Bob Bales and Roger Thompson hit it big with their last venture, antispyware company PestPatrol. Now the two have launched a new company. Their target: drive by downloads and zero day exploits, like the recent Windows Meta File (WMF).
The new company, Exploit Prevention Labs, will launch with a free beta version of the company's first product, SocketShield, which protects computers against exploitation by previously unknown (zero-day) attacks. After helping launch the anti-spyware market almost ten years ago, the two are hoping they can make lightening strike twice, waking up consumers and the security market to a threat that some call "crimeware."
The new company was Thompson's brainchild and grew out of research on worm propagation. "I run this distributed honeypot which I set up to spot when new worms were appearing. As time went on, though, I kept seeing these people get nailed by drive by download and they had no idea how," he says, referring to website-based attacks that use web browser or other application vulnerabilities to push out malicious programs to the systems of people who visit the site. Thompson tweaked his honeypot network to start collecting malicious code distributed by the drive by download sites and was amazed at what he found. "Some of these install script (web pages) had more than a million hits," he says. Unsuspecting surfers usually don't intend to visit the attack websites, which are often light on content and innocuous looking. However, organised online criminal gangs have become masterful at manipulating search engines like Google to steer users to the sites. "Typically these websites have three parts: a business site where they might advertise for affiliates that's completely clean and above board. The "lure websites" that pull in the Googlebots and the exploit servers which serve the malicious code and which they guard carefully and try not to make public at all," he says. SocketShield was developed out of a desire to stop drive by downloads, even when they use an exploit for which no patch has been issued, Thompson says. "I could see the exploits in the TCP/IP stream and figured that if I could see them, I should be able to stop them," says Thompson who previously worked as a director of malicious code research at Computer Associates International. The software monitors browser communications and uses a reputation filter and data from Thompson's database of exploit sites to block traffic from known drive by download sites. Exploit Prevention Labs has also developed a "reverse honeypot" that scans new web domains as they're registered and looks for exploit servers, then adds those sites to the domain block list. Finally, heuristics and signatures of known exploits, developed by human researchers, are also used to TCP/IP traffic that contains attacks, Thompson says. As they did with PestPatrol, which the two started in 2000, then sold to CA in 2004, Thompson and partner Bob Bales hope to strike gold by focusing on an area that major security vendors are overlooking. "We spent two years creating the spyware market ... Anti-spyware was much harder to sell than this," said Bales, who recalled the difficulty of convincing customers not to believe assurances from antivirus vendors that their technology spotted and blocked spyware threats when they didn't. But if "spyware" was a name that consumers and IT buyers could latch on to, Bales and Thompson admit that they're not quite sure how to brand SocketShield's protection. "Risk window protection" is one option, says Bales, who noted the recent conundrum that IT managers were placed in when exploit code for a previously unknown flaw in Windows processing of Windows Metafile (WMF) format files was released on the Internet prior to a patch from Microsoft. "It's another layer of protection. You don't want to have to [use] a third party patch, but what's a user to do?" But catching much larger competitors like CA, Symantec, Trend Micro, McAfee and now Microsoft napping again might be hard. All those companies are well aware of the "risk window" problem and are hard at work at putting zero day protections into their products. At the same time, pure play vendors like Cyveillance, MarkMonitor and Cyota (now part of RSA Security) have pioneered a market in online risk monitoring and management by scrutinizing scam websites and other online criminal activity. As with PestPatrol, which benefited from early partnerships with ZoneLabs and Sunbelt Software, the two are hoping to forge relationships with larger vendors that will promote their product. Zone, which is now part of Check Point Software Technologies, may be the first stop again, says Bales. "It's instant credibility. People thought 'my firewall protects me,' Then Zone started selling PestPatrol alongside its product and it basically said 'you need this, too'."