Pretending to be a VM to STOP Malware

  • Published: 20 Jun 2024
  • Pretending to be a VM to STOP Malware
    Official Discord Server - / discord
    Follow me on X - / atericparker
    Cyber Scarecrow: www.cyberscarecrow.com/
    Disclaimer: The content in this video is for education and entertainment purposes to showcase the dangers of malware & malicious software. I do not encourage any form of illegal hacking, nor do I encourage the usage of game cheats, cracks or hacks.
    Cracks are sometimes shown to highlight the dangers of software piracy, my content is not intended to teach anybody how to pirate, or maliciously hack.
    More Malware Investigation Videos:
    → The latest "NORD" Malware - Nordsecured: • The latest 'NORD' Malw...
    →🧧VIRUS WARNING🧧 NEW Optifine for Minecraft 1.16 SCAM: • 🧧VIRUS WARNING🧧 NEW Op...
    → The wilkreate RUclips stealer virus that started this whole trend: • Fake sponsor DESTROYS ...
    (C) Eric Parker 2024
  • Science

Comments • 569

  • @truestbluu
    @truestbluu 7 days ago +4165

    it also scares off valorant

    • @ottergauze
      @ottergauze 7 days ago +835

      Ergo it's doing its job.

    • @spring_nottheseason2484
      @spring_nottheseason2484 7 days ago

      anything scares that spyware piece of sh!t

    • @KillianTwew
      @KillianTwew 7 days ago +301

      It's for our own good. 😢

    • @3RR0RNULL
      @3RR0RNULL 7 days ago +580

      @@ottergauze Yep, scaring off malware.

    • @OverRevy
      @OverRevy 7 days ago +141

      "Win Win"

  • @xymaryai8283
    @xymaryai8283 6 days ago +1344

    i love the idea of an anti-malware "spooking" malware away, just like
    "boo, i'm running vbox tools"
    "aaah, goodbye"

    • @localscripted
      @localscripted 6 days ago +56

      aaaaaaaaaaaaaaaaaaaah. scary :(

    • @KamiFrost99
      @KamiFrost99 6 days ago +9

      😂😂

    • @intuition_plays3824
      @intuition_plays3824 2 days ago +6

      I love that it's just crossing its fingers and praying that running stupid processes will stop it from doing anything

  • @TheBoostedDoge
    @TheBoostedDoge 7 days ago +1802

    "we will not share it, or send you spam" tf you want my email and name for then?

    • @kujjii
      @kujjii 7 days ago +226

      From their FAQ: we ask you to share your email address with us so that we can contact you in the future about scarecrow.

    • @muba_7306
      @muba_7306 7 days ago +586

      @@kujjii so send spam :/

    • @TheBoostedDoge
      @TheBoostedDoge 7 days ago +217

      @@kujjii So, spam

    • @kaimuu
      @kaimuu 7 days ago +229

      they don't want to send you spam they just want to send you spam

    • @leventeszilardi9860
      @leventeszilardi9860 7 days ago +112

      @@TheBoostedDoge I am not defending them, just trying to give my opinion. They say that they won't send any spam, but you are still giving out your email address, so it's up to you to decide if you want to give it to them. I personally would not give them my information, but you have to keep in mind that getting an email every few months about updates is not necessarily considered 'spam'. It's still weird and I wouldn't trust them.

  • @hamburger_eatspie
    @hamburger_eatspie 7 days ago +1292

    cyber scarecrow is so scary that Eric put it in a real VM just in case.

    • @KamiFrost99
      @KamiFrost99 6 days ago +119

      Yes. Wasn't because he was actively trying to run other malware with it or anything...

    • @lassebrustad
      @lassebrustad 4 days ago +4

      @@KamiFrost99 he could easily format the system after testing

    • @bogy5259
      @bogy5259 4 days ago

      But he can't test this inside a VM @@KamiFrost99

    • @OzixiThrill
      @OzixiThrill 4 days ago +34

      @@KamiFrost99 See, when you're trying to test if a tool successfully masks some presence as another, it helps when you're not already running the other thing in the first place.

    • @KamiFrost99
      @KamiFrost99 4 days ago +15

      @OzixiThrill Yeah, good point. When you think about it, he kinda executed the whole thing wrong.
      He was testing Scarecrow in a VM (1) and ran malware that also wouldn't care to detect for such things (2).

