Isn't that just how TI/CounterIntel works? We're not going to share information that could negatively impact ongoing investigations over public channels that can be viewed by anybody. Especially when Emotet can change as quickly as they already do.
Replying to @lazyactivist192 @MalwareTechBlog
Does that dude work in CI? I don’t, so I post what I want - not everybody has the same roles. If it forces the Emotet authors to change their code then it’s something interesting (and yes, bad for threat intel companies).
Replying to @GossiTheDog @lazyactivist192
Forcing the Emotet authors to change their code provides zero value to defense.
Replying to @MalwareTechBlog @lazyactivist192
I think anything that challenges attackers adds value.
Replying to @GossiTheDog @MalwareTechBlog
Oh, so like the IOCs that we produce? And the victim notification that we do? That's gotta challenge the attackers without just handing them our research.
Replying to @lazyactivist192 @GossiTheDog
The attackers already know how their code works, because they wrote it, so I don't understand the problem with leveling the playing field by sharing data with defenders. You don't want them to know you know? It seems obvious that people are reversing malware.
Replying to @taviso @lazyactivist192
some people (who work for TI companies) have economic incentives to not want these tools shared, because it fucks their competitive edge and means they have to do a rewrite.
Replying to @friedphishes @taviso
Or, it's because I like enjoying my weekend and not retooling so that we can have 100% visibility at all times. I know "Companies Bad", but let's not forget that we're all people too. Personally, I had tools like this before I got a job.
Replying to @lazyactivist192 @friedphishes
I see value in professional analysts tracking bad actors. I also get that you feel it's an advantage that you don't have to publish what you know, but malware authors do. That said, I think it's a pretty weak advantage, because it's no secret that people track botnets and unpack malware.
Replying to @taviso @friedphishes
But *how* we are unpacking the malware is important too. And that's something that the actors can definitely change.
Hmm, not convinced about that, it's not like there's a malware author who thinks you can't unpack their code. If there is, you probably don't have to worry about them doing anything too advanced.
Replying to @taviso @lazyactivist192
As I said earlier, it's not that they don't know, it's that they can't respond to every analyst ever, but someone releasing a public tool for all is likely to result in a reaction.