An Israeli start-up claims it may be able to put an end to the viruses, malware, and trojan horses that cost the world economy hundreds of billions of dollars a year. Not only does Cyactive say it can stop viruses that are already “in the wild,” currently causing damage, but according to CEO & Co-Founder Liran Tancman, it can beat most of them even before they are invented.
The secret? Viruses are overwhelmingly evolutionary, not revolutionary. “Much of the code found in even major attacks is reused over and over again in new attacks,” Tancman said. “There has actually never been a virus that did not draw substantially on malware that was already in existence.”
Especially today, when hacking has become such a lucrative worldwide business, hackers need to produce. They don’t have time to reinvent the wheel; nor do they have to as things stand, said Tancman. “The problem is that cyber-security is reactive, not proactive. A company will spend hundreds of thousands or millions of dollars to secure themselves against a major malware variant, fighting off a specific attack.” But getting around those defenses is easy for a hacker. “All they have to do is insert some changes in their malware code, and they are in the clear. For $150, a cybercriminal can hire a hacker to do $25 million of damage, and then do it again a few months later, making very minor changes to their malware code.”
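To make the point above concrete, here is an added example (not Cyactive’s code or method) contrasting a byte-exact signature with a byte n-gram similarity score: after a couple of trivial edits the signature no longer matches, while the similarity score still ties the variant to the known family. The samples, the family name and the threshold are constructed for the example.

```python
"""Exact-signature matching vs. n-gram similarity against a trivially edited variant."""
import hashlib
from typing import Dict, Optional, Set, Tuple

N = 4  # width of the byte n-grams used for the similarity measure

# Constructed stand-ins for a known sample and a lightly "retooled" variant.
# Arbitrary text bytes, not real malware; the variant differs only in a
# server label and one constant, the kind of minor edit the article describes.
KNOWN_SAMPLE = (
    b"stage1: fetch config from server alpha; stage2: decode payload with key 0x1337; "
    b"stage3: register persistence task; stage4: report status every 60s"
)
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"alpha", b"bravo").replace(b"0x1337", b"0x2468")
UNRELATED_SAMPLE = b"GET /index.html HTTP/1.1 Host: example.test User-Agent: curl"

# A signature database keyed by exact SHA-256, as a classic signature engine would hold it.
SIGNATURES: Dict[str, str] = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "FamilyA"}
# A family database keyed by name, holding a reference sample for similarity scoring.
FAMILIES: Dict[str, bytes] = {"FamilyA": KNOWN_SAMPLE}


def exact_signature_hit(sample: bytes, signatures: Dict[str, str]) -> Optional[str]:
    """Return the family name if the sample's hash is in the database, else None."""
    return signatures.get(hashlib.sha256(sample).hexdigest())


def ngram_set(data: bytes, n: int = N) -> Set[bytes]:
    """All distinct contiguous n-byte slices of the data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Jaccard similarity of two sets: |a & b| / |a | b| (1.0 for two empty sets)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity_hit(sample: bytes, families: Dict[str, bytes],
                   threshold: float = 0.6) -> Tuple[Optional[str], float]:
    """Return (best family or None, best score); None when no family reaches the threshold."""
    grams = ngram_set(sample)
    best_name, best_score = None, 0.0
    for name, reference in families.items():
        score = jaccard(grams, ngram_set(reference))
        if score > best_score:
            best_name, best_score = name, score
    return (best_name if best_score >= threshold else None), round(best_score, 3)


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE), ("unrelated", UNRELATED_SAMPLE)):
        print(label, exact_signature_hit(sample, SIGNATURES), similarity_hit(sample, FAMILIES))
```

The exact hash catches only the unmodified sample; the similarity score still flags the edited variant and leaves the unrelated input alone, which is the gap between a reactive signature and a family-level detection.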
Tancman, a former head of Cyber-strategy in an elite IDF intelligence unit with a decade of experience in Israel’s intelligence corps, has been thinking about this phenomenon for a long time — and has developed what he believes can become the solution to all malware and viruses, present and future. “If we can develop defenses against the core of the malware, the 98% of the code that is just a variant of existing malware, we could end virus attacks for good,” Tancman said.
Cyactive has developed smart algorithms that Tancman says explore and analyze malware to see where it came from, and where it is going. “You can see very clearly what the ‘keychain of exploitation’ is, the methods hackers are using now and the variants they are likely to use,” said Tancman. “Even the major attacks of recent years, like Flame, Stuxnet, and others, use a similar core.” For hackers, there really is no alternative; they have neither the time, the resources, nor even the skills to build a whole new exploitation keychain that will attack systems from other angles, he claims.
To be fair, hackers are just responding to the derivative work being done by programmers. For example, a specific piece of malware, the Linux.Darlloz worm, was developed several years ago to attack a vulnerability in Linux-based machines running PHP, a scripting language. The worm was “patched” (resolved) in 2012, but has in recent months taken on new life to attack computer systems that cannot be patched by users — such as the computer chips installed in “Internet of Things” devices like refrigerators and washing machines.
This, according to Tancman, is an excellent example of why he established Cyactive. With a slight change to allow it to hit non-PCs, “the Linux.Darlloz worm demonstrates the risk of code reuse in environments that don’t support patches or antivirus software,” he wrote in a recent blog post. “The embedded machines used in the ‘Internet of Things,’ based on known operating systems (or their derivatives), carry on the same vulnerabilities as servers and PCs using those OS, as do all devices using such derivatives. Hackers have taken advantage of reusing code in such environments and therefore these attacks will probably be the first option malware programmers will turn to when attacking the Internet of Things.”
If hackers are able to stage a major attack in which they hack into “smart” washing machines around the world to ruin clothing by running the hot cycle on permanent-press garments, Linux.Darlloz may be the way to do it. The hard work and effort that went into patching the underlying vulnerability will have come to naught if the worm still manages to ruin tens of millions of dollars’ worth of clothing.
But Cyactive’s system can arrest that process, said Tancman. “Since we know what goes into such malware, we can defend against that specific vulnerability, as well as others that hackers are likely to go after that are related to the original hack,” he said. Cyactive’s system does this by analyzing the vulnerability and seeing what directions hackers are likely to take in order to “retool” it to get around existing anti-virus systems. “Instead of being on the defensive, we can develop these anti-virus tools before the new hacks are even created, putting the burden on the hackers,” said Tancman.
If he’s right, Tancman said, hacking will become almost impossible overnight, and even if hackers manage to develop new core technologies, all it would take is one attack for Cyactive to defang that new approach — and develop a new suite of anti-malware components to battle that new exploitation keychain. “Eventually hackers will get the message, that the work they are putting into hacking just isn’t paying off like it used to,” argues Tancman — with the result being an end to hacking as we know it.
This is not pie in the sky, according to Yoav Tzruya, a partner at Jerusalem Venture Partners (JVP) and a member of Cyactive’s board. “We met Liran and his co-founder and CTO Shlomi Boutnaru, and realized we had some special people here,” Tzruya said. “They are both acclaimed cyber-security professionals who have won major awards. What they are essentially doing is applying the principles of genetic computation to detect the next generation of viruses.”
Cyactive was established just last year, and was the first start-up accepted into JVP’s new cyber-security incubator, located in Beersheba. “They just started and already they are candidates for some large investments,” said Tzruya. “This technology is a great example of the cyber-security capabilities being developed in Israel at JVP’s incubator.”