  • @shep9194
    @shep9194 5 days ago +104

    >PC name is lain
    Oh, this guy's a serious programmer

    • @bambusem
      @bambusem 3 days ago +7

      real

    • @Akab
      @Akab 2 days ago

      I call my thinkpads "mainframe" 🥴

    • @omega3fatass61
      @omega3fatass61 8 hours ago

      I wish a coplandOS distro or desktop environment existed lmao

  • @pezz2345
    @pezz2345 7 days ago +321

    Honestly this is an absolutely brilliantly hilarious idea, I love it! It's almost like dressing up as a robber and grabbing your TV once you hear someone trying to break into your house and being like "Oops, looks like there's two of us here, but I was here first, so yeah" lol 😂

    • @intron9
      @intron9 7 days ago +92

      Hmm, it's more like making the house look like a set-up.

    • @mrpalindrome3067
      @mrpalindrome3067 6 days ago +47

      @@intron9 Like parking an unmarked van with an obvious-looking set of antennas and dishes on the roof, while also paying someone to circle the block with an ice cream truck every 30 minutes.

    • @tacokoneko
      @tacokoneko 5 days ago +15

      this is going to be REALLY fun to get installed on school computers and then people can't take tests on the computers and the techs can't figure out why safe browser won't install

  • @subversiveasset
    @subversiveasset 7 days ago +899

    summary: prevents you from loading legitimate applications that don't like VMs; does nothing against most malware that doesn't like VMs. literally the worst of both worlds lol

    • @JackieJKENVtuber
      @JackieJKENVtuber 7 days ago +206

      If your software doesn't like VMs maybe it wasn't worth having it in the first place

    • @krocord
      @krocord 6 days ago +62

      this is partially false because some malware doesn't run on virtual machines, to prevent it from being analyzed

    • @KamiFrost99
      @KamiFrost99 6 days ago +100

      Wrong. It does something against malware that doesn't like VMs. That malware just wasn't built sophisticatedly enough to care about VMs or AVs.
      Which is why most of them fail just against Windows Defender.
      Scarecrow really seems like a great idea, just not for anyone who isn't targeted by really clever people.

    • @mulct4727
      @mulct4727 6 days ago +61

      @@KamiFrost99 just a touch of wisdom: most modern malware will use hard flags that this program cannot replicate, like checking the CPUID leaf for common hypervisors. If a person who made malware actually cared about being detected on VMs, they wouldn't implement techniques as blind as looking for random processes. A good example of what malware does (although it's very outdated) is a project called pafish; these cannot be replicated by a simple user-mode application and would require a kernel driver that hooks into core parts of the Windows kernel to fake these values.

    • @breadcraft3605
      @breadcraft3605 6 days ago +8

      wrong. If programs that don't like VMs won't start, malware that doesn't like VMs wouldn't run either.

  • @Sparkette
    @Sparkette 6 days ago +291

    That "Safe Exam Browser" thing is a joke anyway. Defeating it is as easy as using a second device.

    • @jankus5133
      @jankus5133 5 days ago +70

      It is intended for kiosks and computer labs. It obviously provides laughable security in the home environment.

    • @tacokoneko
      @tacokoneko 5 days ago

      I don't think a single person has ever actually cheated by tricking Safe Browser; real cheaters likely use a phone, which is 10 times easier to hide, gives more plausible deniability if caught (like trying "my dying aunt is calling me"), and there's a whole list of the usual social engineering things real cheaters do that are way harder to get away with if you open up stuff on the monitored computer

    • @adamgreenhill110
      @adamgreenhill110 5 days ago

      @@jankus5133 It's advertised for home use too... Which is funny

    • @untrust2033
      @untrust2033 4 days ago

      @@jankus5133 This.

    • @LucasWills
      @LucasWills 3 days ago

      @@jankus5133 schools (and even my college professors) are using stuff like that for at-home exams anyway. It gives a false sense of security, but maybe it at least scares some students into not cheating

  • @test-rj2vl
    @test-rj2vl 7 days ago +210

    It would actually be cool if everyone would install it. Then software devs would abandon VM checks if everyone uses it for extra security.

