Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:45 AM
Connect Directly

Startup on Search and Destroy Mission

Robot Genius to team with ISPs, search-engine, and firewall vendors to find Web-borne malware in real-time

Startup Robot Genius, which officially launches on Monday after nearly two years in stealth mode, is trying to change the way malware gets detected on Websites.

The Oakland-Calif.-based company, which was founded by university physicists formerly with SafeWeb (now part of Symantec), has built a server farm that automatically and continuously searches, finds, and analyzes Windows-based malware on Websites and then stores the results in its XML database. The end result is a real-time blacklist of URLs with malware that could be used by search engine providers, ISPs, and firewall vendors, according to the company.

"Our Web crawling and analysis farm has scoured the entire Web and downloaded every single software package that runs on Windows, and we determine which are malware," says Stephen Hsu, co-founder of Robot Genius and professor of theoretical physics at the University of Oregon. "We know all URLs that point to infection."

Web-born malware is definitely on the rise. Sophos, for instance, found an average of 5,000 new infected Web pages each day from January through March, according to a new report released by the malware company today. (See Sophos Reveals Rise of Malware.)

Robot Genius also plans to roll out a lightweight browser plug-in called RGguard that works with the so-called RGCrawler Data service that alerts users with familiar color-coded Website indicators in their search results. It also will offer an enterprise version of the tool so IT administrators can block users from downloading and browsing malware-ridden sites altogether.

Although the company initially developed the Web-crawling malware-analysis engine to test its as-yet unannounced Windows security client software -- Spyberus -- RGCrawler Data and RGguard may instead end up being its bread-and-butter. "We wanted to test our security client against the Webcrawler" and database, Hsu says. "We've gotten more interest in the data than we have in the security client, mostly because that's already a crowded space." The company has venture capital backing from Kingdon Capital and Venio Capital Partners.

Hsu says the company has refocused its strategy more toward the RGCrawler Data data-as-a-service. "In a few weeks, we'll ship version 1.0 of our client, and in a few months, we'll announce that certain firewall companies, ISPs, and search engines have signed subscriptions for our [malware] data."

Spyberus is different from most client security tools in that it sits at the driver level of the operating system, so it can watch and record activity there, including files that get modified, and any kernel action. It uses behavior-based detection, not signature-based, and can detect rootkits. And it's not for preventing attacks -- just for remediation after an attack. "It can roll back an infection long after the infection occurs," Hsu says.

"If a program tries to do something [suspicious] like drop its own driver on a system or install a keylogger, we will catch and warn you," he says. "Our product would be complementary to regular AV, but it could also be used in lieu of it."

Not quite as a replacement, however, says Peter Firstbrook, a research manager with Gartner. Spyberus is more a feature than an actual product, Firstbrook says, so it wouldn't be a replacement for antivirus. "It's a great add-on for AV for cleanup." That's something AV vendors can't easily provide with their current model of detection, he adds, especially when viruses start deleting themselves on the machine. "Once that happens, it's hard for AV to clean it up."

Meanwhile, Robot Genius's RGCrawler and RGguard technology would allow browsers and search engines to go beyond pinpointing phishing sites -- to sites that carry any malware. "Right now, Microsoft IE7 warns you if a Website is suspected to be a phishing site," Hsu says. "We extend beyond phishing impersonation, to all of the software on the Web that you might download -- it's all been tested in our lab. We have a lot of machines and they do extensive analysis of it."

The company's large malware database indeed should appeal to AV and other security vendors, Gartner's Firstbrook says. "They have a source of malware, like a honeypot, that others could use to make sure their [products] work against that malware, as well as a list of sources where that malware comes from." Firstbrook envisions Robot Genius selling this to URL-filtering vendors, which are more reactive than proactive like Robot Genius.

But Robot Genius's technology does not solve the problem of zero-day attacks, however. "It's still not quite a zero-day" detection technology, he says.

Robot Genius may have some data that could indeed scare AV vendors at least into considering adding its technology to their toolsets. Hsu says the company currently runs AV software from McAfee, Symantec, Trend Micro, and Microsoft (Windows Defender) alongside Syberus to gauge how well these tools catch malware. "None of the scanning engines has full coverage," says Hsu, who wouldn't name names. "The best has 60 percent and the worst, 15-20 percent."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.