Most of you probably haven't the faintest clue who Zynamics is. They're based in Germany and used to be called Sabre Security. This is Halvar Flake's team; they sell BinDiff (the most popular binary diffing tool in reverse engineering, used by teams around the world to back security patches out to learn about flaws), along with BinNavi, a popular debugger-based reverse-engineering tool.
For the past few years, they've been working on an engine called VxClass that uses control flow graph analysis to automatically classify malware. One presumes this is what motivates the acquisition. Google already scans content on the Internet for malware.
Or it could be mostly a talent thing. Google's been on a hiring tear. Extremely strong software security talent isn't easy to come by. Lord knows Halvar's got it. Zynamics is hugely well-known and respected in the software security world.
Like a lot of folks, I'm curious how this will affect sales of BinDiff and BinNavi (I don't see Google in the business of selling security software); but this should be really good news for Halvar and Co.
Curious if you happen to know the answer to this... but some eBooks I've seen, when run through antivirus programs, report being 50% MATLAB. I can't tell where this comes from or if it means anything at all. Does MATLAB in PDF files ring any sort of bell for you?
They do different things, so I'll give you an overview:
HBGary have a tool called FastDump Pro for imaging memory. What Responder does is take (or acquire) a memory image and reconstruct the processes and leftover memory modules. It also reconstructs details of open files, sockets, registry entries etc. at the time of the snapshot.
Responder Pro has a thing called Digital DNA (which backs up nearly all of HBGary's enterprise products) - it's a mechanism that looks for potentially malicious code (I say potentially because it's easily triggered by things like McAfee because it has a load of strings in memory at any one point in time). Digital DNA uses known indicators to look for specific signs of things like keyloggers. It's not 100% but it usually reduces analysis time by a lot.
There's a fairly straightforward disassembler, you can look at strings tied to processes and memory modules, check for hooked SSDT, IDT entries etc., and there's a canvas-type function for mapping out a process's structure. There's a C# interpreter for scripting, but it's not well documented, so most of our guys don't use it much for anything other than basic scans for specific things.
Recon comes with Responder Pro and is used to test potentially malicious code pulled off disk in a VM. You define how long it's going to run for, then it runs the code under the VM. You can then go back to Responder, and there's an actual slider that shows you all the changes to registry, files, even CPU registers over time, so you can zoom in on your process and see the encryption algorithm in the malware decrypting and flip back and forth, which makes it really cool for basic malware cryptanalysis when you're me and not you :) - it's also handy for extracting 0day from exploit code because you get to see what's being exploited and how, so you can quickly write a cheeky Canvas/Metasploit module.
There's another tool called Flypaper that stops the process in Recon from exiting, which can be quite handy.
Although the company's in a bit of disarray at the moment, the products are really great for malware analysis, and could be used for exploit dev (but I wouldn't).
I would love to know what the typical acquisition process for Google is like. Where does it start (product team, management, engineering, etc)? How long does it take? How intense are the negotiations? Are deals typically cash or stock?
My understanding is that the level of disclosure depends on the circumstances. For small acquisitions by large companies, it's generally difficult to find information, especially for an asset purchase. For larger acquisitions (and other transactions) by US-listed public companies, if the threshold of materiality is met--usually around 5% of the pre-transaction market value of the acquirer--there will typically be public disclosure of the consideration paid, and sometimes further documentation such as fairness opinions, etc.
That said, the individual employees are typically subject to all kinds of agreements as part of the acquisition, including NDAs.
Halvar is pretty much a baller in the security industry. I met him and immediately knew he was brilliant, even putting all the history and his contributions aside. Talking to him about some of the things I was working on was enlightening.
Kudos to him and his team. BinDiff is a great product.