Yes, but publishing the tools usually leads to evasive action by the malware developers.
Replying to @MalwareTechBlog @taviso and
I mean, don't they evade in response to IOCs etc too?
1 reply 0 retweets 0 likes -
Replying to @_ta0 @MalwareTechBlog and
Not really. They don't know for sure how we got the IOCs, so how can they change?
1 reply 0 retweets 1 like -
Replying to @lazyactivist192 @MalwareTechBlog and
I mean, they're not idiots - I'm sure they can work out how we found out things like the directories and traffic patterns we identify, or even just how to pack malware slightly differently. This just seems awfully cyclical as a battle.
1 reply 0 retweets 1 like -
Replying to @_ta0 @MalwareTechBlog and
Well, there are several ways to gain all of those things. Maybe we just ran the malware and watched Wireshark for network connections. Maybe we ran INetSim in the background. Plus, we limit what we publish, so that they can't gain much from the IOCs, but we can still help people.
1 reply 0 retweets 0 likes -
Replying to @lazyactivist192 @_ta0 and
In this thread it's pretty well described what data is gained from automated tools, in fairness.
1 reply 0 retweets 1 like -
Replying to @GossiTheDog @_ta0 and
The only thing truly automated is the binary collection. Up until recently, IP IOCs and URLs were near manual extraction. URLs especially were manual extraction.
1 reply 0 retweets 0 likes -
Replying to @lazyactivist192 @GossiTheDog and
It seems like a good point that they can react to IOCs just as easily as reacting to unpackers though, no? (These are things like hashes, filenames, hostnames, YARA sigs, etc. that are all easily rotated, right?)
1 reply 0 retweets 0 likes -
Replying to @taviso @GossiTheDog and
And they do. I made a YARA rule for document detections that I now have to update because they reacted to it and changed.
1 reply 0 retweets 0 likes -
Replying to @lazyactivist192 @taviso and
We're already forcing them to change with IOCs. At a certain point you're just needlessly showing all the cards in your hand though.
1 reply 0 retweets 0 likes
Yes, but our point is it's not needless, it does have some advantage!