Comment by nneonneo
2 years ago
FWIW: I support your position and wish that there was more trust on the internet. I’m happy that some of these old-school forums still have that level of trust.
But, from a technical perspective, I think it’s naive to assume that you can easily spot obfuscation that’s trying to stay hidden. If I understood your analysis model (open in a hex viewer and scroll around), then it is quite trivial to just add a few normal-looking functions that happen to do things like manually load socket DLLs and make network requests without the API names being visible.
I could even, say, hide the code or data in a table of opaque filter constants or lookup tables, and it wouldn’t have to be much: you can implement a very dumb PE parser and function loader in a couple dozen lines of C, and an IP address target is just 4 bytes which can be smuggled into anything. Open up a socket, read everything from it into an RWX buffer, jump to it and voila, a programmable backdoor. Make the trigger something random so dynamic analysis doesn’t find it immediately.
The Underhanded C Code Contest demonstrates that even with source you can hide malicious behaviour; how are you going to detect malicious behaviour in a binary that’s trying to evade manual detection?
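To make the "an IP address target is just 4 bytes" point concrete, here is an added example that is not part of nneonneo's comment or the thread. It plants an IPv4 address (198.51.100.23, from the RFC 5737 documentation range, so it points at no real host) as one entry in a table that otherwise holds the first entries of the standard CRC-32 lookup table, recovers it the way a loader would, and then runs the kind of "does any constant decode to a routable address?" heuristic a reviewer might try against the same table. The table, the slot index and the heuristic are all constructed for this example; the point it shows is that the scan does find the planted entry but also flags most of the genuine CRC constants, which is why a hex-viewer scroll cannot be trusted to separate the two.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "lookup table": eight genuine CRC-32 table entries with one
 * foreign value (index 3) spliced in. 0xC6336417 is 198.51.100.23 written as
 * a big-endian integer; 198.51.100.0/24 is TEST-NET-2, a documentation range. */
static const uint32_t LOOKUP_TABLE[] = {
    0x00000000u, 0x77073096u, 0xEE0E612Cu, 0xC6336417u,
    0x990951BAu, 0x076DC419u, 0x706AF48Fu, 0xE963A535u,
    0x9E6495A3u,
};
#define LOOKUP_TABLE_LEN (sizeof LOOKUP_TABLE / sizeof LOOKUP_TABLE[0])
#define TARGET_SLOT 3   /* only the planted code knows which entry matters */

/* Render a big-endian uint32 as dotted quad; out must hold 16 bytes. */
char *u32_to_dotted(uint32_t v, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u",
             (unsigned)(v >> 24), (unsigned)((v >> 16) & 0xffu),
             (unsigned)((v >> 8) & 0xffu), (unsigned)(v & 0xffu));
    return out;
}

/* What the hidden loader does: read the slot, and it is a connect() target.
 * (htonl() on the value gives sin_addr directly; networking omitted here.) */
char *recover_target(char out[16])
{
    return u32_to_dotted(LOOKUP_TABLE[TARGET_SLOT], out);
}

/* Reviewer-side heuristic: does this 32-bit constant decode to a unicast
 * address outside the common private/special ranges? Deliberately simple. */
int looks_like_public_ipv4(uint32_t v)
{
    unsigned a = v >> 24, b = (v >> 16) & 0xffu;
    if (a == 0 || a == 10 || a == 127 || a >= 224) return 0; /* this-net, 10/8, loopback, multicast+ */
    if (a == 169 && b == 254) return 0;                      /* link-local */
    if (a == 172 && (b & 0xf0u) == 16) return 0;             /* 172.16/12 */
    if (a == 192 && b == 168) return 0;                      /* 192.168/16 */
    if (a == 100 && (b & 0xc0u) == 64) return 0;             /* 100.64/10 */
    return 1;
}

/* Scan a table, record flagged indices (up to max_hits), return total flagged. */
size_t scan_table(const uint32_t *t, size_t n, size_t *hits, size_t max_hits)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        if (looks_like_public_ipv4(t[i])) {
            if (count < max_hits) hits[count] = i;
            count++;
        }
    }
    return count;
}

int main(void)
{
    char buf[16];
    size_t hits[LOOKUP_TABLE_LEN];
    size_t n = scan_table(LOOKUP_TABLE, LOOKUP_TABLE_LEN, hits, LOOKUP_TABLE_LEN);

    printf("planted target: %s\n", recover_target(buf));
    printf("heuristic flagged %zu of %zu entries:\n", n, (size_t)LOOKUP_TABLE_LEN);
    for (size_t i = 0; i < n; i++)
        printf("  [%zu] 0x%08X -> %s%s\n", hits[i], LOOKUP_TABLE[hits[i]],
               u32_to_dotted(LOOKUP_TABLE[hits[i]], buf),
               hits[i] == TARGET_SLOT ? "  (the planted one)" : "");
    return 0;
}
```

Six of nine entries trip the heuristic, five of them legitimate CRC constants, so the scan gives the reviewer a list to chase rather than an answer; tightening the ranges only trades false positives for misses, since the author can choose any address the filter accepts, or split the four bytes across several entries.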