Costs a lot of cycles to run those for real, and it’s not super common to get infected with anything, so you’re wasting cycles for a small chance at avoiding it. This could be better since, I assume, it doesn’t do a lot of stuff.
Author of scarecrow here. The idea is cyber scarecrow is just super easy and light weight for anyone to use. Honeypot tech tends to need some good tech understanding to use (eg the cli), and can be a bit heavyweight for always running in the background of your computer.
If the creators read this, I suggest some ways of building trust. There’s no “about us”, no GitHub link, etc. It’s a random webpage that wants my personal details, and sends me a “exe”. The overlap of people who understand what this tool does, and people who would run that “exe” is pretty small.
It is a cat and mouse game. And security by obscurity practice. Not saying it won't work, but if it is open sourced, how long before the malware will catch on?
Look into Windows NT source code that was leaked. The if-else/switch statements in there is just another level of string matching hell. Seems like software development just become "let's jerry rig it to just make it work and forget about it." Pretty sure management (without tech clue) have something to do behaviours like this.
> Pretty sure management (without tech clue) have something to do behaviours like this.
Always the same bullshit with you people here. Could never possibly someone built a sub-optimal system -- it HAD to be management fucking with our good intentions!
Well yeah. Left to their own devices, people want to build good stuff. It's when some dumb turd with his metrics and clueless plan shows up that things get screwy.
Author of scarecrow here. Our thinking is that if malware starts to adapt and check if scarecrow is installed, we are doing something right. We can then look to update the app to make it more difficult to spot - but its then a cat and mouse game.
You had an answer canned for one part of the query. Why are you trying to release security software completely anonymously? This is insane - you want an incredible amount of trust from users but can’t even identify a company.
Simply, if users are as intelligent as you think, they’re too intelligent to use your product.
If you think that is what will make it a cat and mouse game instead of understanding it has been a cat and mouse game since the beginning of time, then you're not compelling me into thinking you're very experienced in this space.
Some malware will catch on, some will not. It's a cost vs profit problem. Statistically, this will always decrease the number of possible malware samples that can be installed on the machine, but by what margin? Impossible to say.
I'd be willing to bet good money that 99% of malware authors won't adapt, since 99% (more like 99.999%) of the billions of worldwide windows users will not have this installed.
For the cat to care about the mouse it needs to at least be a good appetizer.
I've worked in companies with horrendous security, where someone with just a bit of SQL injection experience could have easily carried out the data. Yet, since this was a custom in-house application and your off-the-shelve-scanners did not work, this never happened; the only times the servers were hacked was when the company decided to host an (obviously never updated) grandfathered Joomla instance for a customer.
But even more simply, just setting your SSH port to something >10000 is enough to get away with a very mediocre password. It's mostly really not about being a hard target, not being the easiest one is likely quite sufficient :)
> But even more simply, just setting your SSH port to something >10000 is enough to get away with a very mediocre password.
Given how easy and free tools like Wireguard are to setup now (thanks Tailscale!), I really don't understand why folks feel the need to map SSH access to a publicly exposed port at all anymore for the most part, even for throw away side projects.
I mostly agree, but even this leaves you exposed to new bugs found in SSH in the future etc if on an unpatched/forgotten server. I still think its best (and really, really easy now with tools like tailscale) to simply never expose the software to the wide world in the first place and only access over Wireguard.
Fundamentally, it makes no sense to expose low level server access mechanisms to anyone other than yourself/team - there is no need for this to sit listening on a public port, almost ever.
If I were to run a Windows computer, I wouldn't care what 99.999% of other people didn't do to make their computer safe. If it were something that I could do, then that's good enough for me. However, the best thing one can do to protect themselves from Windows malware is to not use Windows. This is the path I've chosen for myself
It's not a cat an mouse game; it's a diver and shark game. In SCUBA training we joked that you had the "buddy system" where you always dive in pairs, because that way if you encounter a shark you don't have to outswim the shark, you only have to outswim your buddy.
A low-effort activity that makes you not be the low-hanging fruit can often be worth it. For example, back in the '90s I moved my SSH port from 22 to ... not telling you! It's pretty easy to scan for SSH servers on alternate ports, but basically none of the worms do that.
