
Cyber Scarecrow

(www.cyberscarecrow.com)
606 points | toby_tw | 2 comments
iforgotpassword No.40715345
Narrator: and so the arms race continues.

I guess if this gets enough attention, malware will just add more sophisticated checks and not just look at the exe name.

But on that note, I wondered the same thing at my last workplace, where we'd only run Windows in virtual machines. Sometimes these were quite outdated regarding system and browser updates, and some non-tech staff used them to browse random websites. They were never hit by any crypto malware and whatnot, which surprised me a lot at first, but at some point I realized the first thing you do as even a halfway decent malware author is to check whether you run in a virtualized environment.

replies(2): >>40715417 #>>40715526 #
curtisblaine No.40715417
> I guess if this gets enough attention, malware will just add more sophisticated checks and not just look at the exe name.

But more sophisticated detection means bigger payload (making the malware easier to detect) and more complexity (making the malware harder to make / maintain), so mission accomplished.

replies(3): >>40715455 #>>40715544 #>>40722248 #
oefrha No.40715544
“Sophisticated” detection can be as simple as checking rss and pcpu. The bullshit decoy processes probably aren’t wasting a lot of CPU and RAM; otherwise you might as well run the real things. If they are, well, just avoid, who cares. So no, it’s not going to meaningfully complicate anything.
replies(1): >>40715649 #
curtisblaine No.40715649
Wouldn't that be more fragile though? CPU usage is not constant in time, so if - again - you're not sophisticated enough, you get more false negatives / positives, depending on which side of the heuristic you err.
replies(1): >>40715755 #
oefrha No.40715755
This is only useful for dragnet malware targeting the masses, where false positives/negatives have low impact to begin with. High value targets can run the real programs if this is proven to have any effect — the average corporate IT can approve some more bloat for security, no problem. Also, you take a sample.