    • @tedbasher3000
      @tedbasher3000 7 days ago +48

      they'd just implement better checks. As another commenter said, you can detect the synchronization of the host cursor to the guest cursor

    • @test-rj2vl
      @test-rj2vl 7 days ago +38

      @@tedbasher3000 Make this scarecrow emulate random host to guest cursor syncs when it detects computer idle. Then they can't rely on that anymore.

    • @bait6571
      @bait6571 6 days ago +3

      I doubt this increases rdtsc timings to spoof vmexit

    • @nothappyz
      @nothappyz 6 days ago +1

      @@bait6571 so what? This is hypothetical

    • @bait6571
      @bait6571 6 days ago +2

      @@nothappyz and following that hypothetical, they'd move onto better detection methods.

  • @mc4ndr3
    @mc4ndr3 3 days ago +21

    Conversely, when malware observes dumb video games, edu proctor software, hypervisors, etc., then it can reasonably assume it is running directly on a host environment.

  • @Ethorbit
    @Ethorbit 7 days ago +205

    it also scares off games
    It is so dumb that anti-cheats think blocking obvious virtual machines does anything to stop cheaters

    • @Garlic_Bread69
      @Garlic_Bread69 7 days ago +24

      honestly I think client security on games heavily hurts server security, which actually matters, because you can bypass server security but you can never really break it like you can with the client

    • @kran27_
      @kran27_ 7 days ago +52

      In my time reverse engineering, I've found that software cares more about stopping incompetent attackers by making things annoying to do, rather than actually making something difficult.

    • @Butterscotch_96
      @Butterscotch_96 7 days ago +14

      It's just malware disguised as a game

    • @DriftHyena
      @DriftHyena 7 days ago +13

      Games with these types of "anti cheats" will never see a dime from my wallet.

    • @1KiloDepartment
      @1KiloDepartment 5 days ago

      @@kran27_ Adding to this: according to Steamworks documentation, Valve's own DRM is easy to defeat for a dedicated attacker!

  • @doorible
    @doorible 5 days ago +19

    they took your advice and actually made a direct download

  • @Renblade
    @Renblade 7 days ago +155

    You know what I like about your videos? You just post desktop and get straight to the point. You also pump out content frequently. Subbing to you today and should have done it sooner - thanks for the fun videos!

    • @shallex5744
      @shallex5744 5 days ago

      don't say pump out content, those are disparaging words

  • @nichohells
    @nichohells 6 days ago +35

    * scares them in linux *

  • @jn567
    @jn567 7 days ago +63

    1:30 what if security people just installed Scarecrow in a VM to trick malware into disabling checks lol?

    • @raymondable
      @raymondable 7 days ago +4

      Scarecrow only spoofs non-VMs into appearing to be VMs. It cannot disable the VM checks as it's only designed to enable them.

    • @jn567
      @jn567 7 days ago +26

      @@raymondable he says "I hope malware people add a check for scarecrow that disables the vm checks"

    • @jn567
      @jn567 7 days ago +1

      I changed the timestamp

    • @drdca8263
      @drdca8263 6 days ago +7

      @@raymondable If malware can distinguish between "normal VM" and "normal", and between "VM" and "non-VM scarecrow", but can't distinguish between "VM scarecrow" and "non-VM scarecrow", then if they suspect that "scarecrow" indicates "non-VM scarecrow", they might continue running in "VM with scarecrow"?

  • @Spiderfffun
    @Spiderfffun 7 days ago +63

    that's actually pretty cool, though the issues you talked about at the start are pretty big.

    • @xinaesthetic
      @xinaesthetic 7 days ago +5

      Yeah something like that not being open source is a big red flag I'd say.

    • @jimmykrochmalska3501
      @jimmykrochmalska3501 4 days ago +2

      @@xinaesthetic I'd say it's a yellow flag; it's very easy to make backdoors and bypasses if evil people can just read the entire source code, while at the same time we don't know what the actual intentions of the program are

  • @miku
    @miku 7 days ago +67

    Windows username lain.
    Well, can't say I'm too surprised. Nice detail.

    • @furkanyldz8460
      @furkanyldz8460 7 days ago

      what does it mean?

