Rendering an object using multiple versions of an application in a single process for dynamic malware analysis
US-10482239-B1 · Nov 19, 2019 · US
US12013941B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12013941-B2 |
| Application number | US-201917255958-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 28, 2019 |
| Priority date | Jun 28, 2018 |
| Publication date | Jun 18, 2024 |
| Grant date | Jun 18, 2024 |
Official abstract text for this publication.
A security service can determine a synthetic context based at least in part on context data associated with a first malware sample, and detonate the first malware sample in the synthetic context to provide one or more first event records representing events performed by the first malware sample and detected during detonation. Additionally or alternatively, the security service can detonate the first malware sample and locate a second malware sample in a corpus based at least in part on the one or more first event records. Additionally or alternatively, the security service can receive event records representing events detected during a detonation of a first malware sample, the detonation based at least in part on context data, and locate a second malware sample in the corpus based at least in part on the one or more reference event records.
Opening claim text (preview).
What is claimed is:

1. A system comprising a first computing device running a security agent and a second computing device running a security service wherein: the security agent is configured to: determine context data associated with a file present at the first computing device; and transmit the context data and an indication of the file to the security service; and the security service is configured to: determine a synthetic context based on the context data; detonate the file in the synthetic context to provide detonation data, the detonation data including event records representing events detected during detonation of the file; determine, based on the event records, a first detectable indicator (DI) of a set of detectable indicators associated with the file, a first confidence level associated with the first DI indicating a degree of occurrence of the first DI in the set of detectable indicators; transmit the first DI to a security device, causing the security device to block a program that exhibits the first DI; and locate, in a corpus of malware samples, a malware sample that is similar to the file based on the detonation data.

2. The system according to claim 1, wherein the security agent is configured to at least: carry out first operations to: block an attempt to execute the file; and determine the context data comprising at least some data associated with the attempt; or carry out second operations to: block an operation of the file during execution of the file, wherein the file comprises processor-executable instructions to carry out the operation of the file; and determine the context data comprising at least some data associated with the operation of the file.

3. The system according to claim 1, wherein: the security service is further configured to: determine one or more second detectable indicators, DIs, based at least in part on at least the file or the malware sample; and transmit the one or more second DIs to the security device; and the security device is further configured to block a second program that exhibits at least one of the one or more second DIs.

4. The system according to claim 1, wherein the security service is further configured to detonate the malware sample in the synthetic context.

5. A method of analyzing a first malware sample, the method comprising: determining a synthetic context based at least in part on context data associated with the first malware sample; detonating the first malware sample in the synthetic context to provide one or more first event records representing events performed by the first malware sample and detected during detonation; locating a second malware sample in a corpus comprising malware samples and second event records associated with the malware samples at least partly by selecting, from the malware samples, the second malware sample associated with one or more second event records that satisfy a predetermined similarity criterion with respect to the one or more first event records; determining a first behavior indicator based at least in part on the first event records; determining, for individual malware samples in the corpus, respective second behavior indicators based at least in part on the second event records associated with the individual malware samples; selecting, from the individual malware samples, the second malware sample having the respective second behavior indicator matching the first behavior indicator; and determining the first behavior indicator so that the first behavior indicator is not associated with a third sample, wherein the third sample is not known to be malware.

6. The method according to claim 5, further comprising: determining, based at least in part on at least one of the first event records, a first task tree associated with the first malware sample, the first task tree indicating one or more first tasks; locating the second malware sample associated with a second task tree matching the first task tree, wherein the corpus comprises a plurality of task trees associated with the malware samples and the plurality of task trees comprises the second task tree.

7. The method according to claim 6, wherein: the corpus comprises task-tree hash values associated with the malware samples; and the method further comprises: determining a first hash value based at least in part on the first task tree; and locating, in the corpus, the second malware sample having the associated task-tree hash value equal to the first hash value.

8. The method according to claim 7, further comprising: determining the first hash value further based at least in part on at least: a file type of the first malware sample; a file size of the first malware sample; or a first event record representing network traffic initiated by the first malware sample during detonation.

9. The method according to claim 7, further comprising determining the first hash value at least partly by: determining at least two invocation strings, each representing an invocation of a respective one of the one or more first tasks; determining a hash-input string comprising the at least two invocation strings; and determining the first hash value as a hash of the hash-input string.

10. The method according to claim 9, further comprising determining at least one invocation string of the at least two invocation strings based at least in part on a corresponding command line by at least: replacing a pattern occurring in the command line with a corresponding marker string; removing characters in a predetermined set of characters from the command line; splitting arguments out of the command line; or sorting the arguments.

11. The method according to claim 5, further comprising locating a third malware sample having at least one byte sequence or hash value in common with the first malware sample.

12. A method of analyzing malware, the method comprising: detonating a first malware sample based at least in part on context data associated with the first malware sample to provide one or more first event records representing events and detected during detonation of the first malware sample; determining a first detectable indicator of a set of detectable indicators based at least in part on the first event records; determining a first confidence level associated with the first detectable indicator; transmitting the first detectable indicator in association with the first confidence level via a network; locating a second malware sample in a corpus based at least in part on the one or more first event records; detonating the second malware sample based at least in part on the context data to provide one or more second event records representing events detected during detonation of the second malware sample; and determining the first confidence level associated with the first detectable indicator based at least in part on a degree of occurrence of the first detectable indicator in the set of detectable indicators.

13. The method according to claim 12, further comprising: determining a second detectable indicator of a set of detectable indicators based at least in part on the first event records; determining a third detectable indicator of a set of detectable indicators based at least in part on the one or more second event records; determining a second confidence level associated with the second detectable indicator based at least in part on a degree of occurrence of the second detectable indicator in the set of detectable indicators; determining a third confidence level associated with the third detectable indicator based at least in part o
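The task-tree hashing of claims 7 through 10 (normalize each task's command line into an invocation string, join the strings into a hash input, hash it, and look the hash up in the corpus) is easier to follow in code. The example below is added here and is not the patent's or any assignee's code; the marker patterns, the stripped character set, the choice of SHA-256, the `(depth, command_line)` tree representation and the two sample process trees are all constructed assumptions.

```python
import hashlib
import re

# Assumed normalization rules (claim 10, "replacing a pattern ... with a
# corresponding marker string"): run-specific values such as GUIDs, user
# profile paths and long hex blobs become markers so that two detonations of
# related samples produce the same invocation string.
PATTERNS = [
    (re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"), "<guid>"),
    (re.compile(r"[a-z]:\\users\\[^\\\s]+"), "<userprofile>"),
    (re.compile(r"[0-9a-f]{16,}"), "<hex>"),
]
STRIP_CHARS = set("\"'")  # assumed "predetermined set of characters" to remove

def invocation_string(command_line: str) -> str:
    """Claim 10: replace patterns, remove characters, split arguments, sort them.
    The program token is kept first; only its arguments are sorted."""
    text = command_line.lower()
    for pattern, marker in PATTERNS:
        text = pattern.sub(marker, text)
    text = "".join(ch for ch in text if ch not in STRIP_CHARS)
    tokens = text.split()
    if not tokens:
        return ""
    return " ".join([tokens[0], *sorted(tokens[1:])])

def task_tree_hash(task_tree, extra_attributes=()):
    """Claims 7 to 9: one invocation string per task (depth kept so the tree
    shape matters), joined into a hash-input string and hashed with SHA-256.
    extra_attributes carries claim 8 inputs such as the file type."""
    lines = [f"{depth}:{invocation_string(cmd)}" for depth, cmd in task_tree]
    hash_input = "|".join(str(a) for a in extra_attributes) + "\n" + "\n".join(lines)
    return hashlib.sha256(hash_input.encode("utf-8")).hexdigest()

def locate_matches(corpus, query_hash):
    """Claim 7: return corpus sample ids whose task-tree hash equals the query."""
    return sorted(sid for sid, h in corpus.items() if h == query_hash)

# Constructed process trees as (depth, command_line); not real telemetry.
# SAMPLE_B differs from SAMPLE_A only in user name, temp-file hex, GUID and
# argument order, which the normalization is meant to absorb.
SAMPLE_A = [
    (0, r'"C:\Users\alice\AppData\Local\Temp\dropper_7f3a9c2e1b4d6e8f.exe" /silent /k'),
    (1, r'cmd.exe /c powershell -nop -w hidden -enc SGVsbG8='),
    (2, r'powershell -nop -w hidden -enc SGVsbG8='),
    (1, r'schtasks /create /tn {3f2504e0-4f89-11d3-9a0c-0305e82c3301} /tr C:\Users\alice\upd.exe /sc minute'),
]
SAMPLE_B = [
    (0, r'C:\Users\bob\AppData\Local\Temp\dropper_c0ffee0123456789ab.exe /k /silent'),
    (1, r'cmd.exe /c powershell -w hidden -nop -enc SGVsbG8='),
    (2, r'powershell -w hidden -nop -enc SGVsbG8='),
    (1, r'schtasks /tr C:\Users\bob\upd.exe /create /sc minute /tn {9d1e6a4b-2c3f-4a5b-8c7d-1e2f3a4b5c6d}'),
]
```

Sorting arguments deliberately discards flag-to-value pairing, so hash equality is a clustering hint for the similarity step of claim 5, not proof that two samples are the same family.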
Assessing vulnerabilities and evaluating computer system security · CPC title
Test or assess a computer or a system · CPC title
using dedicated hardware · CPC title
Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities · CPC title