A lot of security stuff is a bit ironic like that. "Give this antivirus software super-root access to your machine".. it depends on that software being trustworthy.
Author of cyber scarecrow here. Thank you for your feedback, and you are 100% right. We also dont have a code signing certificate yet either, they are expensive for windows. Smartscreen also triggers when you install it. Id be weary of installing it myself as well, especially considering it runs as admin, to be able to create the fake indicators.
I have just added a bit of info about us on the website. I'm not sure what else we can do really. Its a trust thing, same with any software and AV vendors.
> We also dont have a code signing certificate yet either, they are expensive for windows.
When someone is offering you a certificate and the only thing you have to do in order to get it is pay them a significant amount of money, that's a major red flag that it's either a scam or you're being extorted. Or both. In any case you should not pay them and neither should anyone else.
Besides paying money you also go through a (pretty simplistic) audit. It’s about the only way we have to know who published some code, which is important. If you can come up with a better way you should implement it and we’ll all follow.
As a side note, I’ve been trying to figure out how to get an EV code signing cert that isn’t tied to me (want to make a tool Microsoft won’t like and don’t want retaliation to hurt my business) but I haven’t come up with a way to do it - which is a good thing I suppose.
If said Craigslist rando likes getting police visits and potentially being criminally liable for helping you commit a felony ...
All code signing promises to give you the name of a real person or company that signed the binary. From there it's the end user's responsibility to decide if they trust that entity.
In practice the threat of the justice system makes any signed executable unlikely to be malicious. But that doesn't mean you have to uncritically trust a binary signed by Joe Hobo
The threat is that if you sign malware with your name you will be quickly connected with said malware. If you don't live in a country that turns a blind eye to cyber crime that is a quick ticket to jail.
Of course people stealing other people's signing keys is an issue. But EV code signing certificates are pretty well protected (requiring either a hardware dongle or 2FA). It's not impossible for a highly sophisticated attacker, but it's a pretty high bar.
There’s an audit to go through where you (sort of) prove who you are. The system isn’t great, but if you can come up with something better there’s a lot of space to make software more secure for people.
Not many software promises to fend off attackers, asks for an email address before download, and creates a bunch of processes using a closed source dll the existence of which can easily be checked.
Then again, not many malware targeting consumers at random check for security software. You are more likely to see a malware stop working if you fake the amount of ram and cpu and your network driver vendor than if you have CrowdStrike, etc. running.
Something that would have built trust with me that I didn't find on the site was any mention of success rate. Surely CyberScarecrow has been tested against known malware to see if the process successfully thwarts an attack.
Obviously this should be an open source tool that people can build for themselves. If you want to sell premium services or upgrades for it later, you need to have an open/free tier as well.
Also are you aware of the (very awesome) EDR evasion toolkit called scarecrow? Naming stuff is hard, I get that, but this collision is a bit much IMO.
It's a neat concept, although I imagine this'll be a cat and mouse endeavor that escalates very quickly. So, a suggestion - apply to the Open Technology Fund's Rapid Response Fund. I'd probably request the following in your position:
* code signing certificate funding
* consulting/assessment to harden the application or concept itself as well as to make it more robust (they'll probably route through Cure53)
* consulting/engineering to solve for the "malware detects this executable and decides that the other indicators can be ignored" problem, or consulting more generally on how to do this in a way that's more resilient.
If you wanted to fund this in some way without necessarily doing the typical founder slog, might make sense to 501c3 in the US and then get funded by or license this to security tooling manufacturers so that it can be embedded into security tools, or to research the model with funding from across the security industry so that the allergic reaction by malware groups to security tooling can be exploited more systemically.
I imagine the final state of this effort might be that security companies could be willing to license decoy versions of their toolkits to everyone that are bitwise identical to actual running versions but then activate production functionality with the right key.
> consulting/engineering to solve for the "malware detects this executable and decides that the other indicators can be ignored" problem, or consulting more generally on how to do this in a way that's more resilient.
This would be a boon for security folk who analyze/reverse malware: they can add/simulate this tool in their VMs to ensure the malware being analyzed doesn't deactivate itself!