    • @downloadableram2666
      @downloadableram2666 7 days ago +20

      @@furkanyldz8460 It's a reference to the very avant-garde anime Serial Experiments Lain.

    • @Andatukasa
      @Andatukasa 7 days ago +1

      Ohhh, nice catch

    • @furkanyldz8460
      @furkanyldz8460 7 days ago

      @@downloadableram2666 thanks for the info - I'm going to check out the anime, it seems very interesting

    • @longdreameclipse
      @longdreameclipse 6 days ago +3

      YouTube veteran detected 😯

  • @mx338
    @mx338 6 days ago +5

    If this also were to become prevalent, what would stop any halfway sophisticated malware developer from just checking if Scarecrow was installed?

  • @KillianTwew
    @KillianTwew 7 days ago +61

    He's a genius. Instant promotion to head of NSA. Congrats

  • @thebombbird3261
    @thebombbird3261 7 days ago +53

    Could you make a video about malware escaping VMs? I heard it was possible but quite extremely rare.

    • @awesomekalin55
      @awesomekalin55 7 days ago +36

      It's only possible if there is a vulnerability in the hypervisor

    • @aevus
      @aevus 7 days ago +10

      I thought it would more often escape using the network

    • @thebombbird3261
      @thebombbird3261 7 days ago +1

      @@awesomekalin55 never thought of that for some reason

    • @internethistoriansociety3679
      @internethistoriansociety3679 7 days ago +22

      Unless you have a billion in bitcoin, are wanted by the NSA or are using a 15-year-old unpatched cracked-license hypervisor, the odds someone would risk an exploit like that (worth hundreds of thousands if not millions) on you are astronomical

    • @soniobolkata6692
      @soniobolkata6692 7 days ago

      Yes, I would also like seeing that kind of video

  • @CheatwareOF
    @CheatwareOF 7 days ago +91

    Could it also not be open source because they do not want malware devs to look at the code and notice it?

    • @EricParker
      @EricParker 7 days ago +112

      The binaries are more useful than the source for that. Assuming I wanted to check whether the fake vmware process matched what scarecrow shipped.

    • @oussama7132
      @oussama7132 7 days ago +33

      they're using a language that can be reversed easily, no obfuscation

    • @hydradragonantivirus
      @hydradragonantivirus 7 days ago +18

      Harmful thinking. That's why open source antiviruses aren't generally supported. Malware devs can see the code, okay, but the open source community can fix this in a short time.

    • @SolidTitanium
      @SolidTitanium 3 days ago +2

      @@hydradragonantivirus agree, if I have a lock on my door I'd rather have every smart guy out there with a copy of it so that they can improve upon it and ship updates, instead of buying a Master Lock and having the company say it's super strong and unbreakable when in reality it's just trash.

  • @malwaredot
    @malwaredot 7 days ago +24

    I couldn't believe that he used a personal email instead of a temp mail xD

    • @heeheheehh
      @heeheheehh 5 days ago +1

      I do it too

    • @Likemea
      @Likemea 4 days ago

      @@heeheheehh Sorry but I can't help you with that. Your profile picture may be inappropriate.

    • @theandroidsdarkside
      @theandroidsdarkside 2 days ago

      He said his info was already publicly online, so it doesn’t matter

  • @brunoabad1027
    @brunoabad1027 3 days ago +5

    "it's not open source", uses windows

    • @howdyfriends7950
      @howdyfriends7950 7 minutes ago

      sorry, but this comment is extremely dumb. Do you expect a security researcher to NOT use Windows for their research on consumer computer malware?
      There's like a 95% adoption rate; of course that's going to be the platform to use when you're doing security research, because that's where the malware is, because that's where everyone is. There's no hypocrisy in using Windows; you need to use Windows, everyone is using Windows, and it's still 100% reasonable to want a security product to be open source so that people know what they're installing on their computer.
      You as a researcher can't change the fact that Microsoft is a billion-dollar company with total market dominance; your job is to study the landscape, and that requires using a computer that is capable of running the programs natively.
      I say this as someone whose primary machine has been running exclusively Linux for the better part of a decade: stop it with the "team politics" thing, it is absolutely insufferable, and it makes Linux users seem like insufferable dickheads.
      He's not a hypocrite for using Windows. This is a video about a Windows product, for Windows users, to improve their Windows experience and stop Windows malware from infecting their Windows computers. It wouldn't be effective research if he ran it in a VM, because the whole point of the software is that it runs on the native hardware environment, not a VM, not through a Wine compatibility layer; it runs on Windows.
      Don't be a dickhead; the video makes a lot more sense when you watch the whole thing and listen to the words he's saying

  • @magicjinn
    @magicjinn 4 days ago +1

    The email address stuff is now optional, there's an "Or skip to direct download here" button.

