The attackers already know how their code works, because they wrote it, so I don't understand the problem with leveling the playing field by sharing data with defenders. You don't want them to know you know? It seems obvious that people are reversing malware. 
It seems like a good point that they can react to IOCs just as easily as reacting to unpackers though, no? (These are things like hashes, filenames, hostnames, yara sigs, etc that are all easily rotated, right?)
-
-
And they do. I made a yara rule for document detections that I have to now update because they reacted to it and changed.
-
We're already forcing them to change with IOCs. At a certain point you're just needlessly showing all the cards in your hand though.
- 1 more reply
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