> decoy versions of their toolkits to everyone that are bitwise identical to actual running versions but then activate production functionality with the right key
I kinda think this functionality could be subverted into a kill switch for legit-licensed installs simply by altering the key.
Concerning code signing: Azure has a somewhat new offering that allows you to sign code for Windows (SmartScreen compatible) without having an EV cert. It is called "Trusted Signing" [1], non-marketing docs [2]. The major gotcha is that currently you need to have a company or similar entity 3 years or older to get public trust. I tried it with a company younger than 3 years and was denied. You might have a company that fits that criteria or you might get lucky.
The major upside is the pricing: currently "free" [3] during testing, later about 10 USD/month. As there doesn't seem to be a revocation mechanism based on some docs I read, signed binaries might be valid even after a canceled subscription.
[3] You need a CC and they will likely charge you at some point. Also I had to use some kind of business Azure/MS 365 account which costs about 5 USD/month. Not sure about the exact lingo, not an Azure/MS expert. The docs in [2] was enough for me to get through the process.
$70 isn't correct though. The cost was originally described upthread as ($10 per month) + ($5 per month), not ($10 per year) + ($5 per month).
That said, EV certs jumped in price over the past couple years. The total cost ends up being higher than the list price -- vendors tack on a non-trivial extra fee for the USB hardware token and shipping. All-inclusive I paid like $450 a year ago, and that was after getting a small repeat-customer discount.
So yes, Azure's service is substantially cheaper than an EV cert. And it also has the flexibility of being a monthly plan, rather than an annual commitment.
Don't you know.. microsoft doesn't believe in discounts. The evil-empire runs a taxing system envied by the IRS itself. Entire industries have gone up in arms complaining that M$ cloud price structure doesn't allow for third party margins and still they hold strong to their price structure.
Where is that additional info? It just says you're a group of security researchers, but there are no names, no verifiable credentials, nothing. You haven't really added any info that would contribute to any real trust.
Exactly. This continues to tell us absolutely nothing.
"Who are you?
We are cyber security researchers, living in the UK. We built cyber scarecrow to run on our own computers and decided to share it for others to use it too."
You're collecting personal info and claiming to be in the UK: identifying the data controller would be a start, both for building trust and complying with GDPR.
One more thing you could do is put the real name of any human being with any track record of professionalism, anywhere on the website. Currently you're:
- commenting under a pseudonymous profile
- asking for emails by saying "please email me. contact at cyberscarecrow.com"
- describing yourself in your FAQ entry for "Who are you?" by writing "We are cyber security researchers, living in the UK. We built cyber scarecrow to run on our own computers and decided to share it for others to use it too."
I frequently use pseudonymous profiles for various things but they are NOT a good way to establish trust.
How are you planning on preventing bad actors to identify scarecrow itself? You gonna randomize the name/processes etc?? Like anti-malware software do to install in stealth-mode??
I'd suggest putting down the actual authors. If you're UK based there should really be no issue in putting down each of the people involved and what their background in the industry is. Otherwise this just looks like a v1 to get people interested and v2 could include malware. Tbh it'd be quite a clever ploy if it is malware. Trust isn't built blindly, most smaller software creators always have their details known. I'd suggest if you want it to pick up traction, you have a full "about us" page.
That's a problem with a lot of software and developers these days. An "About Me" section with a real face and presence is important and I don't mean anime characters and aliases either. Tell me who you are, put yourself out there.
I would assume there would be a small intersection of people that would download and install a windows program from an unknown web page and those that are worried about malware.
Author of cyber scarecrow here. You are right, its a trust thing. Completly understand if people wouldnt want to install it and thats fine. It's the same for any software really. We just havent built up any confidence or trust like a big established company will have.
At this point, the simplest explanation is that it actually is malware. A more credible explanation than security researchers making something that looks this much like malware, but actually isn't.
Even the WHOIS response gives "Privacy service provided by Withheld for Privacy ehf" under the contact field. The developers claim to be living in the UK, but don't provide any legal identity - and it's not hard; you don't even need to be a British resident to start a shell company in Britain.
I guess if this gets enough attention, malware will just add more sophisticated checks and not just look at the exe name.
