"The number one threat to corporate networks is spyware and malicious code," says Shimon Gruper, executive VP of Aladdin Knowledge Systems. "Everybody fights viruses, but people don't know what spyware is and how to deal with it."
Aladdin is the company which made headlines recently by discovering just how many sex webpages hide malware. Antivirus pioneer and former Israeli Air Force security expert Gruper brought his anti-malware knowledge to Aladdin in 1998 when it acquired eSafe Technologies, which he had founded.
He says that the big difference between viruses and other malware such as spyware is not the aim - both now are being written with criminal intent, such as the theft of passwords and other personal data, or spam forwarding. Instead, it is the method of infection, which makes spyware a lot harder to fight. Often this uses flaws in browsers, especially Microsoft IE, to download and install malware, with or without the user's consent.
"Email and Web browsing are the two main conduits," he says. "Email comes in and you don't control it, viruses are prevalent so you need good antivirus.
"The Web is completely different. - you don't normally download viruses, but you don't know in advance when a site is malicious. It's not mass mailing viruses, it's embedded spyware waiting for you. That needs a completely different technology to fight it."
There are spyware detectors about, some highly regarded for what they do, such as AdAware, but most work on the basis of scanning for known spyware signatures - ie. pieces of code or registry keys that they already recognise. Only a few, such as Spybot Search & Destroy try going beyond that to watch for unusual behaviour that might indicate the presence of new and unrecognised spyware - and even then they are rarely centrally managed, and a non-technical user may not understand the alerts that they generate.
Shimon Gruper argues that as commercial organisations generate spyware, which is then downloaded by visiting a website and without the user being aware, the signature detection method - which is of course the primary method used for detecting viruses - is going to become less and less useful.
"With websites, companies won't get a sample unless they go and get it, and there's millions of sites to visit," he says. "That's a major problem for spyware detection - getting samples. So signature detection technology works for viruses but not spyware - most spyware detectors pick up 65 to 70 percent, which would be completely unacceptable for antivirus. Microsoft's is 90 percent - it has put more effort into analysing samples because it has more resources."
He says that instead the way to block spyware is to focus on how it works and the resources it uses. This is how the eSafe gateway that he developed works, but the same principles can be applied in other ways too.
"We have four different techniques to fight spyware, some based on its behaviour - when it's downloaded, it must contain certain elements that we've seen before, for example read registry keys or open non-standard ports. Also there are technologies watching for exploitation of known security holes, and then it's how spyware communicates home - that's usually not unique to spyware, the protocol is a common one," he says.
"Arming yourself with knowledge is the first thing. Then it's deploying solutions to block questionable and pornographic sites. We used a Web crawler and found 80 percent of porn sites have spyware on them, so block access to those.
"Number two is educate users to not click OK to every installation dialogue. Number three, if possible, is to raise the browser security level to not install from the Web."
He warns though that while a switch away from Microsoft IE could help to some extent, it will not be a complete solution - his team has already seen spyware for Firefox, as well as code which can attack IE via another browser. "Firefox is a good solution for individuals, it has security holes but they are less exploited," he says.
The IT security business is changing now, he says, as the threat shifts away from script-kiddies and people who crack systems for the intellectual challenge, towards those who break in for financial gain. Plus, as systems get more complex, they also acquire more defects.
"It's not for fun anymore, these are serious people who know what they are aiming for," he says. "Viruses are professional now, and we will see more sophisticated viruses as more money is put into finding holes.
"The number of holes found in the last five hears is exponentially higher than in the previous five years. It's not that Windows has more holes than Linux, but Linux is not on every desktop, and the people running it apply the patches.
"We think a lot of organisations neglected Web security and focused on email security. This year will be the year of rushing to implement browser security."