
Cyber Scarecrow

(www.cyberscarecrow.com)
606 points toby_tw | 2 comments
pogue (No.40715432)
Sounds like a very interesting concept. I'd like to see someone actually test this though.

Try running this on a Windows PC with Windows Defender off & just Scarecrow running. You could use the MaleX test kit [1] or a set of malware such as the Zoo collection [2] or something more current. I'd be very interested to see how many malware executables stop halfway through their installation after seeing a few bogus registry entries/background programs running. I'm not trying to imply it's worthless, but it needs some actual "real world" test results.

[1] https://github.com/Mayachitra-Inc/MaleX [2] https://github.com/ytisf/theZoo

1. CyberScarecrow (No.40715510)
Author of scarecrow here. Sweet idea, thank you for sharing. What I would really like to do is have some sort of stats in the app that shows if it has 'scared' away any malware. But I'm not sure how to do that, and work out what other processes on the machine have exited because it saw some cyber scarecrow indicators in the system's process listing.
2. pogue (No.40715714)
I would assume with a minimalist program like yours, it wouldn't have the capability to detect whether anything malicious was running on the system. That kind of thing would require some more advanced trip wires that would notice when certain things were triggered when they shouldn't have been, or a full-blown AV detection engine.

I suppose it could work like Sysinternals Process Explorer/Autoruns/etc & submit running hashes to Virustotal.com or other databases, but there's always the likelihood of false positives with that.

If you search GitHub for "malware samples" there are loads of them. Vx Underground also has a large collection [1]. So, I would go through there & look for commonalities to try and find what malware often tries to trigger on startup.

I'll just end with this example of an interesting form of a trip wire I've seen in use on Windows PCs: ZoneAlarm makes an anti-ransomware tool I can't think of the name of. It placed hidden files & folders in every directory on the hard drive. It would then monitor if anything tried to access it - as ransomware would attempt to encrypt it - and force kill all running programs in an attempt to shut down the malware before it could encrypt the entire HDD.

[1] https://vx-underground.org/Archive/Collections
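The decoy-file tripwire described in the comment above is easy to prototype. The following is an added Python example, not code from Cyber Scarecrow or from the ZoneAlarm tool: it plants a decoy file in every directory under a root and reports decoys that were rewritten or deleted, which is the signal a ransomware encryptor leaves. The decoy filename and contents are constructed, it polls rather than watching file events, and it only reports (it does not kill processes).

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed decoy name and body. On Windows the hidden attribute would be
# set separately; a dot prefix only hides the file on Unix-like systems.
CANARY_NAME = ".scarecrow_canary.txt"
CANARY_BODY = b"decoy file - constructed sample, never legitimately edited\n"
EXPECTED_DIGEST = hashlib.sha256(CANARY_BODY).digest()


def plant_canaries(root: Path) -> list[Path]:
    """Write one decoy file into root and every directory below it (top-down)."""
    planted = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        canary = Path(dirpath) / CANARY_NAME
        canary.write_bytes(CANARY_BODY)
        planted.append(canary)
    return planted


def check_canaries(planted: list[Path]) -> list[tuple[Path, str]]:
    """Return (path, reason) for every decoy that is missing or no longer
    matches the known-good hash. An encryptor rewrites files in place or
    replaces them, so either condition is a trip."""
    tripped = []
    for canary in planted:
        if not canary.exists():
            tripped.append((canary, "missing"))
        elif hashlib.sha256(canary.read_bytes()).digest() != EXPECTED_DIGEST:
            tripped.append((canary, "modified"))
    return tripped


def simulate() -> list[str]:
    """Plant decoys in a throwaway tree, tamper with two of them the way an
    encryptor would (overwrite one, delete one), and report what tripped."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs" / "2024").mkdir(parents=True)
        planted = plant_canaries(root)          # root, docs, docs/2024
        planted[0].write_bytes(b"ENCRYPTED")    # constructed tampering
        planted[1].unlink()                     # constructed deletion
        return [reason for _path, reason in check_canaries(planted)]


if __name__ == "__main__":
    print(simulate())  # prints ['modified', 'missing']
```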