Virusbattle

Status: Ongoing

Virusbattle is a web service that analyzes malware and other binaries with a variety of advanced static and dynamic analyses. It was designed to be scalable and extensible, so that it can scale up to analyze millions of samples with a few or many different types of analysis, and a new type of analysis can be added dynamically to extend Virusbattle's capabilities. Virusbattle is built on the Storm pipeline, which gives it its scalability: Storm can be expanded continually by adding new nodes, which allows us to scale ad infinitum. Data is stored in MongoDB, an open NoSQL database that streamlines our backend across the Storm instances.

While Virusbattle is primarily a backend system, we have also created a website front-end to give the public access to these resources (at virusbattle.com). This website, written in PHP, interfaces with the rest of our system so that analysis requests can be submitted and the results viewed from anywhere.

Currently, we have integrated analyses based on: Juice, a type of static analysis based on generalized assembly code; Minhash, a type of static analysis that operates on the Juice of clusters of binaries; Concolic, a type of dynamic analysis that forms trees of the execution states of a binary; and an unpacker that analyzes binaries and tries to unpack them if they are packed.
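As an added illustration (not Virusbattle's own code) of the Minhash-over-Juice idea described above, the Python below builds MinHash signatures from generalized-assembly instruction bigrams, estimates the Jaccard similarity between samples from those signatures, and groups near-duplicate variants into clusters. The token format, the sample names, the SHA-256-seeded hash family, the bigram shingling and the single-linkage clustering are all assumptions chosen for the example, not the real Juice format or Virusbattle's clustering method.

```python
import hashlib
from itertools import combinations

# Constructed sample input: generalized ("juice"-like) assembly for three hypothetical
# binaries, with registers/immediates abstracted to REG/IMM/ADDR. Not the real Juice format.
JUICE = {
    "variant_a": ["push ebp", "mov ebp,esp", "sub esp,IMM", "call ADDR",
                  "test eax,eax", "jz ADDR", "mov eax,IMM", "leave", "ret"],
    "variant_b": ["push ebp", "mov ebp,esp", "sub esp,IMM", "push REG", "call ADDR",
                  "test eax,eax", "jz ADDR", "mov eax,IMM", "leave", "ret"],
    "unrelated": ["xor eax,eax", "inc eax", "cmp eax,IMM", "jl ADDR", "ret"],
}
NUM_HASHES = 128  # signature length; more slots give a tighter similarity estimate


def shingles(tokens, n=2):
    """Set of instruction n-grams; n > 1 keeps some ordering information."""
    return {"|".join(tokens[i:i + n]) for i in range(len(tokens) - n + 1)}


def _hash(seed, item):
    """One of NUM_HASHES independent hash functions, derived from seeded SHA-256."""
    digest = hashlib.sha256(f"{seed}:{item}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def minhash_signature(shingle_set, num_hashes=NUM_HASHES):
    """Fixed-length signature: for each hash function, the smallest hash over the set."""
    return [min(_hash(seed, s) for s in shingle_set) for seed in range(num_hashes)]


def estimated_jaccard(sig_a, sig_b):
    """Fraction of matching signature slots approximates |A ∩ B| / |A ∪ B|."""
    return sum(a == b for a, b in zip(sig_a, sig_b)) / len(sig_a)


def exact_jaccard(set_a, set_b):
    return len(set_a & set_b) / len(set_a | set_b)


def cluster(juice, threshold=0.5):
    """Single-linkage clustering on signature similarity; returns sets of sample names."""
    sigs = {name: minhash_signature(shingles(toks)) for name, toks in juice.items()}
    parent = {name: name for name in juice}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(juice, 2):
        if estimated_jaccard(sigs[a], sigs[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in juice:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: sorted(g))
```

Signatures are fixed-size regardless of binary size, so they can be stored per sample and compared pairwise without re-reading the original Juice, which is what makes similarity search over millions of samples tractable.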