4/24/2007
06:45 AM
Startup on Search and Destroy Mission

Robot Genius to team with ISPs, search engines, and firewall vendors to find Web-borne malware in real time

Startup Robot Genius, which officially launches on Monday after nearly two years in stealth mode, is trying to change the way malware gets detected on Websites.

The Oakland, Calif.-based company, which was founded by university physicists formerly with SafeWeb (now part of Symantec), has built a server farm that automatically and continuously searches for, downloads, and analyzes Windows-based malware hosted on Websites, then stores the results in its XML database. The end result is a real-time blacklist of URLs that serve malware, which search engine providers, ISPs, and firewall vendors could consume, according to the company.

"Our Web crawling and analysis farm has scoured the entire Web and downloaded every single software package that runs on Windows, and we determine which are malware," says Stephen Hsu, co-founder of Robot Genius and professor of theoretical physics at the University of Oregon. "We know all URLs that point to infection."

Web-borne malware is definitely on the rise. Sophos, for instance, found an average of 5,000 newly infected Web pages each day from January through March, according to a new report the anti-malware vendor released today. (See Sophos Reveals Rise of Malware.)

Robot Genius also plans to roll out a lightweight browser plug-in called RGguard that draws on the RGCrawler Data service to flag sites in search results with the now-familiar color-coded Website indicators. It also will offer an enterprise version of the tool so IT administrators can block users from downloading from, or browsing to, malware-ridden sites altogether.
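The article does not show what a consumer of the RGCrawler Data feed looks like, so here is an added example (not Robot Genius code; the page does not describe the real feed schema, so the XML layout below is a constructed stand-in, as are the hostnames). It covers both uses the page describes: a browser plug-in colouring search results and an enterprise gateway blocking downloads. The part worth seeing in code is URL canonicalization, because a blacklist that matches on raw strings is trivially bypassed by case changes, an explicit default port, a trailing dot on the host, a fragment, or a userinfo prefix such as `http://trusted.example@evil.example/`.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed sample feed. The page does not describe the real RGCrawler Data
# schema, so this layout (an <entry> per URL with a verdict) is an assumption.
FEED_XML = """<?xml version="1.0"?>
<blacklist generated="2007-04-24T06:45:00Z">
  <entry url="HTTP://Downloads.Example.com:80/setup.exe" verdict="malware"/>
  <entry url="http://example.net/tools/" verdict="malware"/>
  <entry url="http://mirror.example.org/utils/cleaner.exe" verdict="clean"/>
</blacklist>
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize(url):
    """Canonicalize a URL so trivially different spellings of one resource
    compare equal: lower-case scheme and host, drop a trailing dot on the host,
    remove the default port, drop userinfo (so http://good.example@evil.example/
    resolves to evil.example), default an empty path to "/", keep the query and
    discard the fragment. A malformed port makes urlsplit().port raise
    ValueError; callers should treat that as a lookup failure, not as 'clean'."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower().rstrip(".")
    port = parts.port
    if port is None or DEFAULT_PORTS.get(scheme) == port:
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, netloc, path, parts.query, ""))


def _ancestors(path):
    """Yield the directory prefixes of a path, deepest first:
    "/a/b/c.exe" -> "/a/b/", "/a/", "/"."""
    segs = path.split("/")[1:-1]
    for i in range(len(segs), -1, -1):
        yield "/" + "/".join(segs[:i]) + ("/" if i else "")


def load_blacklist(xml_text):
    """Parse the feed into {normalized_url: verdict}. 'clean' entries are kept
    so a caller can tell 'tested and clean' from 'never seen'."""
    table = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        table[normalize(entry.get("url"))] = entry.get("verdict")
    return table


def lookup(table, url):
    """Return 'malware', 'clean' or 'unknown' for a URL. An exact match wins;
    otherwise a URL beneath a blacklisted directory is also 'malware', on the
    assumption that the crawler records hosting locations as well as files."""
    n = normalize(url)
    if n in table:
        return table[n]
    parts = urlsplit(n)
    for anc in _ancestors(parts.path):
        if table.get(urlunsplit((parts.scheme, parts.netloc, anc, "", ""))) == "malware":
            return "malware"
    return "unknown"


def decide(verdict, enterprise=False):
    """Map a verdict to what the two consumers on the page do with it: the
    browser plug-in shows a colour next to the search result, the enterprise
    version blocks. 'unknown' is grey, not green: absence from the feed is not
    evidence of safety."""
    colour = {"malware": "red", "clean": "green"}.get(verdict, "grey")
    return colour, enterprise and verdict == "malware"


BLACKLIST = load_blacklist(FEED_XML)

if __name__ == "__main__":
    for u in ("http://downloads.example.com/setup.exe#mirror",
              "http://mirror.example.org@downloads.example.com/setup.exe",
              "http://example.net/tools/evil.exe?build=7",
              "http://example.net/"):
        v = lookup(BLACKLIST, u)
        print(f"{v:8s} {decide(v, enterprise=True)}  {u}")
```

Two design points: the query string is kept, since the same path can serve different payloads for different parameters, while the fragment is dropped because it never reaches the server; and the scheme is part of the key, so an http entry does not match the https spelling of the same host, which a real deployment would want to revisit once the crawler also records HTTPS downloads.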

Although the company initially developed the Web-crawling malware-analysis engine to test its as-yet unannounced Windows security client software -- Spyberus -- RGCrawler Data and RGguard may instead end up being its bread-and-butter. "We wanted to test our security client against the Webcrawler" and database, Hsu says. "We've gotten more interest in the data than we have in the security client, mostly because that's already a crowded space." The company has venture capital backing from Kingdon Capital and Venio Capital Partners.

Hsu says the company has refocused its strategy toward selling RGCrawler Data as a data-as-a-service offering. "In a few weeks, we'll ship version 1.0 of our client, and in a few months, we'll announce that certain firewall companies, ISPs, and search engines have signed subscriptions for our [malware] data."

Spyberus differs from most client security tools in that it sits at the driver level of the operating system, where it can watch and record activity such as file modifications and kernel-level actions. It uses behavior-based rather than signature-based detection and can detect rootkits. It is positioned for remediation after an infection rather than for preventing one. "It can roll back an infection long after the infection occurs," Hsu says.

"If a program tries to do something [suspicious] like drop its own driver on a system or install a keylogger, we will catch and warn you," he says. "Our product would be complementary to regular AV, but it could also be used in lieu of it."

Not quite as a replacement, however, says Peter Firstbrook, a research manager with Gartner. Spyberus is more a feature than an actual product, Firstbrook says, so it wouldn't be a replacement for antivirus. "It's a great add-on for AV for cleanup." That's something AV vendors can't easily provide with their current model of detection, he adds, especially when viruses start deleting themselves on the machine. "Once that happens, it's hard for AV to clean it up."

Meanwhile, Robot Genius's RGCrawler and RGguard technology would allow browsers and search engines to go beyond pinpointing phishing sites -- to sites that carry any malware. "Right now, Microsoft IE7 warns you if a Website is suspected to be a phishing site," Hsu says. "We extend beyond phishing impersonation, to all of the software on the Web that you might download -- it's all been tested in our lab. We have a lot of machines and they do extensive analysis of it."

The company's large malware database should indeed appeal to AV and other security vendors, Gartner's Firstbrook says. "They have a source of malware, like a honeypot, that others could use to make sure their [products] work against that malware, as well as a list of sources where that malware comes from." Firstbrook envisions Robot Genius selling this to URL-filtering vendors, whose lists he considers reactive where Robot Genius's crawling is proactive.

Robot Genius's technology does not solve the problem of zero-day attacks, however. "It's still not quite a zero-day" detection technology, Firstbrook says.

Robot Genius may also have data that should at least make AV vendors consider adding its technology to their toolsets. Hsu says the company currently runs AV software from McAfee, Symantec, Trend Micro, and Microsoft (Windows Defender) alongside Spyberus to gauge how well these tools catch the malware its crawler collects. "None of the scanning engines has full coverage," says Hsu, who wouldn't name names. "The best has 60 percent and the worst, 15-20 percent."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
