[HN Gopher] Cyber Scarecrow
___________________________________________________________________
Cyber Scarecrow
Author : toby_tw
Score : 506 points
Date : 2024-06-18 08:08 UTC (14 hours ago)
(HTM) web link (www.cyberscarecrow.com)
(TXT) w3m dump (www.cyberscarecrow.com)
| nubinetwork wrote:
| If you're going to go through the effort of faking
| honeypot/analysis tools, why not just run them?
| ok_dad wrote:
| Costs a lot of cycles to run those for real, and it's not super
| common to get infected with anything, so you're wasting cycles
| for a small chance at avoiding it. This could be better since,
| I assume, it doesn't do a lot of stuff.
| exe34 wrote:
| can you nice them?
| JoosToopit wrote:
| To make them imitate the real activity? To imitate what
| scarecrow does?
| CyberScarecrow wrote:
| Author of scarecrow here. The idea is cyber scarecrow is just
| super easy and light weight for anyone to use. Honeypot tech
| tends to need some good tech understanding to use (e.g. the CLI),
| and can be a bit heavyweight for always running in the
| background of your computer.
| scosman wrote:
| Fun concept.
|
| If the creators read this, I suggest some ways of building trust.
| There's no "about us", no GitHub link, etc. It's a random webpage
| that wants my personal details, and sends me an "exe". The overlap
| of people who understand what this tool does, and people who
| would run that "exe" is pretty small.
| vmfunction wrote:
| It is a cat and mouse game. And security by obscurity practice.
| Not saying it won't work, but if it is open sourced, how long
| before the malware will catch on?
|
| Here is one on github:
|
| https://github.com/NavyTitanium/Fake-Sandbox-Artifacts
| xyzzy123 wrote:
| The really fun part is when malware authors add detections
| for "fake sandbox" and then real sandbox authors get to add
| those indicators.
| vmfunction wrote:
| Look into the Windows NT source code that was leaked. The if-
| else/switch statements in there are just another level of
| string matching hell. Seems like software development has just
| become "let's jerry-rig it to just make it work and forget
| about it." Pretty sure management (without a tech clue) has
| something to do with behaviours like this.
| 1992spacemovie wrote:
| > Pretty sure management (without a tech clue) has
| something to do with behaviours like this.
|
| Always the same bullshit with you people here. Could it
| never possibly be that someone built a sub-optimal system -- it
| HAD to be management fucking with our good intentions!
| westmeal wrote:
| Lemme guess you're a manager.
| CyberScarecrow wrote:
| Author of scarecrow here. Our thinking is that if malware
| starts to adapt and check if scarecrow is installed, we are
| doing something right. We can then look to update the app to
| make it more difficult to spot - but it's then a cat and mouse
| game.
| hluska wrote:
| You had an answer canned for one part of the query. Why are
| you trying to release security software completely
| anonymously? This is insane - you want an incredible amount
| of trust from users but can't even identify a company.
|
| Simply, if users are as intelligent as you think, they're
| too intelligent to use your product.
| dylan604 wrote:
| If you think that is what _will_ make it a cat and mouse
| game instead of understanding it has been a cat and mouse
| game since the beginning of time, then you're not
| compelling me into thinking you're very experienced in this
| space.
| boxed wrote:
| If Windows had this built in, it would make
| malware authors' jobs much more difficult. I like that.
| self_awareness wrote:
| Some malware will catch on, some will not. It's a cost vs
| profit problem. Statistically, this will always decrease the
| number of possible malware samples that can be installed on
| the machine, but by what margin? Impossible to say.
| port19 wrote:
| I'd be willing to bet good money that 99% of malware authors
| won't adapt, since 99% (more like 99.999%) of the billions of
| worldwide windows users will not have this installed.
|
| For the cat to care about the mouse it needs to at least be a
| good appetizer.
| ferfumarma wrote:
| I think this is the same thing as betting on your own
| failure: "not enough people will use this for it to be an
| important consideration for hackers".
| Sebb767 wrote:
| I've worked in companies with horrendous security, where
| someone with just a bit of SQL injection experience could
| have easily carried the data off. Yet, since this was a
| custom in-house application and your off-the-shelf
| scanners did not work, this never happened; the only
| times the servers were hacked was when the company
| decided to host an (obviously never updated)
| grandfathered Joomla instance for a customer.
|
| But even more simply, just setting your SSH port to
| something >10000 is enough to get away with a very
| mediocre password. It's mostly really not about being a
| hard target; not being the easiest one is likely quite
| sufficient :)
| giobox wrote:
| > But even more simply, just setting your SSH port to
| something >10000 is enough to get away with a very
| mediocre password.
|
| Given how easy and free tools like Wireguard are to setup
| now (thanks Tailscale!), I really don't understand why
| folks feel the need to map SSH access to a publicly
| exposed port at all anymore for the most part, even for
| throw away side projects.
| dylan604 wrote:
| If I were to run a Windows computer, I wouldn't care what
| 99.999% of other people didn't do to make their computer
| safe. If it were something that I could do, then that's
| good enough for me. However, the best thing one can do to
| protect themselves from Windows malware is to _not_ use
| Windows. This is the path I've chosen for myself.
| RajT88 wrote:
| Not just that - it only works on smart malware.
|
| There is plenty of dumb malware.
|
| Security folks seem to get overly focused at times on the
| most sophisticated attackers and forget about the unwashed
| hordes.
| linsomniac wrote:
| It's not a cat and mouse game; it's a diver and shark game. In
| SCUBA training we joked that you had the "buddy system" where
| you always dive in pairs, because that way if you encounter a
| shark you don't have to outswim the shark, you only have to
| outswim your buddy.
|
| A low-effort activity that makes you not be the low-hanging
| fruit can often be worth it. For example, back in the '90s I
| moved my SSH port from 22 to ... not telling you! It's pretty
| easy to scan for SSH servers on alternate ports, but
| basically none of the worms do that.
| HPsquared wrote:
| A lot of security stuff is a bit ironic like that. "Give this
| antivirus software super-root access to your machine".. it
| depends on that software being trustworthy.
| CyberScarecrow wrote:
| Author of cyber scarecrow here. Thank you for your feedback,
| and you are 100% right. We also don't have a code signing
| certificate yet either; they are expensive for Windows.
| SmartScreen also triggers when you install it. I'd be wary of
| installing it myself as well, especially considering it runs as
| admin, to be able to create the fake indicators.
|
| I have just added a bit of info about us on the website. I'm
| not sure what else we can do really. It's a trust thing, same
| with any software and AV vendors.
| Z7YCx5ieof4Std wrote:
| Is it possible to fake being from Russia? I heard some
| malware won't install on computers from Russia or with the
| Russian language as the primary language.
| CyberScarecrow wrote:
| Great idea. Looking at installing an additional keyboard or
| language without it being annoying to the user is next on
| the feature list.
| llama_drama wrote:
| This might not be a good idea. There are some reports of
| malware (npm packages, iirc) specifically targeting
| Russian computers since the invasion.
| n2d4 wrote:
| This can have the opposite effect too:
| https://arstechnica.com/information-
| technology/2022/03/sabot...
| kozak wrote:
| And be targeted by cyberwarfare from the first-world side.
| DougN7 wrote:
| Or has the Russian keyboard installed, even if not used
| IIRC.
| whaleofatw2022 wrote:
| Russia has serious penalties for hacking their citizens.
|
| Not for hacking non citizens
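The locale check that Z7YCx5ieof4Std, CyberScarecrow and DougN7 are discussing above, written out as an added example. This is not code from Cyber Scarecrow or from any malware family; the set of excluded languages and the constructed HKL values are assumptions for illustration. What it shows is why an installed layout counts even when it is never used: a keyboard layout handle (HKL) carries the language ID in its low 16 bits, and a check that masks down to the primary language ID (the `PRIMARYLANGID` macro from winnt.h) also catches sublanguage variants.

```python
"""Keyboard-layout / UI-language exclusion check (added illustration).

Not Cyber Scarecrow's code and not any real malware's; the language list
and the constructed sample values below are assumptions.
"""
import ctypes
import sys

# Primary language IDs from winnt.h. Illustrative subset of the languages
# such "do not run here" checks typically look for; real lists vary.
EXCLUDED_PRIMARY_LANGS = {
    0x19: "Russian",
    0x22: "Ukrainian",
    0x23: "Belarusian",
    0x3F: "Kazakh",
    0x40: "Kyrgyz",
    0x42: "Turkmen",
    0x43: "Uzbek",
    0x28: "Tajik",
    0x2B: "Armenian",
    0x2C: "Azerbaijani",
    0x37: "Georgian",
}

# Constructed sample: an en-US UI language with a US layout and a Russian
# layout installed (HKL 0x04190419), the "installed but never used" case.
SAMPLE_UI_LANG = 0x0409
SAMPLE_HKLS = [0x04090409, 0x04190419]


def primary_lang(lang_id):
    """PRIMARYLANGID(lgid) = lgid & 0x3FF; drops the sublanguage bits."""
    return lang_id & 0x3FF


def hkl_language_id(hkl):
    """The low word of a keyboard layout handle is the layout's LANGID."""
    return hkl & 0xFFFF


def excluded_languages(ui_lang_id, keyboard_hkls):
    """Names of excluded languages seen in the UI language or any installed layout.

    A layout that is installed but never switched to still shows up here,
    which is the point DougN7 makes above.
    """
    found = set()
    candidates = [ui_lang_id] + [hkl_language_id(h) for h in keyboard_hkls]
    for lang_id in candidates:
        name = EXCLUDED_PRIMARY_LANGS.get(primary_lang(lang_id))
        if name:
            found.add(name)
    return found


def query_windows():
    """Live values via kernel32/user32; only callable on Windows."""
    kernel32 = ctypes.windll.kernel32
    user32 = ctypes.windll.user32
    ui_lang = kernel32.GetUserDefaultUILanguage()
    count = user32.GetKeyboardLayoutList(0, None)   # ask for the size first
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return ui_lang, [h or 0 for h in buf]


if __name__ == "__main__":
    if sys.platform == "win32":
        ui_lang, hkls = query_windows()
    else:
        ui_lang, hkls = SAMPLE_UI_LANG, SAMPLE_HKLS
    print("UI language: 0x%04X, layouts: %s"
          % (ui_lang, ["0x%08X" % h for h in hkls]))
    print("excluded languages present:", sorted(excluded_languages(ui_lang, hkls)))
```

On the decoy side, the PowerShell `International` module's `Get-WinUserLanguageList` / `Set-WinUserLanguageList` cmdlets are the supported way to add a language to the user's list. Note that what this buys you is only protection from code that runs this particular check; as llama_drama and n2d4 point out, the same signal has been used in the opposite direction.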
| kiney wrote:
| Not very convincing tbh. There's no source code and no real
| name or company on the website...
| efilife wrote:
| It ceases to be a trust thing once you open source the code
| wongarsu wrote:
| In a world where everybody builds from source or downloads
| from a trusted build service
| shadowgovt wrote:
| ... and trusts their entire toolchain hasn't been
| compromised.
| beeboobaa3 wrote:
| github link? if it's not open source it's dead on arrival
| AnthonyMouse wrote:
| > We also dont have a code signing certificate yet either,
| they are expensive for windows.
|
| When someone is offering you a certificate and the only thing
| you have to do in order to get it is pay them a significant
| amount of money, that's a major red flag that it's either a
| scam or you're being extorted. Or both. In any case you
| should not pay them and neither should anyone else.
| DougN7 wrote:
| Besides paying money you also go through a (pretty
| simplistic) audit. It's about the only way we have to know
| who published some code, which is important. If you can
| come up with a better way you should implement it and we'll
| all follow.
|
| As a side note, I've been trying to figure out how to get
| an EV code signing cert that isn't tied to me (want to make
| a tool Microsoft won't like and don't want retaliation to
| hurt my business) but I haven't come up with a way to do it
| - which is a good thing I suppose.
| hunter2_ wrote:
| Can you have someone else go through the process of
| getting it, like a Craigslist rando to whom you pay cash?
| wongarsu wrote:
| If said Craigslist rando likes getting police visits and
| potentially being criminally liable for helping you
| commit a felony ...
|
| All code signing promises to give you the name of a real
| person or company that signed the binary. From there it's
| the end user's responsibility to decide if they trust
| that entity.
|
| In practice the threat of the justice system makes any
| signed executable unlikely to be malicious. But that
| doesn't mean you have to uncritically trust a binary
| signed by Joe Hobo
| newzisforsukas wrote:
| > In practice the threat of the justice system makes any
| signed executable unlikely to be malicious.
|
| What threats are those? Where are all the people going to
| jail for falsely signed software? The Stuxnet authors
| seem to be in the wind.
| wongarsu wrote:
| The threat is that if you sign malware with your name you
| will be quickly connected with said malware. If you don't
| live in a country that turns a blind eye to cyber crime
| that is a quick ticket to jail.
|
| Of course people stealing other people's signing keys is
| an issue. But EV code signing certificates are pretty
| well protected (requiring either a hardware dongle or
| 2FA). It's not impossible for a highly sophisticated
| attacker, but it's a pretty high bar.
| firesteelrain wrote:
| There's a reason it costs money and it's because the CAs
| have to undergo costly audits. Microsoft publishes a list
| of trusted CAs:
|
| https://ccadb.my.salesforce-
| sites.com/microsoft/IncludedCACe...
| a1o wrote:
| This looks like a random website and not a Microsoft
| website. How could I trust such list?
| firesteelrain wrote:
| Because it came from this site:
| https://learn.microsoft.com/en-us/security/trusted-
| root/part...
|
| I used Google to search for "list of microsoft trusted
| CA".
| firesteelrain wrote:
| Looks like people have no experience with CA audits or
| security controls
| hluska wrote:
| There's an audit to go through where you (sort of) prove
| who you are. The system isn't great, but if you can come up
| with something better there's a lot of space to make
| software more secure for people.
| yamakadi wrote:
| I'm sure it's closed source for the eventual plans to
| monetize it, but what's the real difference to something like
| https://github.com/NavyTitanium/Fake-Sandbox-Artifacts and
| why can't you at least name yourselves?
|
| Not much software promises to fend off attackers, asks for an
| email address before download, and creates a bunch of
| processes using a closed-source DLL the existence of which
| can easily be checked.
|
| Then again, not much malware targeting consumers at random
| checks for security software. You are more likely to see
| malware stop working if you fake the amount of RAM and CPU
| and your network driver vendor than if you have CrowdStrike,
| etc. running.
| mistercheph wrote:
| I am pretty sure this is just malware being upvoted with
| sockpuppet accounts, I'm surprised it hasn't been flagged.
| twixfel wrote:
| There are things that you can do that make you seem
| trustworthy, and you've done none of them.
| hyperific wrote:
| Something that would have built trust with me that I didn't
| find on the site was any mention of success rate. Surely
| CyberScarecrow has been tested against known malware to see
| if the process successfully thwarts an attack.
| px43 wrote:
| Obviously this should be an open source tool that people can
| build for themselves. If you want to sell premium services or
| upgrades for it later, you need to have an open/free tier as
| well.
|
| Also are you aware of the (very awesome) EDR evasion toolkit
| called scarecrow? Naming stuff is hard, I get that, but this
| collision is a bit much IMO.
|
| https://github.com/Tylous/ScareCrow
| eganist wrote:
| It's a neat concept, although I imagine this'll be a cat and
| mouse endeavor that escalates _very_ quickly. So, a
| suggestion - apply to the Open Technology Fund's Rapid
| Response Fund. I'd probably request the following in your
| position:
|
| * code signing certificate funding
|
| * consulting/assessment to harden the application or concept
| itself as well as to make it more robust (they'll probably
| route through Cure53)
|
| * consulting/engineering to solve for the "malware detects
| this executable and decides that the other indicators can be
| ignored" problem, or consulting more generally on how to do
| this in a way that's more resilient.
|
| If you wanted to fund this in some way without necessarily
| doing the typical founder slog, might make sense to 501c3 in
| the US and then get funded by or license this to security
| tooling manufacturers so that it can be embedded into
| security tools, or to research the model with funding from
| across the security industry so that the allergic reaction by
| malware groups to security tooling can be exploited more
| systemically.
|
| I imagine the final state of this effort might be that
| security companies could be willing to license decoy versions
| of their toolkits to everyone that are bitwise identical to
| actual running versions but then activate production
| functionality with the right key.
| sangnoir wrote:
| > consulting/engineering to solve for the "malware detects
| this executable and decides that the other indicators can
| be ignored" problem, or consulting more generally on how to
| do this in a way that's more resilient.
|
| This would be a boon for security folk who analyze/reverse
| malware: they can add/simulate this tool in their VMs to
| ensure the malware being analyzed doesn't deactivate
| itself!
| CodeWriter23 wrote:
| > decoy versions of their toolkits to everyone that are
| bitwise identical to actual running versions but then
| activate production functionality with the right key
|
| I kinda think this functionality could be subverted into a
| kill switch for legit-licensed installs simply by altering
| the key.
| eganist wrote:
| I mean, the existing licensing mechanisms can be
| similarly abused.
| rft wrote:
| Concerning code signing: Azure has a somewhat new offering
| that allows you to sign code for Windows (SmartScreen
| compatible) without having an EV cert. It is called "Trusted
| Signing" [1], non-marketing docs [2]. The major gotcha is
| that currently you need to have a company or similar entity 3
| years or older to get public trust. I tried it with a company
| younger than 3 years and was denied. You might have a company
| that fits that criteria or you might get lucky.
|
| The major upside is the pricing: currently "free" [3] during
| testing, later about 10 USD/month. As there doesn't seem to
| be a revocation mechanism based on some docs I read, signed
| binaries might be valid even after a canceled subscription.
|
| [1] https://azure.microsoft.com/en-us/products/trusted-
| signing
|
| [2] https://learn.microsoft.com/en-us/azure/trusted-
| signing/quic...
|
| [3] You need a CC and they will likely charge you at some
| point. Also I had to use some kind of business Azure/MS 365
| account which costs about 5 USD/month. Not sure about the
| exact lingo, not an Azure/MS expert. The docs in [2] were
| enough for me to get through the process.
| Tepix wrote:
| So $10+$5 per month versus $195 per year?
|
| That's not a big discount.
| jagged-chisel wrote:
| 64% is indeed a hefty discount
| housebear wrote:
| Where is that additional info? It just says you're a group of
| security researchers, but there are no names, no verifiable
| credentials, nothing. You haven't really added any info that
| would contribute to any real trust.
| notreallyauser wrote:
| You're collecting personal info and claiming to be in the UK:
| identifying the data controller would be a start, both for
| building trust and complying with GDPR.
| peter_l_downs wrote:
| One more thing you could do is put the real name of any human
| being with any track record of professionalism, anywhere on
| the website. Currently you're:
|
| - commenting under a pseudonymous profile
|
| - asking for emails by saying "please email me. contact at
| cyberscarecrow.com"
|
| - describing yourself in your FAQ entry for "Who are you?" by
| writing "We are cyber security researchers, living in the UK.
| We built cyber scarecrow to run on our own computers and
| decided to share it for others to use it too."
|
| I frequently use pseudonymous profiles for various things but
| they are NOT a good way to establish trust.
| kazinator wrote:
| > _It's a random webpage that wants my personal details, and
| sends me a "exe"._
|
| No different from McAfee, Trend Micro, Symantec. Oh, but
| those are brand names you can trust, like Coca-Cola and
| Kellogg's Corn Flakes.
| diegolas wrote:
| well... yes, that's what trust means
| Brian_K_White wrote:
| You can't spot the super subtle difference between a name
| with a rep to protect and a no-name?
| digging wrote:
| Besides the obvious points made by others, those are odd
| choices. I don't trust any of those brands.
| michaelmior wrote:
| > The overlap of people who understand what this tool does, and
| people who would run that "exe" is pretty small.
|
| Unfortunately (at least outside of HN) "people who understand
| what this tool does" probably isn't a subset of "people who
| would run that "exe"."
| tgv wrote:
| Isn't the risk then that they'll first start scanning for
| "Scarecrow", or is that hidden somehow?
|
| Also somewhat surprised the source isn't available. That makes
| trusting it harder, especially to the people it's aimed at.
| jstanley wrote:
| Well then you just need to put scarecrow on your honeypot
| boxes.
| jabroni_salad wrote:
| ah, so I shall use scarecrow in my analysis machines since the
| malware will think I'm just pretending to examine it :)
|
| If you start down this path you will end up in mindgame hell.
| omeid2 wrote:
| When will Scarecrow Advanced++ with NextGen Anti-Detection and
| Cloaking be released?
|
| Jokes aside, this is a temporary fix at best, a waste of
| resources and impression of safety at worst.
| xarope wrote:
| Scarecrow Cloud Native AI with Nextgen Quantum Crypto XR ++
|
| (bingo?)
| CyberScarecrow wrote:
| Author of scarecrow here. We're working on an LLM and a
| blockchain first ;-) (joke)
| shoo wrote:
| ssshhhhh, not so loud, they'll hear you and add scarecrows to
| the checklist of mandatory runtime security requirements for
| production services
| helsinkiandrew wrote:
| I would assume there would be a small intersection of people that
| would download and install a windows program from an unknown web
| page and those that are worried about malware.
|
| But perhaps I'm wrong
| deno wrote:
| I know people /plural/ that will happily download cracked
| antivirus software from a torrent site.
| pbhjpbhj wrote:
| Agree, you should get yourself backdoored by a trustworthy
| company like Sony. /s
| hobs wrote:
| That made sense before cryptocurrency, not after.
| px43 wrote:
| Many torrent sites have stronger reputation vetting than
| Microsoft code signing certs.
| astrodust wrote:
| I mean you can look at the comments and check the vibe.
| CyberScarecrow wrote:
| Author of cyber scarecrow here. You are right, it's a trust
| thing. Completely understand if people wouldn't want to install
| it and that's fine. It's the same for any software really. We
| just haven't built up any confidence or trust like a big
| established company will have.
| peddling-brink wrote:
| But why not make it open source? Why not identify who you are
| as humans?
|
| There are ways to establish trust, you aren't doing any of
| them.
| kaashif wrote:
| At this point, the simplest explanation is that it actually
| is malware. A more credible explanation than security
| researchers making something that looks this much like
| malware, but actually isn't.
| 1oooqooq wrote:
| because they know how to sell software. closed source. for
| windows. things gov mandate allows plenty of budget. etc.
| seabass-labrax wrote:
| Even the WHOIS response gives "Privacy service provided by
| Withheld for Privacy ehf" under the contact field. The
| developers claim to be living in the UK, but don't provide
| any legal identity - and it's not hard; you don't even need
| to be a British resident to start a shell company in
| Britain.
| iforgotpassword wrote:
| Narrator: and so the arms race continues.
|
| I guess if this gets enough attention, malware will just add more
| sophisticated checks and not just look at the exe name.
|
| But on that note, I wondered the same thing at my last workplace
| where we'd only run windows in virtual machines. Sometimes these
| were quite outdated regarding system and browser updates, and
| some non-tech staff used them to browse random websites. They
| were never hit by any crypto malware and whatnot, which surprised
| me a lot at first, but at some point I realized the first thing
| you do as even a halfway decent malware author is checking
| whether you run in a virtualized environment.
| curtisblaine wrote:
| > I guess if this gets enough attention, malware will just add
| more sophisticated checks and not just look at the exe name.
|
| But more sophisticated detection means bigger payload (making
| the malware easier to detect) and more complexity (making the
| malware harder to make / maintain), so mission accomplished.
| saagarjha wrote:
| Not by much. Probably less effort than you're putting in
| trying to avoid the malware, so it's a net loss.
| xiphias2 wrote:
| The more scarecrow is installed, the easier it gets for
| real security researchers to hide from these checks and
| detect viruses. So actually the dynamic helps security
| research.
| saagarjha wrote:
| That's not how this works.
| oefrha wrote:
| "Sophisticated" detection can be as simple as checking rss
| and pcpu, the bullshit decoy processes probably aren't
| wasting a lot of CPU and RAM, otherwise might as well run the
| real things; if they are, well, just avoid, who cares. So no,
| it's not going to meaningfully complicate anything.
| curtisblaine wrote:
| Wouldn't that be more fragile though? CPU usage is not
| constant in time, so if - again - you're not sophisticated
| enough, you get more false negatives / positives, depending
| on which side of the heuristic you err.
| oefrha wrote:
| This is only useful for dragnet malware targeting the
| masses, where false positives/negatives have low impact
| to begin with. High value targets can run the real
| programs if this is proven to have any effect -- the
| average corporate IT can approve some more bloat for
| security, no problem. Also, you take a sample.
| GordonS wrote:
| Nope, just check the process executable's digital signature -
| pretty simple.
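The checks debated above by curtisblaine, oefrha and GordonS (name match alone; name plus working-set and CPU-time thresholds; name plus the image's Authenticode signature), written out as an added example. This is not code from Cyber Scarecrow or from any malware family; the process-name list, the thresholds and the constructed `tasklist /FO CSV /V` listing are assumptions. The point it makes concrete is that a decoy which exists in name only has no working set and no CPU time of its own and, as the author says above, no code-signing certificate, so the cheap strengthening of the check already tells it apart from the real tool.

```python
"""Decoy-aware "am I being analysed?" check, as dragnet malware might write it.

Added illustration; not Cyber Scarecrow's code and not any real sample's.
Process names, thresholds and the sample listing are assumptions. Column
headers are those of an English-locale `tasklist /FO CSV /V`.
"""
import csv
import io
import subprocess
import sys

# Process names often treated as analysis-box indicators (illustrative subset).
ANALYSIS_PROCESSES = {
    "procmon.exe", "procmon64.exe", "procexp.exe", "procexp64.exe",
    "wireshark.exe", "x64dbg.exe", "x32dbg.exe", "ollydbg.exe",
    "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe",
}

# Constructed listing: a normal desktop plus two decoys that carry an
# analysis-tool name but have a tiny working set and no CPU time.
SAMPLE_TASKLIST = '''\
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Services","0","144 K","Unknown","NT AUTHORITY\\SYSTEM","0:01:12","N/A"
"explorer.exe","1184","Console","1","98,416 K","Running","DESKTOP\\user","0:00:41","N/A"
"Procmon64.exe","2208","Console","1","1,204 K","Running","DESKTOP\\user","0:00:00","N/A"
"Wireshark.exe","2216","Console","1","1,180 K","Running","DESKTOP\\user","0:00:00","N/A"
'''


def _mem_kb(field):
    """'98,416 K' -> 98416; keeps digits only so other locales' separators also parse."""
    digits = "".join(ch for ch in field if ch.isdigit())
    return int(digits) if digits else 0


def _cpu_seconds(field):
    """'0:01:12' -> 72; anything unparsable (e.g. 'N/A') counts as zero."""
    try:
        h, m, s = (int(x) for x in field.split(":"))
    except ValueError:
        return 0
    return h * 3600 + m * 60 + s


def parse_tasklist_csv(text):
    """Normalise `tasklist /FO CSV /V` output into dicts."""
    return [
        {
            "name": row["Image Name"].lower(),
            "pid": int(row["PID"]),
            "mem_kb": _mem_kb(row["Mem Usage"]),
            "cpu_s": _cpu_seconds(row["CPU Time"]),
        }
        for row in csv.DictReader(io.StringIO(text))
    ]


def naive_check(procs):
    """The check a name-only decoy defeats: match on image name alone."""
    return {p["name"] for p in procs if p["name"] in ANALYSIS_PROCESSES}


def hardened_check(procs, signature_status, min_mem_kb=20_000, min_cpu_s=1):
    """Name match plus resource use plus a valid Authenticode signature.

    `signature_status(proc)` must return the Get-AuthenticodeSignature
    Status string for the process image ("Valid", "NotSigned", ...).
    """
    found = set()
    for p in procs:
        if p["name"] not in ANALYSIS_PROCESSES:
            continue
        if p["mem_kb"] < min_mem_kb or p["cpu_s"] < min_cpu_s:
            continue            # a stub with a borrowed name, not a running tool
        if signature_status(p) != "Valid":
            continue            # the vendor's tool would be signed by the vendor
        found.add(p["name"])
    return found


def signature_status_windows(proc):
    """Live signer check for one process (Windows only, needs PowerShell)."""
    cmd = ("(Get-AuthenticodeSignature -FilePath "
           f"(Get-Process -Id {proc['pid']}).Path).Status")
    out = subprocess.run(["powershell", "-NoProfile", "-Command", cmd],
                         capture_output=True, text=True)
    return out.stdout.strip() or "Unknown"


if __name__ == "__main__":
    if sys.platform == "win32":
        listing = subprocess.run(["tasklist", "/FO", "CSV", "/V"],
                                 capture_output=True, text=True).stdout
        status = signature_status_windows
    else:
        listing, status = SAMPLE_TASKLIST, (lambda p: "NotSigned")
    procs = parse_tasklist_csv(listing)
    print("name-only match:", sorted(naive_check(procs)))
    print("hardened match: ", sorted(hardened_check(procs, status)))
```

The resource thresholds are the fragile part curtisblaine mentions (a freshly started Procmon also has little CPU time), which is why the signature status carries most of the weight: a decoy that wants to survive it has to be the real, signed binary, at which point you might as well run the tool, as nubinetwork asked at the top.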
| fancythat wrote:
| This works, I can confirm. The majority of malware treats running
| in a VM as a sign of a researcher doing malware analysis.
|
| I have been recommending doing this for over 10 years now.
| mdip wrote:
| That's where I wonder about a tool like this interfering with
| legitimate software.
|
| For example, I believe the anti-cheat software used by games
| like Fortnite looks for similar things -- my understanding is
| that it, too, will refuse to start when it is executing in a
| VM[0]. As a teenager (90s), I remember several
| applications/games refusing to start when I'd attached a
| tracing process to them. They did this to stop exactly what I
| was doing: trying to figure out how to defeat the software
| licensing code. I haven't had a need to do that since the
| turn of the century but I'd put $10 on that still being a
| thing.
|
| So you end up with a "false positive", and like anti-virus
| software, it results in "denial of service." But does anti-
| virus's solution of "white list it" apply here? At least with
| their specific implementation, it's "on or off", but I wonder
| if it's even possible to alter the application in a way that
| could "white list a process so it doesn't see the 'malware
| defeat tricks' this exposes." If not, you'd just have to
| "turn off protection" when you were using that program. That
| might not be practical depending on the program. It's also
| not likely the vendor of that program will care that "an
| application which pretends it's doing things we don't like"
| breaks their application unless it represents a lot of their
| install base.
|
| [0] I looked into it a few years ago b/c I run Tumbleweed and
| it's a game the kids enjoy (I'm not a huge fan but my gaming
| days have been behind me for a while, now) ... I had hoped to
| be able to expose my GPU to the VM enough to be able to play
| it but didn't bother trying after reading others'
| experiences.
| fancythat wrote:
| You are right, some games, especially multiplayer ones, will
| refuse to work in a VM to prevent cheating, but this is,
| of course, a business decision on their side. You can
| always construct the software in such a way that when it
| detects something suspicious on the system it ceases to
| function: some copy protections looked for a change in the
| network card hardware ID, as developers presumed it is
| highly unlikely someone will change the network interface, but
| that stopped being common when people started using on-
| board interfaces that change with every motherboard change.
|
| There is also a difference when using commercial stuff such
| as VMware instead of QEMU or VirtualBox, as open source is
| more suitable to be tailored to the specific thing, in this
| case, cheating.
|
| In the end, this approach works well for slowing down
| malware, as there is less risk for normal software to allow
| working inside of a VM, in contrast to malware that should be
| coded to be extra paranoid in order to avoid as many tar
| pits as possible.
| hurutparittya wrote:
| What do you mean by 'legitimate software' exactly? If you
| described what a modern anti-cheat solution does to someone
| without telling them what it is, they'd automatically call
| it malware. The similarity really is uncanny. It almost
| feels like the difference between them is more of a
| technicality.
| Dwedit wrote:
| Will this cause actual code signature checks to tell if the EXE
| running is fake or not?
| Copenjin wrote:
| Very nice and well executed idea, but I think that in many cases
| this could be overestimating the competence of the attacker.
| jowea wrote:
| Should make it look like you're Russian too.
| xiaodai wrote:
| not surprised if this is the trojan horse
| webprofusion wrote:
| Next you'll be suggesting that some AV vendors have been known
| to sponsor development of new viruses and malware.
| ttyyzz wrote:
| I also wouldn't download this in 1000 years with no
| additional information and sourcecode / github etc...
| oleg_antonyan wrote:
| To check if your credit card is in scammers' database, please
| enter card number and cvv
| pogue wrote:
| Sounds like a very interesting concept. I'd like to see someone
| actually test this though.
|
| Try running this on a Windows PC with Windows Defender off & just
| Scarecrow running. You could use the MaleX test kit [1] or a set
| of malware such as the Zoo collection [2] or something more
| current. I'd be very interested to see how many malware
| executables stop half way through their installation after seeing
| a few bogus registry entries/background programs running. I'm not
| trying to imply it's worthless, but it needs some actual "real
| world" test results.
|
| [1] https://github.com/Mayachitra-Inc/MaleX [2]
| https://github.com/ytisf/theZoo
| CyberScarecrow wrote:
| Author of scarecrow here. Sweet idea, thank you for sharing.
| What I would really like to do is have some sort of stats in
| the app that shows if it has 'scared' away any malware. But I'm
| not sure how to do that, and work out what other processes on
| the machine have exited because they saw some cyber scarecrow
| indicators in the system's process listing.
| pogue wrote:
| I would assume with a minimalist program like yours, it
| wouldn't have the capability to detect whether anything
| malicious was running on the system. That kind of thing would
| require some more advanced trip wires that would notice when
| certain things were triggered when they shouldn't have been
| or a full blown AV detection engine.
|
| I suppose it could work like Sysinternals Process
| Explorer/Autoruns/etc & submit running hashes to
| Virustotal.com or other databases, but there's always the
| likelihood of false positives with that.
|
| If you search GitHub for "malware samples" there are loads of
| them. vx-underground also has a large collection [1]. So, I
| would go through there & look for commonalities to try and
| find what malware often tries to trigger on startup.
|
| I'll just end with this example of an interesting form of a
| trip wire I've seen in use on Windows PCs: ZoneAlarm makes an
| anti-ransomware tool I can't think of the name of. It placed
| hidden files & folders in every directory on the hard drive.
| It would then monitor if anything tried to access it - as
| ransomware would attempt to encrypt it - and force kill all
| running programs in an attempt to shut down the malware
| before it could encrypt the entire HDD.
|
| [1] https://vx-underground.org/Archive/Collections
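The canary-file trip wire pogue describes above, as an added example that is not part of the thread and not ZoneAlarm's or any vendor's code. The canary file name, the state file and the way a trip is detected are assumptions. Instead of hooking "any access" (which indexers and backup tools trigger all the time), it records a hash of each planted canary and reports the two things an encrypting process does to them: rewrite the contents in place, or rename/remove the file. What to do once a canary trips (pogue's "force kill all running programs") is left as a print so that the detection and the response stay separable.

```python
"""Canary-file ransomware trip wire (added illustration).

Not ZoneAlarm's implementation or any vendor's; file names, planting scheme
and response are assumptions. Plants one random-content decoy per directory,
stores a SHA-256 baseline, and reports canaries that were modified, renamed
or removed.
"""
import hashlib
import json
import os
import secrets
import subprocess
import sys
import tempfile

CANARY_NAME = ".~canary.docx"       # assumed name; leading "." and "~" sort early in most listings
STATE_FILE = ".canary-state.json"   # assumed location of the baseline hashes


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plant_canaries(root, state_path):
    """Write one canary into every directory under root; return {path: sha256}."""
    baseline = {}
    for dirpath, dirnames, _files in os.walk(root):
        dirnames.sort()                       # deterministic order
        path = os.path.join(dirpath, CANARY_NAME)
        with open(path, "wb") as f:
            f.write(secrets.token_bytes(4096))  # random content: nothing to predict or skip
        if sys.platform == "win32":           # hidden + system, like the files described above
            subprocess.run(["attrib", "+h", "+s", path], check=False)
        baseline[path] = _sha256(path)
    with open(state_path, "w") as f:
        json.dump(baseline, f)
    return baseline


def check_canaries(state_path):
    """Return {path: reason} for every canary that no longer matches its baseline."""
    with open(state_path) as f:
        baseline = json.load(f)
    tripped = {}
    for path, digest in baseline.items():
        if not os.path.exists(path):
            tripped[path] = "missing"        # deleted, or renamed with a ransom extension
        elif _sha256(path) != digest:
            tripped[path] = "modified"       # contents rewritten, e.g. encrypted in place
    return tripped


def run_demo():
    """Plant in a throwaway tree, tamper with two canaries, return what check sees.

    Returns (number planted, report before tampering, report after).
    """
    root = tempfile.mkdtemp(prefix="canary-demo-")
    os.makedirs(os.path.join(root, "Documents", "2024"))
    state = os.path.join(root, STATE_FILE)
    baseline = plant_canaries(root, state)
    before = check_canaries(state)
    paths = sorted(baseline)
    with open(paths[0], "ab") as f:          # simulate in-place encryption
        f.write(b"\x00")
    os.replace(paths[-1], paths[-1] + ".locked")   # simulate rename with a ransom extension
    after = check_canaries(state)
    return len(baseline), before, after


if __name__ == "__main__":
    planted, before, after = run_demo()
    print(f"planted {planted} canaries; before tampering: {before}")
    for path, reason in after.items():
        print(f"TRIPPED ({reason}): {path}")   # the response step would hang off this
```

A real deployment would run `check_canaries` on a timer (or from a file-system watcher) and act on the first trip; the choice of response is where false positives bite, since an aggressive "kill everything" reaction to a mis-detected backup job is its own denial of service.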
| webprofusion wrote:
| Source code or it didn't happen.
| bendews wrote:
| Lol, this website is registered to someone in Iceland, despite
| the assurance that it is a "security researcher living in the
| UK". I'm sure the results from this experiment will make a cool
| blog post about pwning tech savvy folks.
| CyberScarecrow wrote:
| That could be the hosting, the website is running on PaaS -
| https://vercel.com
| razakel wrote:
| That's the WHOIS privacy service enabled by default on .com
| domains registered through Namecheap.
| bendews wrote:
| Hmm my Namecheap domains keep the location details even with
| WHOIS privacy enabled. To be fair they are 7+ years old so
| maybe something has changed in that time?
| popcalc wrote:
| You can still apologize by editing your parent comment.
| Humility is a gift.
| hluska wrote:
| So you don't actually know what you're doing but still feel
| fit to rip on op for it? "Lol" indeed...
| puppycodes wrote:
| I'm confused about the tradeoff of not running the software that
| you're pretending to be running? Most AV definitely feels like
| malware itself so maybe that's your point? But it would probably
| be better to run good software than fake bad software?
| JoosToopit wrote:
| But there is no good software for defense. They either
| introduce obstacles while being barely useful or are useful,
| introduce obstacles for you and are proprietary and thus are
| malicious by design.
| ale42 wrote:
| Like keeping Process Monitor open all the time? Not very
| convenient, especially for the average user.
| tazjin wrote:
| Cat, meet mouse.
| dogben wrote:
| A simple magic is to set system language and locale to Russian.
| Etheryte wrote:
| Yes, but then your system is in Russian which is pretty much
| the same as having malware.
| Epskampie wrote:
| Yes very simple! Not a problem whatsoever with that. ia ne
| govoriu po-russki ("I don't speak Russian")
| sunaookami wrote:
| A simple magic is using an operating system that is not full of
| security holes by an incompetent vendor.
| mschuster91 wrote:
| As much as I'd love to see something like this everywhere, the
| problem is it's useless for everyone who loves to play online
| games or watch DRM-encumbered content, so the majority of the
| population... because DRM, anticheat and malware all fear the
| same set of tools/indicators.
| CyberScarecrow wrote:
| Author of scarecrow here. Very good point, I hadn't thought
| about that.
| self_awareness wrote:
| Solution: temporary "game mode" that disables most
| protections that can impact DRM, or a custom rule engine that
| disables protections if some application is detected to be
| running (e.g. fortnite.exe or something), but this second
| method should be done manually by the user.
| marcodiego wrote:
| > everyone who loves to play online games or watch DRM-
| encumbered content, so the majority of the population...
|
| It is sad to hear that. In my view DRM = malware.
| mrjin wrote:
| I'm wondering since when software can be scared?
| Wowfunhappy wrote:
| Software _authors_ can be scared and their timidity can be
| reflected in the behavior of their software.
| swarnie wrote:
| I wonder if you can make malware think your language and keyboard
| layout is Russian without having to endure the setup, that's been
| known to deter some nasty stuff.
| Retr0id wrote:
| > When hackers install malicious software on a compromised
| victim, they first check to make sure its safe for them to run.
| They don't want to get caught and avoid computers that have
| security analysis [...] tools on them.
|
| Game anti-cheat code makes similar checks (arguably it _is_
| malware, but that's beside the point). So, running this _might_
| put you at risk of getting banned from your favourite game.
| mrweasel wrote:
| Get a PTR record for your IP, let it resolve to
| honeypot087.win.internal.security.example.com, that will make
| your IP less interesting... To some people
| thrdbndndn wrote:
| One of the references in "How does it work" [1] mentions that
| some hackers will not mess with computers with a Russian keyboard,
| so you can add one to reduce your chance of getting hacked.
|
| Hilarious aside, it would only work if you don't actually use
| multiple keyboards -- otherwise an additional one would make
| switching between multiple keyboards very annoying [*].
|
| It also mentions some other changes like adding RU keywords to
| your registry. Again, these measures would have many side effects
| since lots of software actually uses these registry entries for
| legit reasons. So I don't know if this Cyber Scarecrow product
| would have this problem, since it modifies the registry, too.
|
| 1: https://krebsonsecurity.com/2021/05/try-this-one-weird-
| trick...
|
| *: A little rant: as someone who uses three virtual keyboards
| (English, Chinese, Japanese), it is already a pain in the ass to
| switch them since MS does not follow "last used" switching order
| (like alt+tab). Instead, it just switches in one direction.
| Sebb767 wrote:
| > A little rant: as someone who uses three virtual keyboards
| (English, Chinese, Japanese), it is already a pain in the ass to
| switch them since MS does not follow "last used" switching
| order (like alt+tab). Instead, it just switches in one
| direction.
|
| Actually, I much prefer this order. Depending on what keyboard
| I currently use, I know exactly how often to switch instead of
| having to remember what I used previously. In fact, I don't
| even like this order when Alt+Tab'ing, it makes switching
| between more than two windows pretty inconsistent (yes, I know
| Windows+Number works, too).
| thrdbndndn wrote:
| Yeah, I get your point, it's indeed a trade off.
|
| Having "last used" order makes quickly switch between two
| windows very easy, which is something I _personally_ use
| more. It's easier than pressing alt+tab/shift+alt+tab
| alternately.
|
| To switch to the third window, you can use alt+tab+tab.
| kazinator wrote:
| > _MS does not follow "last used" switching order_
|
| Furthermore:
|
| 1. The Shift+Alt chord is obnoxiously unreliable, sensitive to
| which key comes down first, or something.
|
| 2. Japanese is always coming up in A mode even though you last
| had it in あ mode.
|
| 3. Bad performance: sllllow language switching at times: you
| hit some keyboard sequence for changing languages or modes
| within a language, and nothing happens. This interacts with
| (2): did we hit an unreliable chord? Or is it just slow to
| respond?
| thrdbndndn wrote:
| I have to use a 3rd party Japanese IME precisely because of
| 2. No idea why they haven't added an option for it to
| default to あ mode.
|
| Also, in ANY modern Chinese IME (Microsoft or 3rd party),
| switching between English/Zhong Wen mode is simply pressing
| shift once. You still have to use alt+` for that in JP IME,
| which I find unbearable.
| poincaredisk wrote:
| Small correction: not "some hackers", but some malware families
| (the difference being that the check is automatic). And
| honestly, not "some" but "most of them" :).
|
| Though I often see this implemented by calling
| GetKeyboardLayout, so this will only work if you actually use
| the Russian (or neighbourly) layout when malware detonation
| happens.
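An added example, not code from Cyber Scarecrow or from the Krebs article, that reproduces the two layout checks poincaredisk distinguishes: the layout that is active right now (GetKeyboardLayout) versus the list of installed layouts (GetKeyboardLayoutList). Run it in Windows PowerShell before and after adding a Russian layout and it shows which flavour of the "one weird trick" an installed-but-unused layout actually satisfies, which is the caveat raised above about adding a keyboard you never switch to. The table of "CIS" primary language IDs is my own approximation built from the LANG_* constants in winnt.h, not the list any particular malware family uses, and the `-AddRussian` switch is a convenience I added.

```powershell
#Requires -Version 5.1
# Added example (not Cyber Scarecrow's code): reproduce the two keyboard-layout
# checks seen in malware and show which one an installed-but-inactive Russian
# layout satisfies. Windows only.
param([switch]$AddRussian)

Add-Type -Namespace Win32 -Name Kbd -MemberDefinition @'
[DllImport("user32.dll")] public static extern IntPtr GetKeyboardLayout(uint idThread);
[DllImport("user32.dll")] public static extern int GetKeyboardLayoutList(int nBuff, [Out] IntPtr[] lpList);
'@

# Primary language IDs (LANG_* from winnt.h) for the post-Soviet languages that
# usually appear on these lists. Assumed approximation, not copied from any sample.
$CisPrimaryLangs = @{
    0x19 = 'Russian'; 0x22 = 'Ukrainian'; 0x23 = 'Belarusian'; 0x3F = 'Kazakh'
    0x2B = 'Armenian'; 0x2C = 'Azerbaijani'; 0x37 = 'Georgian'; 0x28 = 'Tajik'
    0x40 = 'Kyrgyz'; 0x42 = 'Turkmen'; 0x43 = 'Uzbek'; 0x44 = 'Tatar'
}

# An HKL carries the LANGID in its low 16 bits; the low 10 bits of a LANGID are
# the primary language (the sublanguage lives in the top 6 bits of that word).
function Get-PrimaryLang([IntPtr]$Hkl) { [int]($Hkl.ToInt64() -band 0x3FF) }

function Get-LayoutName([IntPtr]$Hkl) {
    $p = Get-PrimaryLang $Hkl
    $name = if ($CisPrimaryLangs.ContainsKey($p)) { $CisPrimaryLangs[$p] } else { 'other' }
    '0x{0:X8} (langid 0x{1:X4}, {2})' -f $Hkl.ToInt64(), ($Hkl.ToInt64() -band 0xFFFF), $name
}

if ($AddRussian) {
    # Adds ru-RU to the user's language list (International module, Win8+).
    # New processes see the extra layout; the active layout does not change.
    $langs = Get-WinUserLanguageList
    if (-not ($langs | Where-Object LanguageTag -eq 'ru-RU')) {
        $langs.Add('ru-RU')
        Set-WinUserLanguageList $langs -Force
        Write-Host 'Added ru-RU; open a new console and re-run to see it in the installed list.'
    }
}

# Check 1: the layout currently active on this thread (GetKeyboardLayout(0)).
$active = [Win32.Kbd]::GetKeyboardLayout(0)

# Check 2: every layout installed for the session (GetKeyboardLayoutList).
$count = [Win32.Kbd]::GetKeyboardLayoutList(0, $null)
$installed = New-Object IntPtr[] $count
[void][Win32.Kbd]::GetKeyboardLayoutList($count, $installed)

$activeHit = $CisPrimaryLangs.ContainsKey((Get-PrimaryLang $active))
$listHit   = @($installed | Where-Object { $CisPrimaryLangs.ContainsKey((Get-PrimaryLang $_)) }).Count -gt 0

"Active layout:    $(Get-LayoutName $active)"
"Installed layouts:"
$installed | ForEach-Object { "  $(Get-LayoutName $_)" }
""
"GetKeyboardLayout-style check would bail out:     $activeHit"
"GetKeyboardLayoutList-style check would bail out: $listHit"
```

On a machine with only an English layout both lines print False; after `-AddRussian` and a fresh console, only the GetKeyboardLayoutList line flips to True, which is exactly the gap poincaredisk describes: a sample that calls GetKeyboardLayout keeps running unless Russian is the layout you are typing with when it detonates.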
| efilife wrote:
| Genius! Weird nobody invented this before
| efilife wrote:
| Ok, but why isn't this open source? If it only creates some
| processes that don't do anything, there's nothing to hide, really
| tr33house wrote:
| this +100 I can't just let some random exe run on my machine
| with nothing but claims from the author.
|
| In my head, I'm also wondering why a botnet wouldn't just want
| to take over such a machine because they know for sure that
| it's a scarecrow. But security by obscurity is no way to
| instill trust here
| rantee wrote:
| Claims by an unidentified author(s) replying to comments with
| a 4-hour old HN account.. How did this make it to the front
| page other than the catchy name?
| stefanve wrote:
| I get the idea, but the "science" is based on reports; it doesn't
| look like this has been tested with actual malware. Would be
| interesting to know how well it works
|
| Also make it OSS and ask for donations. Not sure what your
| feature earning model is, but it seems easy to replicate and, as
| pointed out several times, right now it asks you to blindly trust it
| salzig wrote:
| Next Iteration: malware checks for scarecrow and starts anyways
| ^^
| khaki54 wrote:
| Kind of like instead of buying $10k ADT home security system,
| just buy the sign for $20 and put it in the front yard.
| vntok wrote:
| Good analogy, except putting up the sign actually works because
| there isn't any other layer around it... whereas putting up
| IOCs onto your Microsoft Windows OS will trigger Windows
| Defender, any SIEM, and generally speaking most security-
| oriented software worth its salt.
| mafriese wrote:
| I don't understand why the software is built how it's built. Why
| would you want to implement licensing in the future for a
| software product that only creates fake processes and registry
| keys from a list: https://pastebin.com/JVZy4U5i . The limitation
| to 3 processes and license dialog make me feel uncomfortable
| using the software. All the processes are 14.1MB in size (and
| basically the scarecrow_process.dll -
| https://www.virustotal.com/gui/file/83ea1c039f031aa2b05a082c...).
| I just don't understand why you create such a complex piece of
| software if you can just use a Powershell script that does
| exactly the same using less resources. The science behind it only
| kinda makes sense. There is some malware that uses techniques
| to check if those processes are running, but by no means
| is this a good way to keep you protected. Most common malware
| like credential stealers (redline, vidar, blahblah) don't care
| about that and they are by far the most common type of malware
| deployed. Even ransomware like Lockbit doesn't care, even if it's
| attached to a debugger. I think this mostly creates a false sense
| of security and if you plan to grow a business out of this, it
| would probably only take hours until there would be an open
| source option available. Don't get me wrong - I like the idea of
| creating new ways of defending against malware, what I don't like
| is the way you try to "sell" it.
| kazinator wrote:
| They know that if this idea catches on, a dozen completely free
| imitations will crop up, so ... the time to grab whatever cash
| can be squeezed out of this is now.
| GordonS wrote:
| If something like this catches on, attackers will simply
| start checking the digital signature of the processes, to
| ensure they are genuine.
| umvi wrote:
| McAfee/Norton/etc. could license signed "scarecrow"
| versions of their products for use with something like this
| so that it's impossible for the malware to distinguish a
| scarecrow version of McAfee from the real thing (and they
| would get a cut/kickback).
|
| I would pay a small amount for a scarecrow version of AV
| software if a) it had zero footprint on my system
| resources, and b) it really did scare away malware that
| checks for such things.
|
| Either way, though, it makes malware more onerous to
| develop since it has to bundle in public keys in order to
| verify running processes are correctly signed.
| jart wrote:
| Are you telling me this thing spawned 50 new processes on your
| computer? Could you zip up all the executable files and
| whatever it installed and upload it somewhere so we can analyze
| the assembly?
| mafriese wrote:
| This "thing" is always spawning 3 processes at a time. The
| processes are always the ones from the virustotal link. I can
| upload the DLL to a file sharing service of your choice if
| you don't have a VT premium license. I can also provide an
| any.run link: https://app.any.run/tasks/bc557b04-5025-46a1-a6
| 83-aad3b29b9a... (installer) https://app.any.run/tasks/e257e7
| f2-7837-4ed1-93c8-5d617d75cc... (zip file containing the
| files). Let me know if you need further info :).
| jart wrote:
| Is there a way for me to curl their executable into my UNIX
| terminal so I can read the assembly? Or does Any Run keep
| the samples to themselves? I know a lot about portable
| executable but very little about these online services.
| mafriese wrote:
| https://github.com/mafriese/scarecrow Can upload any
| files you want there. Direct DL for one of the files:
| https://github.com/mafriese/scarecrow/raw/main/autoruns.exe
| batch12 wrote:
| To your point, I made this a few years ago using powershell. I
| just created a stub .exe using csc on install and renamed it to
| match a similar list of binary names. Maybe I will dig it up...
| batch12 wrote:
| I uploaded it here. I haven't tested it in years though-
| https://github.com/0xDigest/odoshi
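The PowerShell version mafriese says would do the same job as the installer, built the way batch12 describes above (compile an idle stub with csc, copy it under analysis-tool names and run it). This is an added example, not Cyber Scarecrow's code and not batch12's script; the process names and registry keys are the usual VM-guest and analysis-tool indicators, chosen by me, not the tool's list from the pastebin. It needs an elevated Windows PowerShell 5.1 console because the decoy keys live under HKLM.

```powershell
#Requires -Version 5.1
#Requires -RunAsAdministrator
# Added example (not Cyber Scarecrow's code). Plants the kind of artifacts
# sandbox-aware malware looks for: idle processes named like analysis tools and
# VM guest services, plus the registry keys those guest tools normally create.
# Usage:  .\Fake-Analysis.ps1            (plant)
#         .\Fake-Analysis.ps1 -Remove    (clean up)
param([switch]$Remove)

$Dir = Join-Path $env:ProgramData 'FakeAnalysis'

# Assumed list of commonly checked image names; adjust to taste.
$ProcessNames = 'procmon.exe', 'procexp.exe', 'x64dbg.exe', 'ollydbg.exe',
                'wireshark.exe', 'idaq64.exe', 'VBoxService.exe', 'vmtoolsd.exe'

# Keys written by VirtualBox Guest Additions and VMware Tools; malware that
# refuses to run inside a VM usually tests for one of these.
$RegistryKeys = @{
    'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions' = @{ Version = '7.0.0' }
    'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'         = @{ InstallPath = 'C:\Program Files\VMware\VMware Tools\' }
}

function Remove-Artifacts {
    foreach ($name in $ProcessNames) {
        Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($name)) -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -like "$Dir\*" } | Stop-Process -Force
    }
    foreach ($key in $RegistryKeys.Keys) { Remove-Item -Path $key -Recurse -ErrorAction SilentlyContinue }
    Remove-Item -Path $Dir -Recurse -ErrorAction SilentlyContinue
}

if ($Remove) { Remove-Artifacts; return }

New-Item -ItemType Directory -Path $Dir -Force | Out-Null

# Compile a stub that just sleeps forever. csc.exe ships with the .NET Framework
# that Windows PowerShell 5.1 runs on; /target:winexe means no console window.
$csc = Join-Path ([Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()) 'csc.exe'
if (-not (Test-Path $csc)) { throw "csc.exe not found at $csc; run under Windows PowerShell 5.1" }
$src  = Join-Path $Dir 'stub.cs'
$stub = Join-Path $Dir 'stub.exe'
@'
class Stub {
    static void Main() { System.Threading.Thread.Sleep(System.Threading.Timeout.Infinite); }
}
'@ | Set-Content -Path $src
& $csc /nologo /target:winexe "/out:$stub" $src | Out-Null
if (-not (Test-Path $stub)) { throw 'compilation failed' }

# One copy per decoy name, so the process name and image path both look right.
foreach ($name in $ProcessNames) {
    $exe = Join-Path $Dir $name
    Copy-Item -Path $stub -Destination $exe -Force
    if (-not (Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($name)) -ErrorAction SilentlyContinue |
              Where-Object { $_.Path -eq $exe })) {
        Start-Process -FilePath $exe -WindowStyle Hidden
    }
}

foreach ($key in $RegistryKeys.Keys) {
    New-Item -Path $key -Force | Out-Null
    foreach ($value in $RegistryKeys[$key].GetEnumerator()) {
        New-ItemProperty -Path $key -Name $value.Key -Value $value.Value -PropertyType String -Force | Out-Null
    }
}

"Planted $($ProcessNames.Count) decoy processes under $Dir and $($RegistryKeys.Count) registry keys."
```

`Get-Process procmon, x64dbg` afterwards shows the decoys; `-Remove` stops them and deletes the keys and the directory. Two caveats the thread raises still apply: anti-cheat and DRM look for the same indicators, so do not run this on a gaming machine, and the stealers and ransomware behind most infections do not make these checks at all. The decoys are unsigned and 14 KB of sleep, so anything that verifies an Authenticode signature or looks at the image on disk will see through them.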
| victor22 wrote:
| Because this is a bullshit idea and a bullshit product lol
| wruza wrote:
| Why does malware "stop" if it sees AV? Sounds as if it wanted to
| live, which is absurd. A shady concept overall, cause if you
| occasionally run malware on your pc, it's already over.
|
| Downloading a random exe from a noname site/author to scare
| malware sounds like another crazy security recipe from your
| layman tech friend who installs registry cleaners and toggles
| random settings for "speed up".
| bux93 wrote:
| Take malware that is part of a botnet. Its initial payload is
| not necessarily damaging to the host, but is awaiting
| instructions to e.g. DDoS some future victim.
|
| The authors will want the malware to spread as far and wide as
| it can on e.g. a corporate network. So they need to make a risk
| assessment; if the malware stays on the current computer, is
| the risk of detection (over time, as the AV software gets
| updates) higher than the opportunity to use this host for
| nefarious purposes later?
|
| The list[1] of processes simulated by cyber scarecrow is mostly
| related to being in a virtual machine, though. Utilities
| like procmon/regmon might indicate the system is being used by
| a techie. I guess the malware author's assumption is that these
| machines will be better managed and monitored than the
| desktop/laptop systems used by office workers.
|
| [1] https://pastebin.com/JVZy4U5i
| jeroenhd wrote:
| Many pieces of malware are encrypted and obfuscated to
| prevent analysis. Often, they'll detect virtual machines to
| make it harder for people to analyse the malware. Plenty of
| malware hides the juicy bits in a second or third stage
| download that won't trigger if the dropper is loaded inside
| of a VM (or with a debugger attached, etc.).
|
| Similarly, there has also been malware that will deactivate
| itself when it detects signs of the computer being Russian;
| Russia doesn't really care about Russian hackers attacking
| foreign countries (but they'll crack down on malware
| spreading within Russia, when detected) so for Russian
| malware authors (and malware authors pretending to be
| Russian) it's a good idea not to spread to Russian computers.
| This has the funny side effect of simply adding a Russian
| keyboard layout being enough to prevent infection from some
| specific strains of malware.
|
| This is less common among the "download trustedsteam.exe to
| update your whatsapp today" malware and random attack scripts
| and more likely to happen in targeted attacks at specific
| targets.
|
| This tactic probably won't do anything against the kind of
| malware that's in pirated games and drive-by downloads (which
| is probably what most infections are) as I don't think the VM
| evasion tactics are necessary for those. It may help protect
| against the kind of malware human rights activists and
| journalists can face, though. I don't know if I'd trust _this
| particular_ piece of software to do it, but it 'll work in
| theory. I'm sure malware authors will update their code to
| detect this software if this approach ever takes off.
| joshstrange wrote:
| > Why does malware "stop" if it sees AV? Sounds as if it wanted
| to live, which is absurd.
|
| Malware authors add in this feature so that it's harder for
| researchers to figure out how it works. They want to make
| reverse engineering their code more difficult.
|
| I agree with everything else you said.
| crazygringo wrote:
| Does it really make it that much more difficult?
|
| If these were laypeople that would then give up, sure.
|
| But I'm surprised that it's even worth malware authors' time
| to put in these checks. I can't imagine there's even a single
| case of where it stopped malware researchers in the end.
| What, so it takes the researchers a few hours or a couple of
| days longer? Why would malware authors even bother?
|
| (What I _can_ understand is malware that will spread through
| as many types of systems as possible, but only "activate"
| the bad behavior on a specific type of system. But that's
| totally different -- a whitelist related to its intended
| purpose, not a blacklist to avoid security researchers.)
| nic547 wrote:
| It's not about the usual AV software, but about "fake" systems
| used to try and detect and analyse malware. AV vendors and
| malware researchers in general use such honeypots to find
| malware that hasn't been identified yet.
|
| This software seems to fake some indicators that are used by
| malware to detect whether they're on a "real system" or a
| honeypot.
| qwery wrote:
| It's not really about "normal" antivirus programs, but tools
| used by security researchers. It's well-known that more
| sophisticated malware often tries to avoid scrutiny by not
| running, or masking their intended purpose if the environment
| looks "suspicious".
|
| A paranoid online game like e.g. Test Drive Unlimited, might
| not launch because the OS says it's Windows Server 2008 (ask me
| how I know). A script in a Word document might not deliver its
| payload if there are no "recently opened documents".
|
| The idea with this thing is to make the environment look
| suspicious by making it look like an environment where the
| malware is being deliberately executed in order to study its
| behaviour.
| RockRobotRock wrote:
| Even back in my script kiddy days, 10 years ago, I remember
| RATs and cryptors would all have a kill switch option if it
| detected it was running on a VM.
| makach wrote:
| legit, or best malware install attempt ever? assume all is good
| if you detect the cyberscarecrow process? how can this have a
| long-term effect?
|
| if you have malware probing your processes to decide if it can
| run or not you have a very serious problem regardless of whether
| it decides to run or not, there is an entrance to your systems
| you don't know about.
| sneak wrote:
| > _Scarecrow creates registry entries to make it look like
| security tools are installed on your computer._
|
| Best simple anti-malware technique: don't run Windows.
| forty wrote:
| Arguably it's the second best, after: don't use computers
| forty wrote:
| I guess the indicators used largely overlap with the ones used by
| anti-cheat software, so you probably want to think twice before
| using that on your gaming pc :)
| account42 wrote:
| Or you could just choose to not play games that require you to
| install malware.
| rvnx wrote:
| Once you are banned by the anti-cheat because of false
| positive, this is going to be an easy decision to make
| forty wrote:
| Yes in a way the problem is self resolving :)
| SamuelAdams wrote:
| Another simple trick is to add the Russian or Ukraine virtual
| keyboard to your OS. I'm curious if this tool does this as well.
|
| https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...
| SXX wrote:
| Except now it's a bad idea. Like some malware from either country
| can decide to format your drives just for fun.
| marcodiego wrote:
| I call BS. How it works says: "When hackers install malicious
| software on a compromised victim, they first check to make sure
| its safe for them to run."; Download asks for e-mail and name; does
| not seem multiplatform, and I would never install anything like
| that on my computer in a dream unless it were open source.
| davikr wrote:
| It's very platform-dependent, because for each one there are
| different ways in which a virus checks for markers that it's
| being analysed - for instance, if it's being run in a VM, it
| might check registry entries, check for Guest-Host drivers or
| whatever, on Windows. Still, I wouldn't trust something like
| this if it asks for PII, isn't open-source and leaves traces
| around on the disk.
| poincaredisk wrote:
| I'm a malware researcher and reverse engineer for a living.
| This is absolutely true, but oversimplified. Focus on
|
| >They don't want to get caught and avoid computers that have
| security analysis or anti-malware tools on them.
|
| Malware doesn't want to run in a sandbox environment (or in
| general when observed), because doing malicious things in the
| AV sandbox is a straight way to get blocked, and leaks C2
| servers and other IoCs immediately. That's why most malware
| families[1] at least try to check if the machine they're
| running on is a sandbox/researcher pc/virtual machine.
|
| I assume this is what this tool does. We joke at work that the
| easiest thing to do to make your windows immune to malware is
| to create a fake service and call it VBoxSVC.
|
| [1] except, usually, ransomware, because ransomware is very
| straightforward and doesn't care about stealth anyway.
| dns_snek wrote:
| While this is a really interesting idea, and assuming that it's
| actually completely safe, the irony is that it looks _exactly_
| like what I would expect a trojan to look like - somewhat vague
| promises of security that could be interpreted as snake oil,
| conveniently packaged as an EXE with scant information about
| who's behind it, what it does, and no way to verify any of it. No
| offense to the authors :)
| mdip wrote:
| Outside of the authorship/open-source fears[0], this is one of
| the more interesting ideas to surface in anti-virus.
|
| Facing reality: anti-malware tooling is inadequate -- so
| inadequate, I haven't found a reason to purchase it for the one
| Windows machine I still have. People say "Defender works well
| enough, now!" and I think that's a pretty adequate way of
| describing it in that anti-malware has an impossible job and that
| is evident by every vendor's failure to succeed at it. So why pay
| for it?
|
| It's _always_ a cat-and-mouse game. This is an interesting
| approach, though, because it could shift the balance a little
| bit. Anti-malware's biggest problem is successfully identifying
| a threat while minimally interfering with the performance of an
| application. A mess of techniques are used to optimize this but
| when a file has to be scanned, it's expensive. It'd be
| interesting to see if it'd be possible to eliminate some variants
| of malware from on-demand scanning "if this tool defeats the
| malware as effectively", pushing scanning for those variants to
| an asynchronous process that allows the executable to run while
| it is being scanned.
|
| I can see a lot of the problems with this kind of
| optimization[1]: it turns a "layer in the onion" into a
| replacement for an existing function which has more unknowns as
| far as attacks are concerned. Creating the environmental
| components required to "trick the malware" may be more expensive
| than just scanning. White-list scenarios may not be possible: I
| suspect anti-cheat services and potentially legitimate commercial
| software might be affected, as well[2] ... getting them to white-
| list a tool like this won't be easy unless the installed base is
| substantial. I suspect that "hiding the artifacts this tool
| creates to trick malware" from a white-listed processes might be
| impossible.
|
| For at least a brief moment, this might be a useful tool in
| preventing infections from unknown threats. Brief, because -- by
| the author's own admissions (FAQ) -- it will devolve into a cat-
| and-mouse game if the tool is popular enough. There's another
| cat-and-mouse game, though. If this technique isn't resource
| intensive while offering protection somewhere in line with what
| it would take to implement, all of the anti-virus vendors will
| implement it -- including Microsoft. And they will be seen by
| customers as far better equipped to play "cat" or at least "the
| choice you won't get fired over."
|
| And that's where it makes a _whole lot of sense_ to open-source
| the product. It's a clever idea with a lot of unknowns and a
| very low likelihood of being a business. Unless it's being
| integrated into a larger security suite (same business
| challenges, but you have something of "a full product" as far as
| your customers are concerned), its only value (outside of purely
| altruistic ones) would be either "popping the tool on the
| author's related business's website" to bring people to a related
| business/service or as a way to promote the author's skill set
| (for consulting/resume reasons). I'm not arrogant enough to say
| there's _no way_ to make money from it, I just can't see it --
| at least, not one that would make enough money to offset the cost
| of the "cat and mouse" game.
|
| [0] Which, yeah, "I wouldn't run it on my computer" but I give
| the authors enough of the benefit of the doubt that "it's new"
|
| [1] Not the least of which being that I do not author AV software
| so I have nothing to tell me that any of my assumptions about on-
| demand scanning are correct.
|
| [2] It used to be a common practice to make reverse engineering
| more difficult.
| dncornholio wrote:
| This software pings home. Also uses .NET which is complete
| overkill for such a simple app.
|
| Would not recommend installing. It's someone's hobby project that
| runs as administrator.
| neonsunset wrote:
| What would you use instead?
| sim7c00 wrote:
| "Fake Processes. Scarecrow will create a number of background
| processes that don't do anything, but look like security research
| tools. Fake registry entries. Scarecrow creates registry entries
| to make it look like security tools are installed on your
| computer."
|
| I'd be interested to see this tested, there's tons of good
| malware repos out there like vx-underground's collections that
| can be used to test it.
|
| If you don't wanna share the source, somewhat logical. Perhaps run
| a test versus gigabytes of malware samples and let us know which
| ones actually query these process names / values you create and
| disable themselves as a result??
| etrvic wrote:
| I decided to use Bitdefender a few months ago because I suspected
| my Mac had malware. I was right, there was adware in the
| firefox files so it did its job.
|
| But, my experience with the antivirus was horrible. When I first
| opened the app there were popups everywhere advertising for their
| other products, and the overall ui didn't look trustworthy.
|
| I am no security expert, so I'm asking: is this the best way to
| deal with malware?
| andrei-akopian wrote:
| Not get it in the first place.
|
| Not an expert myself, but I think cleaning up and reinstalling
| your whole OS once in a while probably deals with malware.
| marcodiego wrote:
| https://xkcd.com/272/
| poopcat wrote:
| That is a very fun logo.
| 999900000999 wrote:
| Neat.
|
| But this literally comes off as probably being malware itself.
|
| If you're going to ship something like this, it needs to be open
| source preferably with a GitHub pipeline so I can see the full
| build process.
|
| You also run into the elephant repellent problem. The best
| defense to malware will always be regular backups and a
| willingness to wipe your computer if things go wrong.
| bglazer wrote:
| elephant repellent problem? What is that?
|
| This is literally the first occurrence of that string on the
| internet.
| jkingsman wrote:
| Better known as the Elephant Repellent Fallacy -- a claim
| that a preventative is working when, in fact, the thing it
| prevents rarely or never happens anyway.
|
| "Hey you better buy my elephant repellent so you don't get
| attacked!"
|
| 'Okay.'
|
| ...
|
| "So were you attacked?"
|
| 'No, I live in San Francisco and there are no wild
| elephants."
|
| "Well, I guess the repellent is working!"
| dlivingston wrote:
| Also known as the Anti-Tiger Rock:
| https://youtu.be/xSVqLHghLpw?si=fRraLZJ9q_rDR-UV
| burnished wrote:
| I know this as 'Moms cooking drove the vampires away'
| cootsnuck wrote:
| https://chatgpt.com/share/16f27556-5766-4728-8245-9909d18037...
|
| We need a chatGPT version of LMGTFY...
| mdip wrote:
| Setting aside the concerns with this specific implementation and
| thinking more of "the idea" I think the biggest concern is this
| sort of application causing legitimate software to fail to run[0]
| and how one would "white-list" an application from seeing these
| "fake artifacts designed to trick malware."
|
| The problem is "the fake components" would have to be prevented
| from being detected by legitimate software and the only way I can
| think to do that would be to execute everything in a sandbox that
| is capable of: (a) hiding some contained running processes (the
| fake ones) from the rest of the OS while (b) allowing the
| process that "sees the fake stuff" to be seen by everything else
| "like any old process."
|
| Applying ACLs (and restricting white-listed processes) might work
| in some cases; might equally just be seen as a permissions
| problem and result in a nonsensical error (because the developers
| never imagined someone would change the permissions on an obvious
| key), or it might be that the "trick" employed is "Adding a
| Russian Keyboard" which _can_ be very disruptive to the user "if
| they use more than one input language" or "is one of those places
| where a program may read from there never expecting to encounter
| an error."
|
| A lot of this seems like it would require use of containerization
| -- docker/docker-like -- for Windows apps. I'm familiar with a
| few offerings here and there, but I've worked with none of them
| and I run Linux more than Windows these days. So my questions
| really boil down to:
|
| Where's Windows containerization at? Would it be possible to run
| an application in a docker or docker-like container with a
| Windows kernel which can have its environment controlled in a
| manner that is more transparent to the application running within
| the container? Is there any other approach which would allow for
| "non-white-listed applications" to run containerized and "see the
| Scarecrow artifacts", while allowing the white-listed
| applications[1] to run outside of the container in a manner that
| hides _some_ of the processes within the container. Can it do all
| of that in a manner that couldn't be defeated by repeating the
| same "check" immediately after confirming an Elevation dialog[2]
| from the white-listed application?
|
| Again, that's assuming "this is a brilliant idea" -- and there's
| some evidence that as a concept, at least, it would help
| (ignoring this particular implementation of the idea), but it
| still suffers from its success, so the extent that it helps/is
| adopted equates to how long any of these techniques aren't
| defeated. And just from the sense I get of the complexities
| required to "implement this in a manner that legitimate software
| won't fail, too", I suspect it will be easier to defeat a tool like
| this than it will be to protect against its defeat. In other
| words, the attacker is a healthy young cat chasing a tired old
| mouse.
|
| [0] Anti-cheat being the most obvious, but those are often
| indistinguishable from malware. I'd encountered plenty of
| games/apps in the 90s that refused to run when I ran software to
| trace aspects of their memory interaction. I had some weird
| accounting app that somehow figured out when _my own code_ (well,
| code I mostly borrowed from other implementations) was used for
| the same purpose.
|
| [1] The assumption being that "a legitimate application which
| does these kinds of checks" is also likely to refuse to run
| within a container unless it's _impossible_ to detect the
| container as reliably as everything else (and vendors are
| completely tolerant of false positives if the affected customers
| don 't represent enough in terms of profit, or the solution is
| "don't run that unusual security software when you run ours").
|
| [2] I've seen it enough with Easy Anti-cheat that I just click
| "Yes" like a drone. There was at least one occasion when it
| popped up after I had installed some developer tooling but _not_
| had a game update come down between launches. Because it was a
| huge install, it may just have been that the game detected that.
| I have no idea _why_ this happens -- on a few occasions, I had no update
| applied between loads but had installed other software so it
| could have been "to fix something that software broke" but it
| could also have been "to re-evaluate the environment as an
| administrator because something changed enough on the system to
| warrant a re-check that it is still compliant with the rules"
| wizzwizz4 wrote:
| > _Where's Windows containerization at?_
|
| Doesn't exist. Not even UAC is a reliable security boundary.
| Likely, it will never exist.
|
| > _Is there any other approach which would allow for "non-
| white-listed applications" to run containerized and "see the
| Scarecrow artifacts",_
|
| Sounds a bit like WoW64. It should be easy enough to replicate
| this behaviour with a rootkit. However, the software would
| always be able to peek behind the curtain.
|
| > _In other words, the attacker is a healthy young cat chasing
| a tired old mouse._
|
| I always thought of the attackers as the mice, and anti-malware
| folk as the cats.
| MrVandemar wrote:
| No Linux version?
|
| :-)
| richwater wrote:
| Anyone who downloads this is a moron.
| flerchin wrote:
| Krebs said that some malware checks for a Cyrillic keyboard to
| try and geo target outside of the country of operation. This
| seems to be the same type of thing.
|
| https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...
| vntok wrote:
| Other malware checks for a Cyrillic keyboard to try and geo
| target _inside_ of the country of operation.
| m3kw9 wrote:
| Does it really work? Let's see some stats
| moi2388 wrote:
| "It's a trust thing"
|
| Yeah. That won't work for anything security related, I'm afraid.
| mistercheph wrote:
| More likely than not this is malware
| TurkishPoptart wrote:
| I've heard one thing that motivates malware to ignore your
| computer is having a Russian keyboard installed.
| https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...
| s1mplicissimus wrote:
| Hahaha it's such a lovely idea! Turning the opponent's detection
| against them, I very much dig it!
|
| Here's a caveat though: Attackers will at some point notice
| scarecrows and simply work around them. Now suuure, if you have a
| better lock than your neighbours, that decreases your chances of
| getting broken into, but in the end this is a classic "security
| by obscurity" measure. So if your time and computer/data is
| valuable, I would rather invest in other security measures
| (firewall, awareness training, backups etc.).
| checjsout wrote:
| I wonder if it would trick the compliance department into
| thinking my computer is safe and leave it alone.
| no-dr-onboard wrote:
| Fun concept, but this is security by obscurity. Other heuristics:
|
| - providing fake manifests to hardware drivers commonly
| associated with virtual machines
| - active process inspector handles
| - presence of any software signed by hexrays (the ini file is
| usually enough)
| bhelkey wrote:
| > Fun concept, but this is security by obscurity.
|
| Malware uses signals to determine if it is running in a VM.
| If we can degrade those signals, they will have to play a cat
| and mouse game trying to avoid VMs.
|
| The less clear it is if a process is running in a VM, the
| easier time security researchers will have testing exploits
| found in the wild.
| usrbinbash wrote:
| Many of the most dangerous threat actors simply don't care about
| getting caught. They are operated, financed and protected by
| nation states, and/or operate from geopolitical locations where
| law enforcement is lacking.
| annoyingnoob wrote:
| Anyone run this through VirusTotal?
| russdill wrote:
| Wow, never ever install this if you plan to play games with cheat
| detection
| otikik wrote:
| Heh.
|
| The arms race continues.
| mistercheph wrote:
| How I pwned hacker news (2024)
| eigenvalue wrote:
| I really don't get why this would be a 71 MB installer that takes
| up 113 MB when installed. If they are literally just fake
| processes running that have the right names, why couldn't this be
| a 100 KB installer?
| nsbk wrote:
| This may very well be the greatest British deception since the
| WWII carrot propaganda. But for malware. Nice!
| lbotos wrote:
| "It's early days, were only in Alpha." -> It's early days, we're
| only in Alpha.
| verandaguy wrote:
| This is a really cool concept! Even if it's difficult to trust it
| as-is (for reasons stated ad nauseam in other comments), this
| might put gas on the fire of a so-far small area of malware
| research, which will be good for the community at large.
|
| It's obviously an arms race when it comes to malware, but this
| could be a significant step forward on the defensive side,
| forcing malware developers to evolve their TTPs.
___________________________________________________________________
(page generated 2024-06-18 23:00 UTC)