But on that note, I wondered the same thing at my last workplace where we'd only run windows in virtual machines. Sometimes these were quite outdated regarding system and browser updates, and some non-tech staff used them to browse random websites. They were never hit by any crypto malware and whatnot, which surprised me a lot at first, but at some point I realized the first thing you do as even a halfway decent malware author is checking whether you run in a virtualized environment.
> I guess if this gets enough attention, malware will just add more sophisticated checks and not just look at the exe name.
But more sophisticated detection means bigger payload (making the malware easier to detect) and more complexity (making the malware harder to make / maintain), so mission accomplished.
The more scarecrow is installed, the easier it gets for real security researchers to hide from these checks and detect viruses. So actually the dynamic helps security research.
“Sophisticated” detection can be as simple as checking rss and pcpu, the bullshit decoy processes probably aren’t wasting a lot of CPU and RAM, otherwise might as well run the real things; if they are, well, just avoid, who cares. So no, it’s not going to meaningfully complicate anything.
Wouldn't that be more fragile though? CPU usage is not constant in time, so if - again - you're not sophisticated enough, you get more false negatives / positives, depending on which side of the heuristic you err.
This is only useful for dragnet malware targeting the masses, where false positives/negatives have low impact to begin with. High value targets can run the real programs if this is proven to have any effect — the average corporate IT can approve some more bloat for security, no problem. Also, you take a sample.
That's where I wonder about a tool like this interfering with legitimate software.
For example, I believe the anti-cheat software used by games like Fortnite looks for similar things -- my understanding is that it, too, will refuse to start when it is executing in a VM[0]. As a teenager (90s), I remember several applications/games refusing to start when I'd attached a tracing process to them. They did this to stop exactly what I was doing: trying to figure out how to defeat the software licensing code. I haven't had a need to do that since the turn of the century but I'd put $10 on that still being a thing.
So you end up with a "false positive", and like anti-virus software, it results in "denial of service." But does anti-virus's solution of "white list it" apply here? At least with their specific implementation, it's "on or off", but I wonder if it's even possible to alter the application in a way that could "white list a process so it doesn't see the 'malware defeat tricks' this exposes." If not, you'd just have to "turn off protection" when you were using that program. That might not be practical depending on the program. It's also not likely the vendor of that program will care that "an application which pretends it's doing things we don't like" breaks their application unless it represents a lot of their install base.
[0] I looked into it a few years ago b/c I run Tumbleweed and it's a game the kids enjoy (I'm not a huge fan but my gaming days have been behind me for a while, now) ... I had hoped to be able to expose my GPU to the VM enough to be able to play it but didn't bother trying after reading others' experiences.
You are right, some games, especially multiplayer ones will refuse to work in the VM to prevent cheating, but this is, of course, the business decision on their side. You can always construct the software in such a way that when it detects something suspicious on the system it ceases to function: some copy protections looked up for change in the network card hardware id as developers presumed it is highly unlikely someone will change network interface, but that stopped to be common, when people started using on-board interfaces that change with every motherboard change.
There is also a difference when using commercial stuff such as vmware instead of qemu or virtualbox as open source is more suitable to be tailored to the specific thing, in this case, cheating.
In the end, this approach works well for slowing done malware as there is less risk for normal software to allow working inside of vm in contrast to malware that should be coded to be extra paranoid in order to avoid as many tar pits as possible.
What do you mean by 'legitimate software' exactly? If you described what a modern anti-cheat solution does to someone without telling them what it is, they'd automatically call it malware. The similarity really is uncanny. It almost feels like the difference between them is more of a technicality.
Sounds like a very interesting concept. I'd like to see someone actually test this though.
Try running this on a Windows PC with Windows Defender off & just Scarecrow running. You could use the MaleX test kit [1] or a set of malware such as the Zoo collection [2] or something more current. I'd be very interested to see how many malware executables stop half way through their installation after seeing a few bogus registry entries/background programs running. I'm not trying to imply it's worthless, but it needs some actual "real world" test results.
Author of scarecrow here. Sweet idea, thankyou for sharing. What i would really like to do, is have some sort of stats in the app, that shows if it has 'scared' away any malware. But im not sure how to do that, and work out what other processes on the machine have exited because it saw some cyber scarecrow indicators in the systems process listing.