  • @SperkSan
    @SperkSan 5 days ago +4

    I agree, it is a REALLY cool idea to pose as malware researcher to prevent malware from running on your computer

  • @1p2k-223
    @1p2k-223 6 days ago +2

    A simple VM check is to see if SMART attributes can be read... But for userland software, a file recency check to ensure that there are both new and old files on the system

  • @zrehirs
    @zrehirs 6 days ago +5

    I WAS THINKING OF THIS EXACT SAME THING JUST A WEEK AGO.
    I GOT RECOMMENDED THIS VIDEO TODAY.
    I AM ABSOLUTELY TERRIFIED OF THE UNKNOWN MEANING OF THIS.

  • @distortions
    @distortions 7 days ago +6

    if this becomes popular then it will be straightforward to counter: simply check for Scarecrow, look at the process's directory, analyze the process, etc.

  • @TheActualNoober
    @TheActualNoober 7 days ago +10

    man, I feel like your content is increasing in quality, keep it up!
    also I really love the 30-minute malware videos, they always cheer me up.

  • @dried9321
    @dried9321 7 days ago +4

    I do have a question. Why do the checks for PySilon not include checks for drivers like the VFIO drivers? They are the ones commonly used in QEMU/KVM. My gaming VM has none of the blacklisted processes or files and I am not even hiding the fact that it is a VM.

  • @redditrepo473
    @redditrepo473 1 day ago +1

    Startups like to do this thing where they collect user data to show Venture Capitalist firms/individuals that their service has "X amount of users" or some bs. It does actually translate into higher valuations for startups, so that is why they do it. I recommend using fake info for this type of data phishing.

  • @Daniel_VolumeDown
    @Daniel_VolumeDown 7 days ago +5

    1:30 are you running software that pretends your PC is a VM inside an actual VM? Wouldn't all the software you tested then detect the actual VM?

  • @ttkftykyfts
    @ttkftykyfts 7 days ago +4

    Oh wow! I was thinking of this some moments ago and then I see you posted a video about it. GG 😊

  • @cycilism
    @cycilism 7 days ago +4

    Great video, thoroughly enjoyed this one

  • @checkmate080
    @checkmate080 4 days ago +1

    dude's accent visited every former British colony

  • @proparkour1603
    @proparkour1603 3 days ago

    I recently discovered your channel and I love it. Any video on VM-escaping worms anytime soon?

  • @AliceJoynson-Ellis-hv2vr
    @AliceJoynson-Ellis-hv2vr 4 days ago +2

    Hiya. What's the software that you are using there to track network requests? Is that a system that uses the WireGuard key to tunnel all traffic through that application? If so, it's pretty cool!

  • @Guardie
    @Guardie 2 days ago +1

    Okay but the idea of malware developers changing up their malware to check for scarecrow is kinda funny.
    Because if you then run scarecrow in a virtual machine it would trick the malware into running...
    Which is kind of the literal opposite of what it was intended to do

  • @Astrid--
    @Astrid-- 7 days ago +2

    Woo! Thanks for making this video

  • @justanothercatinside
    @justanothercatinside 6 days ago +10

    This reminds me of some worm virus on XP that, if it detected that you had the .EXE file, wouldn't infect you, so you could just put a fake .txt file and mask it to pretend to be the worm virus, and it wouldn't do anything to you lol

  • @Haayes
    @Haayes 3 days ago

    Dunno if it's new or something, but you can skip the email thing now.
    It's also possible to temporarily stop it in the scarecrow settings if you have a game like valorant.

  • @yt-is-mal
    @yt-is-mal 5 days ago +1

    The idea is really cool, I would like to someday see an open source version and one I could use on Linux.

