VirusBuster wrote:
Minibis could be seen as not for the masses because it was designed to analyze thousands of malware samples, but just as it can analyze 25k samples it can analyze 1.

Correct!

VirusBuster wrote:
Do malware researchers really need to analyze thousands of malware samples? I don't think so. They usually analyze malware samples one by one and manually, using decompilers like IDA or debuggers like OllyDbg.

It depends on what's needed. Usually a researcher initially doesn't look into the code - that's what IDA, Olly, etc. are for. First you just want to know, in a quick way, what you're dealing with. Then, if it's necessary or relevant, you might take a look at the code.

Btw., IDA is no decompiler, though Hex-Rays sell a decompiler plugin for their disassembler/debugger IDA Pro. So don't mix these up.

VirusBuster wrote:
Do advanced users have 25k malware samples? Don't think so, but even if they do... do they need to analyze them? Again, I don't think so. I don't see a reason for that.

I wouldn't want to tell the advanced user that is really interested in my tool what to do.

VirusBuster wrote:
Being realistic, mass malware analysis tools are intended for antivirus companies that need to filter the big amount of files they receive, to separate harmless from potentially dangerous files. Checking all they get one by one would be impossible nowadays.

That's just ONE scenario where mass analysis can make sense. There are way more than this. How do you think malware trends are identified? How do you think statistical data is produced for lists, i.e. the top ten of Windows autostart possibilities used by malware authors? How do you think it's possible to eventually find other malware that seems to be created by the same developer, or with the same frameworks/tools? And so on - there are really a lot.

VirusBuster wrote:
If an antivirus company must do mass malware analysis, on what option will they rely? Probably on their own solution or on a professional solution like Norman Sandbox Analyzer.

That really depends on too many influences.

VirusBuster wrote:
So I think a good question is: Is there a "market" for public malware analyzers? It exists, but it's very, very little.

There is a market - that it's big I never mentioned.

VirusBuster wrote:
Then who will be using public malware analyzers? Mainly advanced users, not malware researchers, because they don't need that, nor antivirus companies, because they will use either their own solution or a professional one.

Mainly CERTs - that's why I made it public. It's a common approach in the CERT community to share instrumentation.

VirusBuster wrote:
So in my opinion the scope of the publicly available malware analysis tools (mass analyzer or not) is the advanced users.

No, see above.

VirusBuster wrote:
I will not comment about CERTs because I don't really know if they process big amounts of samples or if they mainly work with honeypots.

I'm from a national and government CERT, I guess I know what our branch is doing. ;-)

And to answer your question: They do, some more and some less; that depends on many things.

VirusBuster wrote:
How do most of the advanced users prefer to do malware analysis? Probably using online malware analyzers like Anubis, ThreatExpert, JoeBox, etc. Why? I think because they are afraid of possible infections, so they are safe using online tools.

That's correct for the normal advanced users. But for CERTs, and from time to time for AV vendors too, there are periodically scenarios where nothing is allowed to become public - so no Anubis and so on.

VirusBuster wrote:
From the advanced users that don't mind hosting a malware analyzer, what do they prefer: a Linux or a Windows based malware analyzer tool? Windows, of course, because they want to check if a program is trustable before installing it in their system. Having to do the analysis under Linux to analyze a Windows application is not practical for them.

I don't really care a lot regarding this, as they are not my main constituency. I just decided to also let the public (not CERT or researcher) guy participate in my work.

VirusBuster wrote:
For all the above reasons, I think malware analysis tools must be hosted under Windows. The few persons (let's be realistic, probably just 1 or 2% of computer users use them) that will use that kind of tools work with Windows.

You're still mixing up two different things: instruments for fast analysis of lots of samples, and in-depth code analysis (mainly) of Windows PE files (executables).