson's database of exploit sites to block traffic from known drive by download sites. Exploit Prevention Labs has also developed a "reverse honeypot" that scans new Web domains as they're registered and looks for exploit servers, then adds those sites to the domain block list. Finally, heuristics and signatures of known exploits, developed by human researchers, are also used to TCP/IP traffic that contains attacks, Thompson said.
As they did with PestPatrol, which the two started in 2000, then sold to CA in 2004, Thompson and partner Bob Bales hope to strike gold by focusing on an area that major security vendors are overlooking.
"We spent two years creating the spyware market…Antispyware was much harder to sell than this," said Bales, who recalled the difficulty of convincing customers not to believe assurances from antivirus vendors that their technology spotted and blocked spyware threats when they didn't.
But if "spyware" was a name that consumers and IT buyers could latch on to, Bales and Thompson admit that they're not quite sure how to brand SocketShield's protection.
"Risk window protection" is one option, said Bales, who noted the recent conundrum that IT managers were placed in when exploit code for a previously unknown flaw in Windows processing of Windows Metafile (WMF) format files was released on the Internet prior to a patch from Microsoft.
"It's another layer of protection. You don't want to have to (use) a third party patch, but what's a user to do?"
But catching much larger competitors like CA, Symantec, Trend Micro, McAfee and now Microsoft napping again might be hard. All those companies are well aware of the "risk window" problem and are hard at work at putting zero day protections into their products. At the same time, pure play vendors like Cyveillance, MarkMonitor and Cyota (now part of RSA Security) have pioneered a market in online risk monitoring and management by scrutinizing scam Web sites and other online criminal activity.
But with big antivirus vendors focused on what Microsoft to do next, startups like Exploit Prevention Labs may be able to carve out a niche with zero-day protection as with spyware, said Richard Stiennon, chief research analyst at ITHarvest, in Birmingham, Michigan.
Zero-day attacks like those using the Windows WMF exploit code create a niche opportunity, because larger vendors have become accustomed to scrambling to cover customers with signatures when new threats arise, Stiennon said.
As with PestPatrol, which benefited from early partnerships with ZoneLabs and Sunbelt Software, the two are hoping to forge relationships with larger vendors that will promote their product.
Zone, which is now part of Check Point Software Technologies Ltd., may be the first stop again, said Bales.
"It's instant credibility. People thought 'My firewall protects me,' Then Zone started selling PestPatrol alongside its product and it basically said 'You need this, too.'"
A beta of SocketShield is available from Exploit Prevention Labs' Web site. When it is commercially released, the product will sell for $29.95, with discounts for large purchases.