Antispyware vets launch anti-0day startup

Bob Bales and Roger Thompson hit it big with their last venture, antispyware company PestPatrol. Now the two have launched a new company. Their target: drive by downloads and zero day exploits, like the recent Windows Meta File (WMF).

The new company, Exploit Prevention Labs, will launch on Monday with a free beta version of the company's first product, SocketShield, which protects computers against exploitation by previously unknown (zero-day) attacks. After helping launch the antispyware market almost ten years ago, the two are hoping they can make lightening strike twice, waking up consumers and the security market to a threat that some call "crimeware."

The new company was Thompson's brainchild and grew out of research on worm propagation.

"I run this distributed honeypot which I set up to spot when new worms were appearing. As time went on, though, I kept seeing these people get nailed by drive by download and they had no idea how," he said, referring to Web site based attacks that use Web browser or other application vulnerabilities to push out malicious programs to the systems of people who visit the site.

Thompson tweaked his honeypot network to start collecting malicious code distributed by the drive by download sites and was amazed at what he found.

"Some of these install script (Web pages) had more than a million hits," he said.

Unsuspecting Web surfers usually don't intend to visit the attack Web sites, which are often light on content and innocuous looking. However, organized online criminal gangs have become masterful at manipulating search engines like Google to steer users to the sites.

"Typically these Web sites have three parts: a business site where they might advertise for (Web site) affiliates that's completely clean and above board, the lure Web sites that pull in the Googlebots, and the exploit servers which serve the malicious cod and which they guard carefully and try not to make public at all," he said.

SocketShield was developed out of a desire to stop drive by downloads, even when they use an exploit for which no patch has been issued, Thompson said.

"I could see the exploits in the TCP/IP (Transmission Control Protocol/Internet Protocol) stream  and figured that if I could see them, I should be able to stop them," said Thompson who previously worked as a director of malicious code research at Computer Associates International Inc.

The software monitors Web browser communications and uses a reputation filter and data from Thompson's database of exploit sites to block traffic from known drive by download sites. Exploit Prevention Labs has also developed a "reverse honeypot" that scans new Web domains as they're registered and looks for exploit servers, then adds those sites to the domain block list. Finally, heuristics and signatures of known exploits, developed by human researchers, are also used to TCP/IP traffic that contains attacks, Thompson said.

As they did with PestPatrol, which the two started in 2000, then sold to CA in 2004, Thompson and partner Bob Bales hope to strike gold by focusing on an area that major security vendors are overlooking.