Finjan's launch of its new Surfingate and Surfinguard computer protection programs may seem like just another knee-jerk reaction to the virus and Trojan horse mania that has swept the computer industry in the past year or so. But, according to the Israeli-US company, the need for such products is increasing as the threat of unauthorised malicious software grows.
An increasing number of news reports have appeared over the past 12-18 months concerning programs that can install themselves on your PC and gain covert control of its functions.
David Kroll, director of product marketing for Finjan, explains that the Surfingate product sits on the server and is designed to filter out suspicious Web content that may be sent to corporate users in the form of Java applets and ActiveX controls.
"The gateway handles content scanning, checking the code and looking for actions that the applet will take," he says. "It will block any applet that violates a security policy, so if it attempts to open a network connection or do something malicious, the software will block the applet. It's done in real-time."
The Surfinguard product, which has just been made available for free in a restricted function version (with no option for policy settings) at the Finjan Web site, is designed for the desktop user. It has been designed for home workers, concerned consumers and corporate employees who travel with laptops or work remotely.
Surfinguard enables users to run executable files in a sand box environment, checking for suspicious activity. According to Finjan literature, this is becoming increasingly important due to the rise of Trojan horse programs that disguise themselves in supposedly benign programs.
But how much of a threat do such programs pose? A very large one, according to Roger Thompson, technical director of malicious code research at ICSA.net.
www.ICSA.net is a US-based consultancy affiliated with GartnerGroup that specialises in advising companies about potential security risks. While some malicious Java applets have been written for demonstration purposes, Java's reliance on the secure Java Virtual Machine (JVM) environment means it is pretty safe. However, this is not true of all active content.
"ActiveX is deadly dangerous, because it is more powerful and usable." that is Thompson's verdict on Microsoft's downloadable Web-based component technology. "If these controls are enabled, someone owns your machine. They can read the registry and write to it, for example."
The horror stories are enough to send chills down any IT manager's spine. Many Trojan horses and viruses are now capable of forwarding information from your machine by e-mail. This can cause considerable embarrassment for companies.
Take, for example, Fuji Bank, which reportedly found a virus attached to some outgoing e-mails, telling customers they were "stupid jerks".
According to Graham Cluley, senior technology consultant at anti-virus company Sophos, other viruses will post to sex news groups in your name.
Thompson says that traditionally companies have differentiated between active Web content and viruses. But as more viruses become Internet or Web-based, the line between these two categories is blurring. As ActiveX controls become a problem, anti-virus writers are adding them into their programs, he says.
Kroll criticises anti-virus software because it generally has to refer back to a central database for updates on new viruses that have been released into the public domain. This means that even anti-virus software that checks for malignant active Web content will always be slightly out-of-date, even if it is just by a few hours. His own software, on the other hand, uses internal algorithms to check the code autonomously, meaning that it does not have to refer back to a central system.
The truth is that even the Finjan software is not completely watertight. Surfingate, for example, won't block outgoing content of a suspicious nature, admits Kroll, so you have to ensure that your staff do not unwittingly send Trojan horses they may have loaded from a floppy.
Surfinguard checks executable software to make sure it does not do anything suspicious. This means it would catch software such as Happy99.exe, the executable program that showed an animation but covertly installed itself on your machine and attached itself to all outgoing e-mails.
The problem arises if an installation program is sent to you for a seemingly innocuous program - say, a screenshot capture utility or a game - which once installed purposely avoids delivering its payload until it had been executed a few times. Kroll admits that the software would not catch such a program, but points out that the company has not come across any viruses of this type. Still, if the past efforts of virus and Trojan horse writers are anything to go by, it is only a matter of time.
While products such as Finjan's are useful, there are other methods that Thompson calls "synergistic controls". While they don't do much on their own, they have a combined effect when used together. Examples of this are the use of rich text format files (those with a .rtf extension) when saving word-processed documents. This can prevent the use of macro viruses that embed themselves in Word documents and execute procedural code on your system.
However, it is not fail safe because a smart virus writer could save a .doc Word file with a .rtf extension. An even better method is to use a different word processor altogether, says Thompson.
Write-protecting your normal .doc file can help, he says. Many more tips can be found at his company's Web site.
The most important tool of all in the battle against malicious code is common sense.
Software such as Finjan's and Sophos' is very useful, but on its own it will not save your hide. Implement a comprehensive policy for dealing with incoming content to increase your chances of running a clean system.
Viruses, Trojans and Zombies
April 2000: The FBI reports the 911 worm, which spreads by copying itself to Internet-attached computers configured to share their files. It reportedly tries to dial 911 (the US emergency services number) from the computer and is also able to format the hard drive. It is later dismissed as being poorly written and being a relatively weak threat
February 2000: Several large e-commerce sites are hit by distributed denial of service attacks. Such attacks are caused by tools such as Trinoo and Tribal Flood Network (TFN) which install themselves on Unix systems and simultaneously trigger denial of service attacks against specific sites, flooding them with network packets
Dec 1999: David Smith pleads guilty to creating the Melissa virus, which spread by mailing itself to the first 50 people in a computer's e-mail list
Dec 1999: Babylonia W95 detected, a virus that changes form and downloads files from an Internet server in Japan that can be used to damage the host system
Nov 1999: Companies warned about Prilissa virus, which spreads itself through an infected document and formats the C drive at Christmas
Nov 1999: Dell closes Limerick factory for two days after being hit by the Funlove virus