LinkScanner Resource Center
Exploits: What They Are, and How You Can Protect Yourself
When we first proposed a different kind of solution to the problem of zero-day exploits, there were many questions about why zero-day exploits needed to be treated differently than "regular" viruses, worms, and spyware. We've collected some of the more common questions, and their answers, here.
- What is an exploit?
- What is a software vulnerability?
- How are exploits distributed?
- I don't visit strange sites or pornographic sites, so how would I be affected?
- What makes exploits different from spyware, adware, and other malware?
- What happens with a typical crimeware exploit?
- Won't my anti-spyware and/or my anti-virus protect me against these exploits?
- Why does it take Microsoft and other software vendors so long to issue a patch?
- How does LinkScanner Pro protect me against exploits?
- If my anti-virus and anti-spyware can't find and stop these exploits, how can LinkScanner Pro?
- What are the system requirements for LinkScanner Pro?
- Will LinkScanner Pro slow down my computer?
1. What is an exploit?
An exploit is a piece of malware code that takes advantage of a newly-announced or otherwise unpatched vulnerability in a software application, usually the operating system, a web browser or a program that routinely activates through a web browser (PDF reader, media player, or other 'plug-in'). A zero-day exploit is an exploit that takes advantage of a vulnerability on the same day that the vulnerability is announced. Exploits usually get onto users' machines by means of a drive-by download – the user has no idea that a download has even taken place.
Exploits frequently take the form of crimeware, a relatively new type of malware whose primary purpose is to extort money or other assets with a portable value from computer users to the benefit of a third-party. As such, they are most valuable to their purveyors during the risk window, the time period between the announcement of a vulnerability and the provision of a fix by the vendor. However, exploits usually continue to be distributed after the fix has been issued because not all machines get patched in a timely fashion, if at all. Considering that risk windows average 56 days in length, it's easy to see how some machines might remain vulnerable for many months, even years.
2. What is a software vulnerability?
Software applications, such as the Microsoft operating system or your web browser, are complex feats of engineering, often with millions of lines of programming code. Inevitably, errors creep into the code, and some of these errors create security vulnerabilities that malefactors can take advantage of with exploits and other malware. Ironically, the people behind these exploits subvert one of software's most useful attributes – its ability to interact with other software programs – to their own ends.
3. How are exploits distributed?
Exploits are usually distributed through a network of Internet-connected computers. The originator of the exploit will place the code on a server with the sole purpose of distributing that exploit as widely as possible as quickly as possible. To facilitate this, the exploit originator recruits a network of exploit distributors; these distributors enable the drive-by downloads under the guise of an innocent-seeming page and are often paid a commission for each download they deliver.
4. I don't visit strange sites or pornographic sites, so how would I be affected?
The websites you know and trust can become infected with crimeware exploits without the knowledge of the website owner. Simply by visiting the site, your computer can become infected too.
5. What makes exploits different from spyware, adware, and other malware?
Most computer viruses are written by thrill-seekers who measure their success as a virus writer by the number of machines they're able to infect, and the overall havoc they're able to wreak. There's typically no profit in virus writing. Spyware, adware, viruses, and worms don't generally have a very specific purpose – they are indiscriminate pests. Exploits, on the other hand, are targeted at very specific vulnerabilities and often have very specific purposes – extortion, identity theft, etc.
6. What happens with a typical crimeware exploit?
Typically, a crimeware exploit will install a rootkit along with a package of spyware, adware, and other malware applications when you visit a site that has been set up, accidentally or deliberately, as an exploit distribution site. Aside from some hard disk activity, you probably won't know that anything has happened, until odd pop-ups start appearing. Those pop-ups may ask you to install some software, tell you there's a problem with your system, or even ask you for money.
7. Won't my anti-spyware and/or my anti-virus protect me against these exploits?
In a few cases, yes, they will – but only after the exploit has already landed on your PC, installed its collection of malware, and started to cause problems. Anti-spyware and anti-virus companies need time to produce a new signature, and by the time the signature is distributed to users, the damage has been done. And rootkits are very, very tough to remove safely, even for the most advanced anti-spyware and anti-virus products.
Rootkits are sets of software tools intended to conceal running processes, files or system data, so they are specifically intended to be evasive; they help intruders maintain access to a system without the user's knowledge, often via some kind of 'back door' into the system.
8. Why does it take Microsoft and other software vendors so long to issue a patch?
Vendors of popular software, like Microsoft, must thoroughly test the patch to ensure that it works, and that it doesn't cause other conflicts within the program. This usually takes around two months, but can take up to six. A hastily-issued patch that hasn't been tested could cause as much or more damage to your computer than a crimeware exploit that takes advantage of the vulnerability. As a user, that puts you between a rock and a hard place.
9. How does LinkScanner Pro protect me against exploits?
A socket, in the context of Internet security, is the standard application programming interface (API) for sending and receiving data across the Internet, making it the point of entry into your system for any downloaded code. LinkScanner Pro is a software program that protects computers during the vulnerability window by monitoring socket-level traffic for exploits and closing the socket when an exploit is detected so that it cannot enter your PC.
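As an added illustration of the socket-level model described above (example code written for this page, not LinkScanner's own implementation, which the page does not show): a relay that inspects bytes as they cross the socket boundary against constructed placeholder signatures and cuts the connection on a match. The signature strings, the 16-byte read size and the use of local socket pairs are assumptions made for the demonstration; the point it adds is that bytes which could still be the start of a signature are held back, so a pattern split across two `recv()` calls is caught before any of it reaches the client.

```python
import socket
# Constructed placeholder signatures for this demo, not real exploit patterns.
SIGNATURES = [b"EXAMPLE-EXPLOIT-SIGNATURE-1", b"EXAMPLE-EXPLOIT-SIGNATURE-2"]
class StreamInspector:
    """Scans a byte stream chunk by chunk, holding back the last (longest
    signature - 1) bytes so a signature split across two recv() calls is
    caught before any part of it has been forwarded."""
    def __init__(self, signatures):
        self.signatures, self.buf = signatures, b""
        self.hold = max(len(s) for s in signatures) - 1
    def feed(self, chunk):  # -> (matched signature or None, bytes safe to forward)
        self.buf += chunk
        for sig in self.signatures:
            if sig in self.buf:
                return sig, b""
        cut = max(0, len(self.buf) - self.hold)
        safe, self.buf = self.buf[:cut], self.buf[cut:]
        return None, safe
    def flush(self):  # at end of stream the held-back bytes were scanned clean
        safe, self.buf = self.buf, b""
        return safe

def relay(src, dst, inspector, chunk_size):
    """Copy src -> dst through the inspector; on a hit close both sockets so the
    remainder of the payload never reaches the client. Returns the hit or None."""
    try:
        while chunk := src.recv(chunk_size):
            hit, safe = inspector.feed(chunk)
            if hit:
                return hit
            dst.sendall(safe)
        dst.sendall(inspector.flush())
        return None
    finally:
        src.close()
        dst.close()

def simulate(payload, chunk_size=16, signatures=SIGNATURES):
    """Run a constructed payload through the relay over local socket pairs in
    small chunks; return (matched signature, bytes the client received)."""
    server, relay_in = socket.socketpair()
    relay_out, client = socket.socketpair()
    server.sendall(payload)  # tiny demo payload, fits the kernel buffer unread
    server.close()
    hit = relay(relay_in, relay_out, StreamInspector(signatures), chunk_size)
    delivered = b""
    while data := client.recv(4096):
        delivered += data
    client.close()
    return hit, delivered
```

Only bytes that can no longer be part of any signature are forwarded, so on a hit the client has at most the clean prefix before the match.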
10. If my anti-virus and anti-spyware can't find and stop these exploits, how can LinkScanner Pro?
LinkScanner Pro gathers information about exploits through the research of Exploit Prevention Labs, which deploys a combination of patent-pending research techniques:
- The Exploit Intelligence Network is an extended network of human researchers and automated probes, honeypots, and search bots focused on discovering new vulnerabilities and exploit examples.
- The Reputation Filter is proprietary technology that creates a filter for known and suspected exploit distributor sites.
- The Community Intelligence Network is the community of LinkScanner Pro users who allow information about attempted exploitation of their computers to be transferred to Exploit Prevention Labs as part of the Security Service.
- The Correlation Engine aggregates the intelligence gathered from the above sources, assembles it in real time and distributes it back to the LinkScanner Pro user community.
Using this approach, within minutes of a discovery of an exploit, all LinkScanner Pro users are protected.
11. What are the system requirements for LinkScanner Pro?
Pentium 1.2 GHz or higher; 256 MB RAM; Microsoft Windows 2000, Windows XP Home and XP Professional.
12. Will LinkScanner Pro slow down my computer?
It's very unlikely, because the monitoring is happening at such a low level on the machine. LinkScanner Pro users have not reported any performance degradation on broadband connections.