I would assume with a minimalist program like yours, it wouldn't have the capability to detect whether anything malicious was running on the system. That kind of thing would require some more advanced trip wires that would notice when certain things were triggered when they shouldn't have been or a full blown AV detection engine.
I suppose it could work like Sysinternals Process Explorer/Autoruns/etc & submit running hashes to Virustotal.com or other databases, but there's always the likelihood of false positives with that.
If you search Github for "malware samples" There are loads of them. Vx Underground also has a large collection [1]. So, I would go through there & look for commonalities to try and find what malware often tries to trigger on startup.
I'll just end with this example of an interesting form of a trip wire I've seen in use on Windows PCs: ZoneAlarm makes an anti-ransomwear tool I can't think of the name of. It placed hidden files & folders in every directory on the hard drive. It would then monitor if anything tried to access it - as ransomwear would attempt to encrypt it - and force kill all running programs in an attempt to shut down the malware before it could encrypt the entire HDD.
Lol, this website is registered to someone in Iceland, despite the assurance that it is a "security researcher living in the UK". I'm sure the results from this experiment will make a cool blog post about pwning tech savvy folks.
Hmm my Namecheap domains keep the location details even with WHOIS privacy enabled. To be fair they are 7+ years old so maybe something has changed in that time?
i'm confused about the tradeoff of not running the software that your pretending to be running? Most AV definitly feels like malware itself so maybe thats your point? But it would probably be better to run good software than fake bad software?
But there is no good software for defense. They either introduce obstacles while being barely useful or are useful, introduce obstacles for you and are proprietary and thus are malicious by design.
As much as I'd love to see something like this everywhere, the problem is it's useless for everyone who loves to play online games or watch DRM-encumbered content, so the majority of the population... because DRM, anticheat and malware all fear the same set of tools/indicators.
Solution: temporary "game mode" that disables most protections that can impact DRM, or a custom rule engine that disables protections if some application is detected to be running (e.g. fortnite.exe or something), but this second method should be done manually by the user.
I wonder if you can make malware think your language and keyboard layout is Russian without having to endure the setup, that's been known to deter some nasty stuff.
> When hackers install malicious software on a compromised victim, they first check to make sure its safe for them to run. They don't want to get caught and avoid computers that have security analysis [...] tools on them.
Game anti-cheat code makes similar checks (arguably it is malware, but that's besides the point). So, running this might put you at risk of getting banned from your favourite game.
Get a PTR record for your IP, let it resolve to honeypot087.win.internal.security.example.com, that will make your IP less interesting... To some people
One of the reference in "How does it work" [1] mentioned that some hackers will not mess with computers with Russian keyboard, so you can add one to reduce your chance of getting hacked.
Hilarious aside, it would only work if you don't actually use multiple keyboard -- otherwise an additional one would make switching between multiple keyboards very annoying [*].
It also mentions some other changes like adding RU keywords to your registry. Again, these measures would have many side effects since lots of software actually use these registry entries for legit reasons. So I don't know if this Cyber Scarecrow product would have this problem, since it does modify registry, too.
*: A little rant: as someone who use three virtual keyboards (English, Chinese, Japanese), it is already a pain in ass to switch them since MS does not follow "last used" switching order (like alt+tab). Instead, it just switches in one direction.
> A little rant: as someone who use three virtual keyboards (English, Chinese, Japanese), it is already a pain in ass to switch them since MS does not follow "last used" switching order (like alt+tab). Instead, it just switches in one direction.
Actually, I much prefer this order. Depending on what keyboard I currently use, I know exactly how often to switch instead of having to remember what I used previously. In fact, I don't even like this order when Alt+Tab'ing, it makes switching between more than two windows pretty inconsistent (yes, I know Windows+Number works, too).
Having "last used" order makes quickly switch between two windows very easy, which is something I personally use more. It's easier than pressing alt+tab/shift+alt+tab alternately.
To switch to the third window, you can use alt+tab+tab.
1. The Shift+Alt chord is obnoxiously unreliable, sensitive to which key comes down first, or something.
2. Japanese is always comeing up in A mode even though you last had it in あ mode.
3. Bad performance: sllllow language switching at times: you hit some keyboard sequence for changing languages or modes within a language, and nothing happens. This interacts with (2): did we hit an unreliable chord? Or is it just slow to respond?
