How Any.Run Became the Most Popular Malware Sandbox in the World using Meteor.js.
This is a guest post written by our friends at ANY.RUN (Meteor users since 2016).
What is ANY.RUN?
We are creating a service that allows our clients all over the world to analyze, detect and monitor cybersecurity threats. ANY.RUN malware analysis service, our main product, is the first interactive online malware analysis sandbox where the user controls the flow of the analysis.
Imagine: you get access to a malware laboratory with lots of different tools within a second, and most of these features are free for our community. You can use it to analyze and research the latest malware samples from all over the web as if you were launching them on your own PC, but absolutely safely!
We do our best to make our community exchange information as much as possible and get access to new malware samples for free. We also have paid subscriptions for malware analysts, which mean they don’t need to worry about the privacy of their analyses at all. Paid users also get extended functionality such as different versions of operating systems, video recording, and teamwork.
ANY.RUN has more than 2 million public tasks with tons of malware samples and IOCs (Indicators of Compromise). You can analyze network, file, module, registry activity, interact with the OS directly from the browser window, and immediately see the feedback from your actions.
ANY.RUN also conducts signature analysis and shows you whether your submission exhibits malicious or suspicious activity.
Our Tech Stack
The majority of the stack is developed in JS to make our solution more productive, and also to give an opportunity for all developers in our team to help each other and contribute to it.
It’s amazing that Meteor allows us to work with JS both at the back-end and front-end. That’s a huge advantage for us!
Moreover, MongoDB has native JS support and works great together with Meteor, as it is very convenient for real-time data output to the client. We would like to mention that communication between virtual machines and Node.js is a serious miracle; that’s why it’s developed in C++ to increase its speed by using native data transfer.
Of course, it’s not the only stack we use; we also work with different databases such as Redis, Elasticsearch, and OrientDB that allow our microservices to do internal work.
Our Journey with Meteor
ANY.RUN got its start back in 2016. Our relatively small team chose Meteor.js because it gives you server-client interactivity out of the box, which is exactly what we were looking for. We’ve had no regrets about the choice.
Interestingly, our development started with Blaze on the client side, as it’s handy for developing quick prototypes. As soon as our team grew, we switched to Vue.js. This jump was easy, as there is a 99% chance that Meteor can be used with any front-end library of your choice.
Since 2019, we are very proud to say, ANY.RUN has been the most popular malware sandbox in the world. And still, our single development team is not that big: it absolutely fits the rule of Amazon’s Jeff Bezos that a team shouldn’t be larger than what two pizzas can feed.
Scaling Meteor for Highload
Scaling Meteor is very easy and exciting! When we decided to release our app to production, there was no particular guide on how to scale Meteor, so we had to find the way on our own.
Over time we came to a solution with a few Meteor instances run by pm2, routed and load-balanced with nginx.
Of course, as with any solution, there can be challenges at the point of scaling. We would like to share our experience with you:
One day we faced a serious issue with the Mongo oplog. It turned out that the CPU went to 100%, and we were working to the bone to find out the reason for it. First, our team decided to perform profiling, but it did not give much of a result, so then we decided to ask on the Meteor forum.
Happily, Meteor has a great community around it, and we found the cult-of-coders redis-oplog package. After we integrated it with our service and Node.js back-end, CPU usage went down to 10–20%, and it hasn’t risen higher since then, knock on wood…
What’s Next?
ANY.RUN is a very fast-growing community of developers and malware researchers. Next year, we are going to release tons of awesome features and new services such as a Threat Intelligence service.
We will extend our community version so there is a place where people can chat with each other and discuss the latest pieces of malware. So, stay tuned! Our small company has grown, and our goal is to beat the market with the best and most useful solution for malware analysts.
Our staff is rapidly growing too, and thus we can develop more complex and advanced features and services. We will raise the bar and go deeper into research and statistics to provide our customers with huge new amounts of data and the features they need, together with an amazing UI for the best user experience.
We hope you will hear a lot from us very soon!
Business Glance at Meteor
Meteor is not just great for production; it is also good for prototyping, to scale the idea of any solution. You can start with one person who will be responsible for everything and gradually divide the work into front-end, back-end, etc.
Moreover, a prototype MVP can be done much faster on Meteor if you compare it with other frameworks (where you have to write front-end and back-end parts separately).
Think about your business logic, and don’t waste your time on things that every app has (like registration/authorization for example). Just use the ready package! Atmosphere.js has lots of them for Meteor.
Meteor packages make it easy to manage your team and focus on what really matters.
Challenges
We like the fact that Meteor is written in JS and, most importantly, is open-source. This helps when we face challenges: when some parts don’t work properly and we’re confused about what to do, we can always look directly at Meteor’s source code and quickly understand how it all works, or add functionality ourselves. Nevertheless, we eventually get almost everything we have ever thought or dreamt of in Meteor.
There are some fundamental issues that we have to solve by ourselves. For example, the WebSocket: there is no protection for the WebSocket connection between the front-end and the back-end, which allows crawlers to automatically download all the data directly from the WebSocket without visiting the front-end part.*
It would be nice to have some sort of protection against that because the DDP limiter is not that safe when the bad guys have millions of IP addresses to use in such an attack.* (quick note here from the Meteor Team: we do have this, it comes prebuilt through our new “App Protection” feature on Galaxy Hosting).
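An added example, not ANY.RUN's or Meteor's code, modelling the point above: a limit counted per client address does not slow an automated client that spreads its connections across many addresses, while a limit counted per account (with one shared budget for anonymous clients) does. The request fields mirror those DDPRateLimiter passes to rule matchers; the limiter class, the publication name `publicTasks`, the user `analyst1` and the traffic are assumptions constructed for illustration.

```javascript
// Simplified fixed-window limiter (a model, not Meteor's DDPRateLimiter code).
// keyFn decides which requests share one counter.
class WindowLimiter {
  constructor(limit, windowMs, keyFn) {
    Object.assign(this, { limit, windowMs, keyFn });
    this.counters = new Map(); // key -> { start, count }
  }
  allow(req) {
    const key = this.keyFn(req);
    const c = this.counters.get(key);
    if (!c || req.time - c.start >= this.windowMs) {
      this.counters.set(key, { start: req.time, count: 1 });
      return true;
    }
    c.count += 1;
    return c.count <= this.limit;
  }
}

// Constructed traffic: 500 anonymous subscriptions spread over 250 source addresses
// within 5 s, plus 5 from one logged-in analyst (hypothetical names throughout).
function buildTraffic() {
  const reqs = [];
  for (let i = 0; i < 500; i++) {
    reqs.push({ type: 'subscription', name: 'publicTasks', userId: null,
      clientAddress: `198.51.100.${i % 250}`, time: i * 10 });
  }
  for (let i = 0; i < 5; i++) {
    reqs.push({ type: 'subscription', name: 'publicTasks', userId: 'analyst1',
      clientAddress: '203.0.113.7', time: i * 1000 });
  }
  return reqs.sort((a, b) => a.time - b.time);
}

function countAllowed(limiter, reqs) {
  const out = { anonymous: 0, loggedIn: 0 };
  for (const r of reqs) if (limiter.allow(r)) out[r.userId ? 'loggedIn' : 'anonymous'] += 1;
  return out;
}

// Same limit (5 requests per 10 s), two different counter keys.
function compare() {
  const byAddress = new WindowLimiter(5, 10000, (r) => r.clientAddress);
  const byIdentity = new WindowLimiter(5, 10000,
    (r) => (r.userId ? `user:${r.userId}` : `anon:${r.name}`));
  const reqs = buildTraffic();
  return { byAddress: countAllowed(byAddress, reqs), byIdentity: countAllowed(byIdentity, reqs) };
}
console.log(compare());
```

A shared anonymous budget also throttles legitimate anonymous visitors, so it fits data that can sit behind a login.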
Finally, we are in a happy, long-lasting relationship with Meteor. We have been using it for 4 years and are very satisfied with it.
We encourage the developer community to give it a try and find out how it will fit your business!
How Any.Run Became The Most Popular Malware Sandbox in the World with Meteor.js. was originally published in Meteor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.