06:13 PM
Connect Directly
Repost This

Malware Analysis Researchers Announce New Startup

Lastline comes out of stealth with big data-based offering for catching advanced attacks

A group of academic researchers who recently built a botnet-hunting prototype today officially launched a new startup that offers a cloud-based analysis of today's advanced malware.

Lastline emerged from stealth mode with its first product offering after being founded last year by Northeastern University researcher Engin Kirda and University of California-Santa Barbara researchers Christopher Kruegel and Giovanni Vigna. The new Previct product is a sensor that performs real-time traffic analysis to root out malicious code as well as command-and-control (C&C) traffic.

Kirda, Kruegel, and Vigna were part of a team of international malware analysis experts who created Disclosure, a tool that expands the view of botnet activity to a wider scale and detects C&C traffic in real-time. The prototype can sniff out previously unknown botnets, as well, the researchers say, and uses NetFlow in addition to custom features that provide more intelligence for catching botnets.

"We have been working on the problem of sophisticated malware for a long time," says Jens Andreassen, CEO of Lastline.

Previct sits behind the firewall and inspects incoming and outgoing traffic; it is available either as an appliance or software solution. It's not an intrusion prevention system, however, its founders say.

"We see it as a new layer of defense. IPSes look for denial-of-service attacks or SQL injection against a Web server. We don't do that," says Kruegel, co-founder and chief scientist at Lastline.

Lastline is addressing APT and other targeted attacks, he says. "If a user gets an email and clicks on a link that leads to a drive-by site or to an executable, we can detect a drive-by attacking coming in against that user. Or if an exploit is successful and loads actual malware, we will see the malware on its way in," he says.

Kruegel says Lastline's technology leverages the researchers' skills and development in big data and program analysis. "We have machine-learning on large-scale data sets. We collect NetFlows, DNS resolutions, and [can determine] what happened in their traffic" using custom algorithms, he says.

The goal is to provide organizations with threat information in an automated way and before they get infected or breached.

AV is not enough to catch malware anymore, co-founder and CTO Vigna says. "You need to have behavioral analysis to detect viruses. And now behind that, the next step is it has to be correlated with the network activity of a person on the network ... This is a new class of tools that looks at how the network behaves and what artifacts have been put in the network. We're aggregating this [intelligence] at a high level so it's a global view of the [threat]," he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Senior Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web