
Startup on Search and Destroy Mission

Robot Genius to team with ISPs, search-engine, and firewall vendors to find Web-borne malware in real-time

Startup Robot Genius, which officially launches on Monday after nearly two years in stealth mode, is trying to change the way malware gets detected on Websites.

The Oakland, Calif.-based company, which was founded by university physicists formerly with SafeWeb (now part of Symantec), has built a server farm that automatically and continuously searches for, finds, and analyzes Windows-based malware on Websites and then stores the results in its XML database. The end result is a real-time blacklist of malware-hosting URLs that could be used by search engine providers, ISPs, and firewall vendors, according to the company.

"Our Web crawling and analysis farm has scoured the entire Web and downloaded every single software package that runs on Windows, and we determine which are malware," says Stephen Hsu, co-founder of Robot Genius and professor of theoretical physics at the University of Oregon. "We know all URLs that point to infection."

Web-borne malware is definitely on the rise. Sophos, for instance, found an average of 5,000 new infected Web pages each day from January through March, according to a new report released by the anti-malware vendor today. (See Sophos Reveals Rise of Malware.)

Robot Genius also plans to roll out a lightweight browser plug-in called RGguard, which draws on the RGCrawler Data service to alert users with familiar color-coded Website indicators in their search results. It also will offer an enterprise version of the tool so IT administrators can block users from downloading from and browsing malware-ridden sites altogether.

Although the company initially developed the Web-crawling malware-analysis engine to test its as-yet unannounced Windows security client software -- Spyberus -- RGCrawler Data and RGguard may instead end up being its bread-and-butter. "We wanted to test our security client against the Webcrawler" and database, Hsu says. "We've gotten more interest in the data than we have in the security client, mostly because that's already a crowded space." The company has venture capital backing from Kingdon Capital and Venio Capital Partners.

Hsu says the company has refocused its strategy more toward offering RGCrawler Data as a data-as-a-service. "In a few weeks, we'll ship version 1.0 of our client, and in a few months, we'll announce that certain firewall companies, ISPs, and search engines have signed subscriptions for our [malware] data."

Spyberus is different from most client security tools in that it sits at the driver level of the operating system, so it can watch and record activity there, including files that get modified, and any kernel action. It uses behavior-based detection, not signature-based, and can detect rootkits. And it's not for preventing attacks -- just for remediation after an attack. "It can roll back an infection long after the infection occurs," Hsu says.

"If a program tries to do something [suspicious] like drop its own driver on a system or install a keylogger, we will catch and warn you," he says. "Our product would be complementary to regular AV, but it could also be used in lieu of it."

Not quite as a replacement, however, says Peter Firstbrook, a research manager with Gartner. Spyberus is more a feature than an actual product, Firstbrook says, so it wouldn't be a replacement for antivirus. "It's a great add-on for AV for cleanup." That's something AV vendors can't easily provide with their current model of detection, he adds, especially when viruses start deleting themselves on the machine. "Once that happens, it's hard for AV to clean it up."

Meanwhile, Robot Genius's RGCrawler and RGguard technology would allow browsers and search engines to go beyond pinpointing phishing sites -- to sites that carry any malware. "Right now, Microsoft IE7 warns you if a Website is suspected to be a phishing site," Hsu says. "We extend beyond phishing impersonation, to all of the software on the Web that you might download -- it's all been tested in our lab. We have a lot of machines and they do extensive analysis of it."

The company's large malware database indeed should appeal to AV and other security vendors, Gartner's Firstbrook says. "They have a source of malware, like a honeypot, that others could use to make sure their [products] work against that malware, as well as a list of sources where that malware comes from." Firstbrook envisions Robot Genius selling this data to URL-filtering vendors, which tend to be reactive rather than proactive in the way Robot Genius is.

Robot Genius's technology does not solve the problem of zero-day attacks, however. "It's still not quite a zero-day" detection technology, Firstbrook says.

Robot Genius may have some data that could indeed scare AV vendors at least into considering adding its technology to their toolsets. Hsu says the company currently runs AV software from McAfee, Symantec, Trend Micro, and Microsoft (Windows Defender) alongside Spyberus to gauge how well these tools catch malware. "None of the scanning engines has full coverage," says Hsu, who wouldn't name names. "The best has 60 percent and the worst, 15-20 percent."

— Kelly Jackson Higgins, Senior Editor, Dark Reading