  • @0xDEADBEEF_
    @0xDEADBEEF_ 7 days ago +7

    Regarding your comment about detecting fake VMs by checking if multiple tools (e.g. VBox Guest Additions and VMware user) are running: a real VM could also use multiple fake tools to trick the malware into thinking it's a fake VM, or is my logic flawed?

    • @rijaja
      @rijaja 5 days ago +1

      That's exactly what I was thinking. If you want to analyze malware that you know checks for scarecrow, you can install scarecrow on the VM

  • @pezz2345
    @pezz2345 7 days ago +3

    I'm curious, do you have any good ways to monitor USB traffic for malicious activity? I have to regularly bring new hardware like keyboards or mice into the enterprise and test and validate them, but I'm struggling to find some straightforward techniques apart from ripping these devices apart to look for unusual USB controllers, or hoping that if there is anything, the AV picks it up within our dev environments when I'm testing lol. I do a basic review with Process Explorer, and also start a ProcMon trace just to see if anything stands out, but I think my trace might be too broad for it. Any advice?

    • @EricParker
      @EricParker 7 days ago +1

      Never thought of it, might be possible (with some sort of specialized software setup) to debug a usb controller. What kind of attacks are you dealing with (hidden keylogger, slipping malware into files?)

    • @coctailrob
      @coctailrob 5 days ago

      If you regularly get the same models of keyboard or mice you could use a USB power meter along with accurate scales. A modified device would draw more power and weigh more than the unmodified version

    • @BeefIngot
      @BeefIngot 4 days ago

      given just about anything has a microcontroller in it, and they can say anything, I feel like the only secure peripherals would be ones you loaded trusted firmware on yourself (as an organization).
      Good reason to get your company to approve custom mech keyboards.

  • @elektro860
    @elektro860 1 day ago +1

    It is definitely a good idea, but not every malware needs to be vm protected, since it usually is the same thing with some extra junk code and a different name

  • @Mirage_Unknown
    @Mirage_Unknown 7 days ago

    does the undetectable VM allow running programs and resources that would run in a native environment, or are there still limitations?

  • @fr34k09
    @fr34k09 7 days ago +7

    I'm already scared by that thing asking for your email address

  • @FirstNameLastName-gh9iw
    @FirstNameLastName-gh9iw 1 day ago

    I've really discovered that Windows Defender is the only thing you really need. If it's getting around Windows Defender, it's getting around basically whatever you've got

  • @TGFEVR
    @TGFEVR 6 days ago +1

    Why the heck is this RUclips channel so good

  • @The_Hydration_Police
    @The_Hydration_Police 2 days ago +1

    This video is so scary it scared away all YouTube ads in my language

  • @maxmyzer9172
    @maxmyzer9172 4 days ago

    I like the idea - maybe if they had some kind of way of having this built into windows for unknown apps...

  • @Eldritch_
    @Eldritch_ 3 days ago +1

    me when viruses give you a BSOD when you're running them on a VM:

  • @yellowcrescent
    @yellowcrescent 1 day ago

    Not super familiar with anti-VM actions by software, but there are a ton of ways to detect whether you're in a VM. My guess is that most software just uses #1 and #4 below because they can be easily implemented.
    1. Check the CPU, CPU flags, and core configuration -- the CPU model string and CPU flags, such as the 'hypervisor' flag, as well as the processor core configuration
    2. Check the DMI, SMBIOS, and ACPI information -- BIOS vendor: SeaBIOS, VMware, OVMF; mainboard vendor, memory vendor and model, etc.
    3. Check the PCI and USB devices -- this is probably the most difficult part to spoof when attempting to masquerade a VM as a real machine -- even if you use full host passthrough mode and use fully emulated devices for ethernet, disk, and sound, there will likely be an emulated VGA device and emulated keyboard/pointer devices, which would be easy to check for
    4. Check for guest agents (VBox tools, VMware Tools, QEMU guest agent, etc.) -- which to me is probably the laziest way and the easiest to defeat. If that is the only thing that Cyber Scarecrow is doing, it's basically useless, as mentioned.

