Antispyware veterans launch anti-0day startup

28.04.2006

Unsuspecting Web surfers usually don't intend to visit the attack Web sites, which are often light on content and innocuous looking. However, organized online criminal gangs have become masterful at manipulating search engines like Google to steer users to the sites.

"Typically these Web sites have three parts: a business site where they might advertise for (Web site) affiliates that's completely clean and above board, the lure Web sites that pull in the Googlebots, and the exploit servers which serve the malicious code and which they guard carefully and try not to make public at all," he said.

SocketShield was developed out of a desire to stop drive-by downloads, even when they use an exploit for which no patch has been issued, Thompson said.

"I could see the exploits in the TCP/IP (Transmission Control Protocol/Internet Protocol) stream and figured that if I could see them, I should be able to stop them," said Thompson, who previously worked as a director of malicious code research at Computer Associates International Inc.

The software monitors Web browser communications and uses a reputation filter and data from Thompson's database of exploit sites to block traffic from known drive-by download sites. Exploit Prevention Labs has also developed a "reverse honeypot" that scans new Web domains as they're registered and looks for exploit servers, then adds those sites to the domain block list. Finally, heuristics and signatures of known exploits, developed by human researchers, are also used to block TCP/IP traffic that contains attacks, Thompson said.
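The three layers just described (a domain block list fed by the exploit-site database and reverse honeypot, a reputation filter, and signature heuristics applied to the stream itself) sketched as an added Python example; this is not SocketShield's or Exploit Prevention Labs' code, and the domain names, reputation scores, signatures and sample responses are all constructed for the illustration.

```python
"""Layered drive-by-download blocking, modelled on the article's description.
Added example, not the product's code; every value below is constructed."""
import re
from dataclasses import dataclass

# Layer 1 data: hostnames an exploit-site database or reverse honeypot would
# have flagged (constructed placeholders, not real indicators).
BLOCKED_DOMAINS = {"exploit-server.example", "lure-site.example"}

# Layer 2 data: reputation scores, 0 = poor, 1 = long-established and trusted.
REPUTATION = {"news.example": 0.9, "newly-registered.example": 0.1}
REPUTATION_THRESHOLD = 0.3

# Layer 3 data: constructed signatures for exploit-like content in an HTTP body.
SIGNATURES = [
    # long runs of %uXXXX inside unescape() are a classic shellcode-staging tell
    ("suspicious-unescape", re.compile(rb"unescape\(\s*['\"](%u[0-9a-f]{4}){8,}", re.I)),
    # zero-sized iframes are the usual way a lure page pulls in an exploit server
    ("hidden-iframe", re.compile(rb"<iframe[^>]*(width|height)\s*=\s*['\"]?0['\"]?", re.I)),
]

@dataclass
class Verdict:
    action: str  # "block" or "allow"
    layer: str   # which layer decided: blocklist, reputation, signature, none
    reason: str

def inspect(host: str, body: bytes) -> Verdict:
    """Decide whether a browser response from `host` should be blocked."""
    # Layer 1: known exploit or lure domains are cut off before content matters.
    if host in BLOCKED_DOMAINS:
        return Verdict("block", "blocklist", host)
    # Layer 2: a domain with a known-poor reputation is blocked; an unknown one
    # is not trusted either, so it falls through to payload inspection.
    score = REPUTATION.get(host)
    if score is not None and score < REPUTATION_THRESHOLD:
        return Verdict("block", "reputation", f"score={score:.2f}")
    # Layer 3: signatures over the payload itself. This is the layer that can
    # stop an exploit for which no patch or block-list entry exists yet, and it
    # also catches a compromised high-reputation site serving exploit content.
    for name, pattern in SIGNATURES:
        if pattern.search(body):
            return Verdict("block", "signature", name)
    return Verdict("allow", "none", "clean")
```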