How Different Are Malware Collected Actively and Passively?

-A new open-source tool chain with malware collection, detection, and analysis is presented, evaluated, and open sourced. It actively collects malware through two channels: web-links and peer-to-peer. Then it detects malware with multiple anti-virus scanners and analyzes their host and network activities on virtual machines. The evaluation shows the differences between the malware collected by the traditional passive honeypot approach and this active approach, in the aspects of distribution, timeliness, and degree of network and host activity, i.e., activeness. These two collections are quite distinct and disjoint. Among the 800 and 354 malware programs collected in one month actively and passively, respectively, 79% of the passively captured malware are active bots and 59% of the actively captured malware are passive Trojans. 16% of actively captured are zero-day malware, but no zero-day malware had been captured by the passive approach. Moreover, the passive approach receives mostly, 98%, malware with network behavior while the active approach collects both, i.e., 77% with network behavior and 23% with only host behavior or no action.