So you'd slow the researcher by a few minutes of extra disassembly time if they needed to be careful - what would the malware authors gain here? A few more potential payments in that timeframe? Same time could be invested in improving the sandbox detection instead of creating fun decoys that will be identified anyway. It was still only version 1, we'll see how v2 evolves.
> Same time could be invested in improving the sandbox detection
It isn't an either-or proposition, and the psychology of the conflict is important. If you force your opponent consider every possible move to be potentially dangerous, you slow them down by more than just the cost of the game with a domain name. And that's valuable.
Googling for "OODA Loop" might be helpful in thinking about this.
One thing I was curious about as I read this was: are there not extenuating circumstances during which the domain registrar can seize a domain? If say, this domain that was unregistered had been registered, is the fact that it's controlled already mean that there's no way to reset it to a new registrar?
viraptor|8 years ago
_jal|8 years ago
It isn't an either-or proposition, and the psychology of the conflict is important. If you force your opponent consider every possible move to be potentially dangerous, you slow them down by more than just the cost of the game with a domain name. And that's valuable.
Googling for "OODA Loop" might be helpful in thinking about this.
dkrich|8 years ago