SocketShield / protection against zero-day exploits

Discussion in 'other anti-malware software' started by Smokey, Apr 29, 2006.

Thread Status:
Not open for further replies.
  1. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hey Smokey,

    Thanks for the kind thoughts. We think it's got some potential too. :)

    We tested it pretty hard, and don't know about too many problems, so I'd like to try to fix yours too.

    What OS are you running? What av and antispy are you running? What firewall?

    If you don't want to answer on list, please feel free to contact me directly.

    rthompson@explabs.com.

    Thanks in advance

    Roger
     
  2. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Eldar,

    At first guess, I'd say a conflict with SpySweeper caused some problem. We've tested lots with SpySweeper, but it might easily depend on what's been selected.

    However... we do install an LSP driver, so it's quite possible for any antispy to think it's under attack, and thus cause some conflicts.

    Sorry you had to re-image. We'll check it out some more.

    Roger
     
  3. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    No. According to this article:

     
  4. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    No, it's not just a bad URL blocker. The LSP driver actually looks for exploits and kills them on the TCPIP stream, no matter which website it's coming from.

    Actually, we don't block by URL, but by the IP address that it resolves to. When we know a server throws exploits, it makes sense to flat out block it.

    We're not even saying we're always 100%... there'll always be ways to get past us... but my position is that _most_ of the time, the exploit code and shell code is simply cut and pasted, and just the payload (the program it delivers) is changed, and you can stop an awful lot of it without too much effort, and you can provide cover for people _until_ they can patch.

    If you look at the WMF exploit from December as an example, within a few days of its release, there were arguably 3000 websites that we knew about serving WMFs, and no patch from Microsoft, and yet the exploits were all really similar.... a simple scan and kill took care of them all.

    Cheers

    Roger
     
  5. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Nah... we _want_ to release in June, but it's completely dependent on how well the beta goes. We're in no hurry. Software is ready when it's ready.

    Our _biggest_ problem is the various anti virus and anti spy programs that think they're under attack.

    :)

    Roger
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Nevertheless, it's as negligible as it gets. There's no appreciable difference in overall CPU usage with or without it. There doesn't seem to be a device driver like with a lot of the other security apps around here, though.
     
    Last edited: May 2, 2006
  7. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,233
    How did you measure "overall CPU usage"?

    Of course it wouldn't use a device driver. It isn't a device.
     
  8. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    So you've used it and found it to put a strain on your system?
     
  9. suzi

    suzi Registered Member

    Joined:
    May 2, 2006
    Posts:
    8
    I installed SocketShield on a virtual machine running XP Pro, unpatched with no service packs, also running Spy Sweeper, Sygate free firewall, WinPatrol and CounterSpy. The vm has 384 MB RAM. I didn't have any conflicts or problems at all.

    I went to some websites known for running exploits and sure enough, SocketShield stopped them. :thumb:

    I wrote a review and included some screenshots showing it stopped the exploits in my blog at ZDnet.

    http://blogs.zdnet.com/Spyware/?p=816
     
  10. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Suzi! Your first post, just after joining, and on a very new software with a well supporting post-- makes me think something!... maybe I am wrong anyhow.
    Welcome to Wilders!
    I also wonder why you run Spysweeper and Counterspy together? What about your AV?
    Can you please tell us the details of these sites and exploits!
    Edit: have not read your blog yet.
     
    Last edited: May 3, 2006
  11. Eldar

    Eldar Registered Member

    Joined:
    Jul 12, 2004
    Posts:
    2,126
    Location:
    Vilvoorde (Belgium)
    Hi Suzi & welcome to Wilders, :D
    Good to see you again.
    Hope everything going smooth at Spyware Warrior forum. :)

    Nice to hear you didn't run into trouble like me.
    Great review you've made there. :thumb:
    I'm sure I'll give it another shot when it's out of beta.
    See you around. ;)
     
  12. suzi

    suzi Registered Member

    Joined:
    May 2, 2006
    Posts:
    8
    Aigle and Eldar,

    Thanks for the warm welcome. :)

    Aigle, yes, you can run Spy Sweeper and CounterSpy on the same machine, no problems. I've never heard of any problems, at least. I don't have an anti-virus on the virtual machine, but from what I read SocketShield does not conflict with AV apps. I wouldn't hesitate to try it. The answer to your questions about the sites and exploits is in my blog post. ;)

    Eldar, thanks for the kind words. I always try out something new on a virtual machine first, and in this case I wanted to test it against live exploits, which I wouldn't do on my real machine.

    Best,

    Suzi
     
  13. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Looked at some of the info available on the site, and well... sorry but, yawn. :rolleyes:

    How does this "protect from 0-day exploits"? You don't find "0-day exploits" through signatures like this program does, you can only prevent 0-day exploits by hardening a system.

    The WMF vulnerability was a 0-day because it was actively being used by crackers before it was actually known in the computer security professionals world.

    I see on their site:
    Rubbish. 0-days exploits are not "announced before and then start being used in the real world". They are announced because they are being actively used in the real world. They could have been in circulation for weeks before they're even public knowledge.

    This could well be a good protection product. But the "0-day" stuff is quite misleading.
     
  14. suzi

    suzi Registered Member

    Joined:
    May 2, 2006
    Posts:
    8
    TNT, where this program's zero day exploit protection will be useful is in a case like the WMF exploit. The WMF exploit was announced on Dec. 27 or 28 as I recall, and it had already been in use for at least a few days because I know someone who got hit with it on Christmas day.

    How long did it take Microsoft to release a patch? I believe it was January 4, someone correct me if I'm wrong.

    The exploit code was publicly available for at about a week before the MS patch was released. And the malware pushers were jumping on the bandwagon quickly -- people were getting infected because of the WMF exploit. One tactic malware pushers are using is to hack normal websites and use them for running exploits, like in this case, and for phishing. I've lost count of the hacked websites I've seen in the last month.

    If SocketShield had been available then, it could have stopped a lot of people from getting hit with the WMF exploit before Microsoft issued the patch.

    How long did it take MS to release the patch for the CreateTextRange exploit? The exploit code for that one was published on the web, too. It was announced on March 23 and the patch was released on the next regular patch day, which was April 11.

    I don't work for the company or anything -- I just think a lot of people don't really get the significance of having an app to protect from exploits, especially zero day exploits when the exploit code has been made public, but no patch from Microsoft is available yet.
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    As I understand, SS is a signature-based tool if it removes malware from the net stream. So it can not be accepted as real 0-day attack protection (like an AV, for instance). There are sandbox HIPS for that and for all the browser/e-mail/P2P-based malware (known and unknown).
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Suzi, I am sorry that part of my post was wrong as I did not know you and did not read the blog. I will take back my words.
    BTW, both antispywares you run in real time; still I will not do it unless for testing and comparing the two. Anyhow it's your job and you know better than me.
    Thanks
     
    Last edited: May 3, 2006
  17. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Thanks for the feedback Notok and rogert30062. But I still don't see how this solution differs from other anti-malware tools that scan websites for exploits in real time. And how will this tool protect you from zero day malware? Isn't that the real challenge nowadays? :rolleyes:

    And btw @ Suzi, I went to the test sites (on my virtual machine) but the sites did not work; are they offline at the moment? And since you seem to have access to these exploit sites, perhaps you can also test other anti-malware tools to see how they perform? ;)
     
  18. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Rasheed,

    You wrote ...

    > But I still don't see how this solution differs from other anti-malware tools who scan websites for exploits in realtime.

    Which tools?

    > And how will this tool protect you from zero day malware? Isn't that the real challenge nowadays? :rolleyes:

    By 0-day malware, if you mean 0-day viruses and trojans, it's not meant to protect you from that... that's what anti virus and anti spy software is for.

    SocketShield is not meant to compete with or replace any av or as... it's meant to be another layer of protection until you can patch.

    The problem is this....

    All software has vulnerabilities, and when an exploit is found, at some point you have to patch. Until you can patch, there is a Risk Window.

    However, sometimes a patch is not available, and sometimes a patch is available but you can't use it for some other reason (for example, if you've got 10,000 PCs, you can't patch every month). In those cases, the risk window is really big, and it sucks.

    Now, if the exploit is being used, as was the case with WMF and CreateTextRange, SocketShield is able to provide a way to kill the exploits on the stream, before it even reaches the application it is targeting.

    The point is that exploits are mostly re-used by simply cutting and pasting and changing the payload (the file it delivers), so often, a single sig for the exploit catches all the websites using it, no matter how many different trojans and backdoors are plugged into it.

    Another point is not all exploits are created equal... there are hundreds announced each month, and yet only two or three are actually used, but the ones that _are_ used are _widely_ used, and are really important. Nearly all of them deliver rootkits, btw.

    A large part of what we do is figure out which are the important ones (the ones actually being used), and we do this with our backend intelligence network.

    We're _not_ saying we're perfect or unbeatable.... what we're saying is that a large amount of problems can be solved with a small amount of effort if you know which are the important problems.

    Roger
     
  19. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi TNT,

    You wrote ...
    > How does this "protect from 0-day exploits"? You don't find "0-day exploits" through signatures like this program does, you can only prevent 0-day exploits by hardening a system.

    Actually, you can also protect against 0-day exploits by blocking the IP address of the server, which is something we do when we think a server address is static.

    We block by exploit and we block by blacklist IP. To get past us, it needs to be a new exploit _and_ a new server. That's absolutely possible, but as soon as we find either one (the exploit or a server), we'll add it, and everyone will be automatically updated within a few minutes. So yes, some folks might get nailed, but most will be safe.

    By the way, _if_ the exploit is based around something that has been announced in the different security lists, chances are we'll have added that prior to it being used In The Wild.

    > This could well be a good protection product. But the "0-day" stuff is quite misleading.

    Well, we don't mean to be misleading. It's always hard to convey all aspects of meanings in a few words... there are always exceptions. For example, there are at least two definitions of 0-day exploit... a strict security based one, and one that most of the public probably accepts, which is "Something bad for which there is no patch, and it remains a 0-day until there's a patch, even if it's a month old."

    Cheers

    Roger
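    The two-layer check Roger describes in his last two posts (block by the resolved server IP, then kill known exploit patterns on the TCP stream no matter which site they come from) can be sketched as a small defender-side model. This is an added illustration, not SocketShield's own code; the signatures, the blocklisted IP and the response bytes are constructed placeholders, and the tail buffering across TCP segments is an assumption about what a stream scanner must do.

```python
import ipaddress

# Constructed placeholders standing in for exploit signatures (byte patterns)
# and for a blocklist of exploit-serving server IPs; none of these are real.
EXPLOIT_SIGS = {"sig-a": b"EXAMPLE_EXPLOIT_A", "sig-b": b"EXAMPLE_EXPLOIT_B"}
BLOCKED_IPS = {ipaddress.ip_address("192.0.2.10")}  # RFC 5737 documentation range


class StreamScanner:
    """Two-layer check on one TCP connection: first the resolved server IP
    against the blocklist, then every signature against the response bytes.
    A tail of the previous segment is kept so a pattern split across two
    TCP segments is still matched (assumed behaviour, not the product's)."""

    def __init__(self, server_ip, sigs=None, blocked=None):
        self.ip = ipaddress.ip_address(server_ip)
        self.sigs = EXPLOIT_SIGS if sigs is None else sigs
        self.blocked = BLOCKED_IPS if blocked is None else blocked
        self.keep = max(len(p) for p in self.sigs.values()) - 1
        self.tail = b""
        self.verdict = None

    def feed(self, chunk):
        """Feed one TCP segment; returns the (verdict, reason) so far."""
        if self.verdict is not None:        # already killed: stay blocked
            return self.verdict
        if self.ip in self.blocked:
            self.verdict = ("block", f"blacklisted server {self.ip}")
            return self.verdict
        window = self.tail + chunk
        for name, pattern in self.sigs.items():
            if pattern in window:
                self.verdict = ("block", f"exploit signature {name}")
                return self.verdict
        self.tail = window[-self.keep:] if self.keep > 0 else b""
        return ("allow", "no match so far")


def scan_stream(server_ip, chunks, sigs=None, blocked=None):
    """Run a whole (constructed) response through the scanner and return
    the final verdict: blocked by IP, blocked by signature, or allowed."""
    scanner = StreamScanner(server_ip, sigs, blocked)
    verdict = ("allow", "empty stream")
    for chunk in chunks:
        verdict = scanner.feed(chunk)
        if verdict[0] == "block":
            break
    return verdict
```

    The third case in the usage below is the gap Roger concedes: a new exploit on a new server passes until either the pattern or the IP is added.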
     
  20. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    It takes out the exploit that causes the silent install of malware, rather than the malware itself. By tackling the exploit before they get a chance to use it, you can head off 0day attacks.
     
  21. suzi

    suzi Registered Member

    Joined:
    May 2, 2006
    Posts:
    8
    Aigle, No need to apologize. No problem at all. :)
     
  22. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    @ rogert30062

    First of all, can you please use the quoting system in the future (maybe you can edit your posts), because it's a bit hard to read your posts at the moment. ;)

    I'm talking about tools like Kaspersky AV and other AVs with HTTP scanning. Isn't the concept about the same? If KAV and other tools recognize malware they will block access to your system. Can SocketShield (SS) be compared to these tools?

    But I now understand that it's not meant to protect against zero day malware; it's more a protection tool that will try to protect you against the newest (known) exploits (targeting unpatched holes). I guess it's a nice tool especially because it does not seem to be heavy on resources, but is it worth the bucks? I'm not sure about that if I'm honest. :rolleyes:
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    Suzi, any comments? o_O
     
  24. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,161
    Hi, folks. I have d/l and tried it for three days. It seems to function very well within my current system (KAV 6, Outpost 3.51, Ewido 4). However, I still have one little puzzle that needs to be solved. This so-called prevention of zero day attack, when does it commence to protect you? The moment Windows starts up (24/7 DSL connection) or the time you actually log on to the internet and surf? This app DOES NOT start with Windows startup for the FACT (because I could not find the OPTION) and has to be initiated manually. Strange indeed. Can anyone solve this puzzle? Thanks. :isay:
     
  25. rogert30062

    rogert30062 Registered Member

    Joined:
    May 1, 2006
    Posts:
    68
    Location:
    Atlanta
    Hi Rasheed,

    I think Suzi's blog only showed the IP address of some of the exploiters. I expect she gave the warning about going there to keep the unwary safe because sometimes just going to the IP address _might_ trigger something, but _mostly_ the exploiters are too cunning for that.

    Generally, the only people who come directly to their servers are people like me hunting for them, or googlebots and spiders trying to index them, so they don't generally trigger that way. Instead, you have to do something like ... find the exact URL, including sub directories, or find some of their lure sites and come in from there.

    Cheers

    Roger
     