←back to thread

Cyber Scarecrow

(www.cyberscarecrow.com)
606 points toby_tw | 1 comments | 18 Jun 24 08:08 UTC | HN request time: 0.204s | source
Show context
wruza ◴[18 Jun 24 10:24 UTC] No.40716002[source]
Why does malware “stop” if it sees AV? Sounds as if it wanted to live, which is absurd. A shady concept overall, cause if you occasionally run malware on your pc, it’s already over.

Downloading a random exe from a noname site/author to scare malware sounds like another crazy security recipe from your layman tech friend who installs registry cleaners and toggles random settings for “speed up”.

replies(5): >>40716202 #>>40716228 #>>40716249 #>>40716286 #>>40721679 #
bux93 ◴[18 Jun 24 10:53 UTC] No.40716202[source]
Take malware that is part of a botnet. Its initial payload is not necessarily damaging to the host, but is awaiting instructions to e.g. DDOS some future victim.

The authors will want the malware to spread as far and wide as it can on e.g. a corporate network. So they need to make a risk assessment; if the malware stays on the current computer, is the risk of detection (over time, as the AV software gets updates) higher than the opportunity to use this host for nefarious purposes later?

The list[1] of processes simulated by cyber scarecrow are mostly related to being in a virtual machine though. Utilities like procmon/regmon might indicate the system is being used by a techie. I guess the malware author's assumption is that these machines will be better managed and monitored than the desktop/laptop systems used by office workers.

[1] https://pastebin.com/JVZy4U5i

replies(1): >>40722190 #
1. jeroenhd ◴[18 Jun 24 21:06 UTC] No.40722190[source]
Many pieces of malware are encrypted and obfuscated to prevent analysis. Often, they'll detect virtual machines to make it harder for people to analyse the malware. Plenty of malware hides the juicy bits in a second or third stage download that won't trigger if the dropper is loaded inside of a VM (or with a debugger attached, etc.).

Similarly, there have also been malware that will deactivate itself when it detects signs of the computer being Russian; Russia doesn't really care about Russian hackers attacking foreign countries (but they'll crack down on malware spreading within Russia, when detected) so for Russian malware authors (and malware authors pretending to be Russian) it's a good idea not to spread to Russian computers. This has the funny side effect of simply adding a Russian keyboard layout being enough to prevent infection from some specific strains of malware.

This is less common among the "download trustedsteam.exe to update your whatsapp today" malware and random attack scripts and more likely to happen in targeted attacks at specific targets.

This tactic probably won't do anything against the kind of malware that's in pirated games and drive-by downloads (which is probably what most infections are) as I don't think the VM evasion tactics are necessary for those. It may help protect against the kind of malware human rights activists and journalists can face, though. I don't know if I'd trust this particular piece of software to do it, but it'll work in theory. I'm sure malware authors will update their code to detect this software if this approach ever takes off.