I have to use a 3rd party Japanese IME precisely because of 2. No idea why they haven't add an option for it to be default to あ mode.
Also, in ANY modern Chinese IME (Microsoft or 3rd party), switching between English/中文 mode is simply pressing shift once. You still have to use alt+` for that in JP IME, which I find unbearable.
Small correction: not "some hackers", but some malware families (the difference being that the check is automatic). And honestly, not "some" but "most of them" :).
Though I often see this implemented by calling GetKeyboardLayout, so this will only work if you actually use the Russian (or neighbourly) layout when malware detonation happens.
252 comments
[ 0.23 ms ] story [ 236 ms ] threadIf the creators read this, I suggest some ways of building trust. There’s no “about us”, no GitHub link, etc. It’s a random webpage that wants my personal details, and sends me a “exe”. The overlap of people who understand what this tool does, and people who would run that “exe” is pretty small.
Here is one on github:
https://github.com/NavyTitanium/Fake-Sandbox-Artifacts
Always the same bullshit with you people here. Could never possibly someone built a sub-optimal system -- it HAD to be management fucking with our good intentions!
Simply, if users are as intelligent as you think, they’re too intelligent to use your product.
For the cat to care about the mouse it needs to at least be a good appetizer.
But even more simply, just setting your SSH port to something >10000 is enough to get away with a very mediocre password. It's mostly really not about being a hard target, not being the easiest one is likely quite sufficient :)
Given how easy and free tools like Wireguard are to setup now (thanks Tailscale!), I really don't understand why folks feel the need to map SSH access to a publicly exposed port at all anymore for the most part, even for throw away side projects.
Fundamentally, it makes no sense to expose low level server access mechanisms to anyone other than yourself/team - there is no need for this to sit listening on a public port, almost ever.
There is plenty of dumb malware.
Security folks seem to get overly focused at times on the most sophisticated attackers and forget about the unwashed hordes.
A low-effort activity that makes you not be the low-hanging fruit can often be worth it. For example, back in the '90s I moved my SSH port from 22 to ... not telling you! It's pretty easy to scan for SSH servers on alternate ports, but basically none of the worms do that.
I have just added a bit of info about us on the website. I'm not sure what else we can do really. Its a trust thing, same with any software and AV vendors.
Not for hacking non citizens
When someone is offering you a certificate and the only thing you have to do in order to get it is pay them a significant amount of money, that's a major red flag that it's either a scam or you're being extorted. Or both. In any case you should not pay them and neither should anyone else.
As a side note, I’ve been trying to figure out how to get an EV code signing cert that isn’t tied to me (want to make a tool Microsoft won’t like and don’t want retaliation to hurt my business) but I haven’t come up with a way to do it - which is a good thing I suppose.
All code signing promises to give you the name of a real person or company that signed the binary. From there it's the end user's responsibility to decide if they trust that entity.
In practice the threat of the justice system makes any signed executable unlikely to be malicious. But that doesn't mean you have to uncritically trust a binary signed by Joe Hobo
What threats are those? Where are all the people going to jail for falsely signed software? The stuxnet authors seem to be in the wind.
Of course people stealing other people's signing keys is an issue. But EV code signing certificates are pretty well protected (requiring either a hardware dongle or 2FA). It's not impossible for a highly sophisticated attacker, but it's a pretty high bar.
https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACe...
I used Google to search for "list of microsoft trusted CA".
Not many software promises to fend off attackers, asks for an email address before download, and creates a bunch of processes using a closed source dll the existence of which can easily be checked.
Then again, not many malware targeting consumers at random check for security software. You are more likely to see a malware stop working if you fake the amount of ram and cpu and your network driver vendor than if you have CrowdStrike, etc. running.
Also are you aware of the (very awesome) EDR evasion toolkit called scarecrow? Naming stuff is hard, I get that, but this collision is a bit much IMO.
https://github.com/Tylous/ScareCrow
* code signing certificate funding
* consulting/assessment to harden the application or concept itself as well as to make it more robust (they'll probably route through Cure53)
* consulting/engineering to solve for the "malware detects this executable and decides that the other indicators can be ignored" problem, or consulting more generally on how to do this in a way that's more resilient.
