
Cyber Scarecrow

(www.cyberscarecrow.com)
606 points toby_tw | 3 comments
iforgotpassword No.40715345
Narrator: and so the arms race continues.

I guess if this gets enough attention, malware will just add more sophisticated checks and not just look at the exe name.

But on that note, I wondered the same thing at my last workplace where we'd only run windows in virtual machines. Sometimes these were quite outdated regarding system and browser updates, and some non-tech staff used them to browse random websites. They were never hit by any crypto malware and whatnot, which surprised me a lot at first, but at some point I realized the first thing you do as even a halfway decent malware author is checking whether you run in a virtualized environment.

replies(2): >>40715417 >>40715526
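The two kinds of check contrasted above (looking only at executable names versus something harder to fake) side by side, as an added illustration that is not code from Cyber Scarecrow or from any commenter. The sample host snapshots are constructed; the process list and MAC addresses are passed in explicitly so the example runs offline, and the "require two independent signals" threshold is an assumption chosen for the demonstration, not a description of any particular malware family.

```python
"""Sandbox-detection checks of the kind the thread describes (added example).

naive_is_analysis_env() only looks at process image names, so a decoy tool
that launches empty processes with the right names is enough to trip it.
corroborated_is_analysis_env() demands a second, independent artifact (the
NIC vendor prefix) before concluding that it runs under a hypervisor, which
decoy process names alone cannot satisfy.
"""
from dataclasses import dataclass
from typing import Optional

# Process image names commonly associated with analysis VMs and sandboxes.
# Real tool names; the selection is illustrative, not exhaustive.
ANALYSIS_PROCESS_NAMES = frozenset({
    "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",     # VMware guest tools
    "vboxservice.exe", "vboxtray.exe",                      # VirtualBox guest additions
    "procmon.exe", "procexp.exe", "wireshark.exe",          # monitoring tools
    "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "idaq.exe",  # debuggers / disassemblers
})

# IEEE OUI prefixes assigned to hypervisor vendors for their virtual NICs.
HYPERVISOR_MAC_PREFIXES = {
    "00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
    "08:00:27": "VirtualBox",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}


@dataclass(frozen=True)
class HostSnapshot:
    """What a sample would observe on the host (constructed for the example)."""
    process_names: tuple   # image names from a process enumeration
    mac_addresses: tuple   # MAC addresses of the host's NICs


def naive_is_analysis_env(snapshot: HostSnapshot) -> bool:
    """Cheap check: bail out if any known analysis/VM process name is running."""
    running = {p.lower() for p in snapshot.process_names}
    return bool(running & ANALYSIS_PROCESS_NAMES)


def hypervisor_vendor_from_mac(mac: str) -> Optional[str]:
    """Map a MAC address to a hypervisor vendor via its OUI prefix, or None."""
    prefix = mac.lower().replace("-", ":")[:8]
    return HYPERVISOR_MAC_PREFIXES.get(prefix)


def corroborated_is_analysis_env(snapshot: HostSnapshot) -> bool:
    """Next step in the arms race: process names are only a weak signal and the
    verdict is 'sandbox' only when a hypervisor NIC prefix agrees.  Spawning
    decoy processes on a physical machine no longer triggers it."""
    weak_signal = naive_is_analysis_env(snapshot)
    strong_signal = any(hypervisor_vendor_from_mac(m) for m in snapshot.mac_addresses)
    return weak_signal and strong_signal


# Constructed sample snapshots.  The non-hypervisor MAC uses a locally
# administered address so it matches no vendor prefix.
REAL_VM = HostSnapshot(
    process_names=("explorer.exe", "vmtoolsd.exe", "chrome.exe"),
    mac_addresses=("00:0C:29:AB:CD:EF",),            # VMware virtual NIC
)
DECOYS_ON_PHYSICAL_HOST = HostSnapshot(
    process_names=("explorer.exe", "vmtoolsd.exe", "procmon.exe", "x64dbg.exe"),
    mac_addresses=("02:11:22:33:44:55",),            # no hypervisor OUI
)
CLEAN_PHYSICAL_HOST = HostSnapshot(
    process_names=("explorer.exe", "chrome.exe"),
    mac_addresses=("02:11:22:33:44:55",),
)

if __name__ == "__main__":
    for label, snap in [("real VM", REAL_VM),
                        ("decoys only", DECOYS_ON_PHYSICAL_HOST),
                        ("clean host", CLEAN_PHYSICAL_HOST)]:
        print(f"{label:12s} naive={naive_is_analysis_env(snap)!s:5s} "
              f"corroborated={corroborated_is_analysis_env(snap)}")
```

Running it shows the decoy-only host fooling the naive check but not the corroborated one; the flip side is that the corroborated check also stays silent on a real VM whose guest tools are not running, which is the kind of trade-off a malware author weighs against the cost of landing in a tar pit.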
fancythat No.40715526
This works, I can confirm. The majority of malware treats running in a VM as a sign of a researcher doing malware analysis.

I have been recommending doing this for over 10 years now.

replies(1): >>40717225
1. mdip No.40717225
That's where I wonder about a tool like this interfering with legitimate software.

For example, I believe the anti-cheat software used by games like Fortnite looks for similar things -- my understanding is that it, too, will refuse to start when it is executing in a VM[0]. As a teenager (90s), I remember several applications/games refusing to start when I'd attached a tracing process to them. They did this to stop exactly what I was doing: trying to figure out how to defeat the software licensing code. I haven't had a need to do that since the turn of the century but I'd put $10 on that still being a thing.

So you end up with a "false positive", and like anti-virus software, it results in "denial of service." But does anti-virus's solution of "white list it" apply here? At least with their specific implementation, it's "on or off", but I wonder if it's even possible to alter the application in a way that could "white list a process so it doesn't see the 'malware defeat tricks' this exposes." If not, you'd just have to "turn off protection" when you were using that program. That might not be practical depending on the program. It's also not likely the vendor of that program will care that "an application which pretends it's doing things we don't like" breaks their application unless it represents a lot of their install base.

[0] I looked into it a few years ago b/c I run Tumbleweed and it's a game the kids enjoy (I'm not a huge fan but my gaming days have been behind me for a while, now) ... I had hoped to be able to expose my GPU to the VM enough to be able to play it but didn't bother trying after reading others' experiences.

replies(2): >>40718142 >>40721000
2. fancythat No.40718142
You are right, some games, especially multiplayer ones, will refuse to work in a VM to prevent cheating, but this is, of course, a business decision on their side. You can always construct the software in such a way that it ceases to function when it detects something suspicious on the system: some copy protections looked for a change in the network card hardware ID, as developers presumed it was highly unlikely someone would change the network interface, but that stopped being common when people started using on-board interfaces that change with every motherboard change.

There is also a difference when using commercial stuff such as VMware instead of QEMU or VirtualBox, as open source is easier to tailor to a specific purpose, in this case cheating.

In the end, this approach works well for slowing down malware, as there is less risk for normal software in allowing itself to work inside a VM, in contrast to malware, which has to be coded to be extra paranoid in order to avoid as many tar pits as possible.

3. hurutparittya No.40721000
What do you mean by 'legitimate software' exactly? If you described what a modern anti-cheat solution does to someone without telling them what it is, they'd automatically call it malware. The similarity really is uncanny. It almost feels like the difference between them is more of a technicality.