  • @seansingh4421
    @seansingh4421 5 days ago

    The best cyber scarecrow is just WinDbg. Every malware fears a debugger

  • @alejandroalzatesanchez
    @alejandroalzatesanchez 5 days ago +1

    Malware (Waluigi voice): Wahh! I will steal all your info
    **Thinks it is in a VM**
    Malware: Bye have a great time...
    **PS2 Boot up sound**

  • @dragonhunter2475
    @dragonhunter2475 5 days ago

    They seem to have removed the email requirement, there is a "Or skip to direct download here" link now

  • @ph7947
    @ph7947 7 days ago

    Eric is blowing up on YouTube lately :)

  • @zawadlttv
    @zawadlttv 6 days ago +1

    if the source code isn't available, it's harder for the malware to find out that the VM cues are just flukes

  • @rodok3836
    @rodok3836 4 days ago +1

    Great vid, let’s all love Lain

  • @jonctr
    @jonctr 5 days ago

    Thanks - HitmanPro Alert does something similar to this as well (not sure what method it uses)

  • @Moner-nt5td
    @Moner-nt5td 3 days ago

    Copy your user folder on a fileshare and set a GPO that programs executed on a file share can't access the internet.

  • @MechMK1
    @MechMK1 3 days ago

    The fact that it's not open source sets off some red flags for me. Absolutely nope-ing out right here.

  • @dermuschelschluerfer
    @dermuschelschluerfer 4 days ago

    there is a patch for Safe Exam Browser to make it work with VMware. Using Linux or macOS you need VMs for a lot of software in school

  • @tamius-han
    @tamius-han 4 days ago +1

    "I couldn't run Valorant"
    Well that suggests that Scarecrow does prevent malware from running?

  • @jp46614
    @jp46614 5 days ago +1

    This is so stupid but actually so smart at the same time

  • @korigamik
    @korigamik 4 days ago

    What are you using for capturing network requests?

  • @NotIlham
    @NotIlham 4 days ago

    This thing might be perfect if we modified the core count, disk name, GPU driver name, motherboard name and other hardware identifiers to be replaced with VMware or VBox stuff

  • @kolkoki
    @kolkoki 6 days ago

    How hard would it be to recreate something similar but open source?

  • @Randi_MyMan
    @Randi_MyMan 6 days ago

    you need to update the videos in the "More Malware Investigation Videos" section to be more recent malware themed ones

  • @ToEFirefox
    @ToEFirefox 3 days ago

    You can run the games in a VM tweaked to look like it is not a VM.

  • @Norieu
    @Norieu 7 days ago +1

    1:50 I'm hearing duvet in my head

  • @AmaroqStarwind
    @AmaroqStarwind 4 days ago

    I've had this same idea for ages!

  • @yasumichi9590
    @yasumichi9590 1 day ago

    0:33 well well well, that's a very deep well

  • @KaidenAC
    @KaidenAC 7 days ago

    Do you know if it's fine to make a Windows VM for malware testing on Windows? Or is there a possibility it could make its way out of the VM onto my main system, and would it be better to use Linux?

    • @EricParker
      @EricParker 7 days ago

      It's hard to get decent vm performance on windows these days + it's annoying to manage samples on a windows system (because of AV). Escape is incredibly unlikely unless something goes very wrong either with the hypervisor or configuration.
      One way out could be exposed SMB

    • @KaidenAC
      @KaidenAC 7 days ago

      @@EricParker Ah OK, yeah I do have a folder that I share to my Mac through SMB, I think I'll just dualboot Linux and do it there, thanks!

  • @kira.herself
    @kira.herself 3 days ago

    this is such an incredible niche edge case way of dealing with malicious software lmao why

  • @lpoki8897
    @lpoki8897 2 days ago

    Cool in concept but I have my doubts that it'll ever be useful.
    As you said it will most likely stop you from using something you want to.
    And they are banking on malware to please only do VM detection and not start detecting Scarecrow.

  • @matyasnovak4649
    @matyasnovak4649 4 days ago

    Hi. What are you using as the wg traffic logger?

  • @kovanova9409
    @kovanova9409 2 days ago +1

    The user is Lain? Seems fitting.