If you wanted to fund this in some way without necessarily doing the typical founder slog, might make sense to 501c3 in the US and then get funded by or license this to security tooling manufacturers so that it can be embedded into security tools, or to research the model with funding from across the security industry so that the allergic reaction by malware groups to security tooling can be exploited more systemically.
I imagine the final state of this effort might be that security companies could be willing to license decoy versions of their toolkits to everyone that are bitwise identical to actual running versions but then activate production functionality with the right key.
This would be a boon for security folk who analyze/reverse malware: they can add/simulate this tool in their VMs to ensure the malware being analyzed doesn't deactivate itself!
I kinda think this functionality could be subverted into a kill switch for legit-licensed installs simply by altering the key.
The major upside is the pricing: currently "free" [3] during testing, later about 10 USD/month. As there doesn't seem to be a revocation mechanism based on some docs I read, signed binaries might be valid even after a canceled subscription.
[1] https://azure.microsoft.com/en-us/products/trusted-signing
[2] https://learn.microsoft.com/en-us/azure/trusted-signing/quic...
[3] You need a CC and they will likely charge you at some point. Also I had to use some kind of business Azure/MS 365 account which costs about 5 USD/month. Not sure about the exact lingo, not an Azure/MS expert. The docs in [2] was enough for me to get through the process.
That's not a big discount.
That said, EV certs jumped in price over the past couple years. The total cost ends up being higher than the list price -- vendors tack on a non-trivial extra fee for the USB hardware token and shipping. All-inclusive I paid like $450 a year ago, and that was after getting a small repeat-customer discount.
So yes, Azure's service is substantially cheaper than an EV cert. And it also has the flexibility of being a monthly plan, rather than an annual commitment.
"Who are you?
We are cyber security researchers, living in the UK. We built cyber scarecrow to run on our own computers and decided to share it for others to use it too."
- commenting under a pseudonymous profile
- asking for emails by saying "please email me. contact at cyberscarecrow.com"
- describing yourself in your FAQ entry for "Who are you?" by writing "We are cyber security researchers, living in the UK. We built cyber scarecrow to run on our own computers and decided to share it for others to use it too."
I frequently use pseudonymous profiles for various things but they are NOT a good way to establish trust.
No different from MacAffee, Trend Micro, Symantec. Oh, but those are brand names you can trust, like Coca-Cola and Kellog's Corn Flakes.
Unfortunately (at least outside of HN) "people who understand what this tool does" probably isn't a subset of "people who would run that "exe"."
Also somewhat surprised the source isn't available. That makes trusting it harder, especially to the people it's aimed at.
If you start down this path you will end up in mindgame hell.
Jokes aside, this is a temporary fix at best, a waste of resources and impression of safety at worst.
(bingo?)
But perhaps I'm wrong
There are ways to establish trust, you aren’t doing any of them.
I guess if this gets enough attention, malware will just add more sophisticated checks and not just look at the exe name.
But on that note, I wondered the same thing at my last workplace where we'd only run windows in virtual machines. Sometimes these were quite outdated regarding system and browser updates, and some non-tech staff used them to browse random websites. They were never hit by any crypto malware and whatnot, which surprised me a lot at first, but at some point I realized the first thing you do as even a halfway decent malware author is checking whether you run in a virtualized environment.
But more sophisticated detection means bigger payload (making the malware easier to detect) and more complexity (making the malware harder to make / maintain), so mission accomplished.
I am recommending doing this for over 10 years now.
For example, I believe the anti-cheat software used by games like Fortnite looks for similar things -- my understanding is that it, too, will refuse to start when it is executing in a VM[0]. As a teenager (90s), I remember several applications/games refusing to start when I'd attached a tracing process to them. They did this to stop exactly what I was doing: trying to figure out how to defeat the software licensing code. I haven't had a need to do that since the turn of the century but I'd put $10 on that still being a thing.
