Have you ever had a look at source code or disassembly? The first is like reading a book where somebody gives the computer instructions. It’s kinda readable (if you learned it) and you can figure out with ‘little’ effort what it’s supposed to do and actually doing.
Disassembly is like opening the maintenance door of a strange machine and you just see millions of moving cogs and wheels. Sure you can figure out what a single cog is for, or how a part of the machine works. But you’d have to trace thousands of movements by hand, sometimes while running. And it takes you days, sometimes weeks to do that. Even with help of quite sophisticated tools.
You’re right there is a difference in effort. That said source code can also be obscure if you are trying to hide something. Behavioural analysis at runtime is effective no matter what, but it typically doesn’t tell anything about code coverage.
Sure. You can try to sneak something in that isn’t obvious. But you can also try to evade behavioural analysis. Not load load your malicious code if you detect you’re running inside a virtual machine. Stop sending packets if some sniffer software is installed, only send data every 2 months, etc… It’s an arms race, either way.
Regarding ‘a difference in effort’: Idk. It’s a pretty big difference. You could also call taking a plane to fly to hawaii for two weeks or swimming there - a difference in effort. And while there might be one or two outliers with obscure code, the majority will be kind of readable. But i agree. You have to be intelligent, pay close attention if somebody tries to sneak something in in plain sight, know how you could be tricked and use multiple tools and approaches simultaneously, to be effective.
Have you ever had a look at source code or disassembly? The first is like reading a book where somebody gives the computer instructions. It’s kinda readable (if you learned it) and you can figure out with ‘little’ effort what it’s supposed to do and actually doing. Disassembly is like opening the maintenance door of a strange machine and you just see millions of moving cogs and wheels. Sure you can figure out what a single cog is for, or how a part of the machine works. But you’d have to trace thousands of movements by hand, sometimes while running. And it takes you days, sometimes weeks to do that. Even with help of quite sophisticated tools.
You’re right there is a difference in effort. That said source code can also be obscure if you are trying to hide something. Behavioural analysis at runtime is effective no matter what, but it typically doesn’t tell anything about code coverage.
Sure. You can try to sneak something in that isn’t obvious. But you can also try to evade behavioural analysis. Not load load your malicious code if you detect you’re running inside a virtual machine. Stop sending packets if some sniffer software is installed, only send data every 2 months, etc… It’s an arms race, either way.
Regarding ‘a difference in effort’: Idk. It’s a pretty big difference. You could also call taking a plane to fly to hawaii for two weeks or swimming there - a difference in effort. And while there might be one or two outliers with obscure code, the majority will be kind of readable. But i agree. You have to be intelligent, pay close attention if somebody tries to sneak something in in plain sight, know how you could be tricked and use multiple tools and approaches simultaneously, to be effective.