  • @_____666______
    @_____666______ 7 days ago

    what is the best way to hide a debugger check for the latest VMProtect (3.8.8) or Themida, not ScyllaHide or TitanHide or kernel mode, only for user mode

    • @EricParker
      @EricParker 7 days ago

      Depends hugely on how you want to debug it. It is possible to do DMA through QEMU / KVM if you are able to get it to run in a VM.

    • @_____666______
      @_____666______ 7 days ago

      usually I use MinHook to hook functions & patch memory, but the problem is ScyllaHide doesn't hide from the latest version of VMProtect
      PS: I use x64dbg

  • @Hun7er999
    @Hun7er999 7 days ago

    there's more to virtualization detection than registry keys and processes from VM vendors...

    • @jjaurrgui
      @jjaurrgui 7 days ago +1

      Software is in alpha bro

  • @AllExistence
    @AllExistence 3 days ago

    If "legitimate" software doesn't like being tracked what it's doing, likely it's doing something you don't want to see.

  • @ConstantlyDamaged
    @ConstantlyDamaged 2 days ago

    Would it be all that hard to make this yourself? The dummy processes would be simple to make and add, plus the registry keys aren't exactly rocket surgery either.
    Ultimately, having an "install these things and not be resident" method would be best.

  • @malmock
    @malmock 7 days ago

    the first thing you said is literally what I was thinking

  • @Creative2233
    @Creative2233 7 days ago +5

    Good video!

  • @Jdbye
    @Jdbye 6 days ago

    Pro: It stops anti-cheat from running.

  • @falox5136
    @falox5136 7 days ago

    I should have thought about this sooner

  • @Jacob-ABCXYZ
    @Jacob-ABCXYZ 5 days ago

    Wouldn't you want to verify the malware you're using to check if scarecrow works actually checks for it being in a vm?

  • @jacobp.2024
    @jacobp.2024 6 days ago

    I CAN'T GET OVER THIS. IT'S LIKE A DIGITAL SCARECROW. AND IT WORKS.

  • @marcusaurelius3487
    @marcusaurelius3487 2 days ago

    what's the software you're using for intercepting traffic

  • @x-ij9uj
    @x-ij9uj 5 days ago

    Hi Eric, I have a couple of questions for you:
    Is Genp safe?
    Is the 2023 version of Lightroom by thumper TM on tpb safe?
    I need Lightroom and I trust your opinion.

  • @Mestalic
    @Mestalic 6 days ago +1

    This seems quite easy to make yourself? If it just spawns some processes called something that does nothing and then creates a few reg keys.

    • @AAlgeria
      @AAlgeria 6 days ago

      I'm gonna make one that completely stops PySilon because it's open source

  • @eradication.
    @eradication. 7 days ago +4

    I would think something like this would be a "run once and delete after" type thing so any future malware can't detect it was used

    • @EricParker
      @EricParker 7 days ago +7

      But then it couldn't spin up processes

    • @eradication.
      @eradication. 7 days ago

      right... oof

  • @ctbdjc
    @ctbdjc 2 hours ago

    8:48 sea of thieves, we're sailing with the team. we're headed up north as far as the eye can see. we're care-free, we have no need to flee. i hit a skeleton with my (slice) banshee!

  • @novianindy887
    @novianindy887 6 days ago +1

    what tool do you use to see the traffic?

    • @Proferk
      @Proferk 6 days ago

      mitmproxy

  • @CertifiedNEETClassic
    @CertifiedNEETClassic 4 days ago

    "Scary processes"
    [Discord pops up]
    😆

  • @ErroredPerson
    @ErroredPerson 6 days ago

    Plot twist: The malware tricked you after opening it.

  • @qoombert
    @qoombert 7 days ago

    what is that port viewer thing?

  • @ejonesss
    @ejonesss 1 day ago

    some sites don't even care about your email address, so you can put in something like 1@3.4
    if that does not work, because the site sends a link to the email, then try getting a throwaway email like 10 Minute Mail.

  • @James2210
    @James2210 3 days ago

    I was just thinking of this after your last one

  • @mu11668B
    @mu11668B 6 days ago +1

    Such things existed years ago when I just stepped into this field. The reason why they didn't become popular is that they don't work. VMs are so common nowadays that I rarely run into samples allergic to VMs anymore.
    In simple words, do not use this. Even worse, it's closed source. It's not trustworthy AND not useful.