So you end up with a "false positive", and like anti-virus software, it results in "denial of service." But does anti-virus's solution of "white list it" apply here? At least with their specific implementation, it's "on or off", but I wonder if it's even possible to alter the application in a way that could "white list a process so it doesn't see the 'malware defeat tricks' this exposes." If not, you'd just have to "turn off protection" when you were using that program. That might not be practical depending on the program. It's also not likely the vendor of that program will care that "an application which pretends it's doing things we don't like" breaks their application unless it represents a lot of their install base.
[0] I looked into it a few years ago b/c I run Tumbleweed and it's a game the kids enjoy (I'm not a huge fan but my gaming days have been behind me for a while, now) ... I had hoped to be able to expose my GPU to the VM enough to be able to play it but didn't bother trying after reading others' experiences.
There is also a difference when using commercial stuff such as vmware instead of qemu or virtualbox as open source is more suitable to be tailored to the specific thing, in this case, cheating.
In the end, this approach works well for slowing done malware as there is less risk for normal software to allow working inside of vm in contrast to malware that should be coded to be extra paranoid in order to avoid as many tar pits as possible.
Try running this on a Windows PC with Windows Defender off & just Scarecrow running. You could use the MaleX test kit [1] or a set of malware such as the Zoo collection [2] or something more current. I'd be very interested to see how many malware executables stop half way through their installation after seeing a few bogus registry entries/background programs running. I'm not trying to imply it's worthless, but it needs some actual "real world" test results.
[1] https://github.com/Mayachitra-Inc/MaleX [2] https://github.com/ytisf/theZoo
I suppose it could work like Sysinternals Process Explorer/Autoruns/etc & submit running hashes to Virustotal.com or other databases, but there's always the likelihood of false positives with that.
If you search Github for "malware samples" There are loads of them. Vx Underground also has a large collection [1]. So, I would go through there & look for commonalities to try and find what malware often tries to trigger on startup.
I'll just end with this example of an interesting form of a trip wire I've seen in use on Windows PCs: ZoneAlarm makes an anti-ransomwear tool I can't think of the name of. It placed hidden files & folders in every directory on the hard drive. It would then monitor if anything tried to access it - as ransomwear would attempt to encrypt it - and force kill all running programs in an attempt to shut down the malware before it could encrypt the entire HDD.
[1] https://vx-underground.org/Archive/Collections
It is sad to hear that. In my view DRM = malware.
Game anti-cheat code makes similar checks (arguably it is malware, but that's besides the point). So, running this might put you at risk of getting banned from your favourite game.
Hilarious aside, it would only work if you don't actually use multiple keyboard -- otherwise an additional one would make switching between multiple keyboards very annoying [*].
It also mentions some other changes like adding RU keywords to your registry. Again, these measures would have many side effects since lots of software actually use these registry entries for legit reasons. So I don't know if this Cyber Scarecrow product would have this problem, since it does modify registry, too.
1: https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...
*: A little rant: as someone who use three virtual keyboards (English, Chinese, Japanese), it is already a pain in ass to switch them since MS does not follow "last used" switching order (like alt+tab). Instead, it just switches in one direction.
Actually, I much prefer this order. Depending on what keyboard I currently use, I know exactly how often to switch instead of having to remember what I used previously. In fact, I don't even like this order when Alt+Tab'ing, it makes switching between more than two windows pretty inconsistent (yes, I know Windows+Number works, too).
Having "last used" order makes quickly switch between two windows very easy, which is something I personally use more. It's easier than pressing alt+tab/shift+alt+tab alternately.
To switch to the third window, you can use alt+tab+tab.
Furthermore:
1. The Shift+Alt chord is obnoxiously unreliable, sensitive to which key comes down first, or something.
2. Japanese is always comeing up in A mode even though you last had it in あ mode.
3. Bad performance: sllllow language switching at times: you hit some keyboard sequence for changing languages or modes within a language, and nothing happens. This interacts with (2): did we hit an unreliable chord? Or is it just slow to respond?
Also, in ANY modern Chinese IME (Microsoft or 3rd party), switching between English/中文 mode is simply pressing shift once. You still have to use alt+` for that in JP IME, which I find unbearable.
I have no idea whether it is any better for you, but another way is Ctrl+CapsLock.
Though I often see this implemented by calling GetKeyboardLayout, so this will only work if you actually use the Russian (or neighbourly) layout when malware detonation happens.