
Cyber Scarecrow

(www.cyberscarecrow.com)
606 points | toby_tw | 1 comment
wruza No.40716002
Why does malware “stop” if it sees AV? It sounds as if it wanted to live, which is absurd. A shady concept overall, because if you occasionally run malware on your PC, it’s already over.

Downloading a random exe from a no-name site/author to scare malware sounds like another crazy security recipe from your layman tech friend who installs registry cleaners and toggles random settings for “speed up”.

replies(5): >>40716202 #>>40716228 #>>40716249 #>>40716286 #>>40721679 #
qwery No.40716286
It's not really about "normal" antivirus programs, but about tools used by security researchers. It's well known that more sophisticated malware often tries to avoid scrutiny by not running, or by masking its intended purpose, if the environment looks "suspicious".

A paranoid online game, e.g. Test Drive Unlimited, might not launch because the OS says it's Windows Server 2008 (ask me how I know). A script in a Word document might not deliver its payload if there are no "recently opened documents".

The idea with this thing is to make the environment look suspicious by making it look like an environment where the malware is being deliberately executed in order to study its behaviour.