Turns out this is why certain religious symbols used to work on demons, they were just the physical spoofs of vbox tools in reality, convincing them that the developers were online and checking for bugs...
@@TheBoostedDoge I am not defending them, just trying to give my opinion. They say that they wont send any spam, but you are still giving out your email address so its up to you to decide if you want to give it to them. I personally would not give them my information but you have to keep in mind, getting an email every few months about updates is not necessarily considered 'spam'. Its still weird and i wouldnt trust them.
@@KamiFrost99 See, when you're trying to test if a tool successfully masks some presence as another, it helps when you're not already running the other thing in the first place.
@OzixiThrill Yeah, good point. When you think about it, he kinda executed the whole thing wrong. He was testing Scarecrow in a VM (1) and ran malware that also wouldn't care to detect for such things (2).
summary: prevents you from loading legitimate applications that don't like VMs; does nothing against most malware that don't like VMs. literally the worst of both worlds lol
Wrong. It does something against malware that doesn't like VMs. Those malware just weren't built sophisticatedly enough to care about VMs or AVs. Which is why most of them fail just against Windows Defender. Scarecrow really seems like a great idea, just not for anyone who isn't targeted by really clever people.
@@KamiFrost99 just a touch of wisdom: most modern malware will use hard flags that this program cannot replicate, like checking cpuid leaf for common hypervisors. if a person who made a malware actually cared about being detected on vms, they wouldn't implement techniques that aren't as blind as looking for random processes. a good example of what malwares do (although it's very outdated) is a project called pafish, these cannot be replicated by a simple user-mode application and would require a kernel driver that hooks into core parts of the windows kernel to fake these values.
Startups like to do this thing where they collect user data to show Venture Capitalist firms/individuals that their service has "X amount of users" or some bs. It does actually translate into higher valuations for startups, so that is why they do it. I recommend using fake info for this type of data phishing.
You know what I like about your videos? You just post desktop and get straight to the point. You also pump out content frequently. Subbing to you today and should have done it sooner - thanks for the fun videos!
honestly i think client security on games heavily hurts server security which actually matters because you can bypass server security but you can never really break it like you can with client
in my time reverse engineering, i've found that software cares more about stopping incompetent attackers by making things annoying to do, rather than actually making something difficult.
Honestly this is an absolutely brilliantly hilarious idea, I love it! It's almost like dressing up as a robber and grabbing your TV once you hear someone trying to break into your house and being like "Ooops looks like there's two of us here, while I was here first so yeah" lol 😂
@@intron9 Like parking an unmarked van with obvious looking set of antennas and dishes in the roof. While also paying someone to circle the block with an icecream truck every 30 minutes.
this is going to be REALLY fun to get installed on school computers and then people can't take tests on the computers and the techs can't figure out why safe browser won't install
i dont think a single person has ever actually cheated by tricking safe browser, real cheaters likely use a phone thats 10 times easier to hide, more plausible deniability if caught like trying "my dying aunt is calling me" and a whole list of usual social engineering things real cheaters do that are way harder to get away with if you open up stuff on the monitored computer
@@jankus5133schools (and even my college professors) are using stuff like that for at-home exams anyway. It gives a false sense of security, but maybe it at least scares some students into not cheating
@@xinaesthetic i'd say its a yellow flag, its very easy to make backdoors and bypasses if evil people can just read the entire source code, while at the same time we dont know what the actual intentions are of the program
Okay but the idea of malware developers changing up their malware to check for scarecrow is kinda funny. Because if you then run scarecrow in a virtual machine it would trick the malware into running... Which is kind of the literal opposite of what it was intended to do
CATCH TWENTY TWO malware in vm -> doesnt attack since it thinks its in a vm malware in scarecrow -> doesnt attack since it thinks its in a vm malware-ignoring-scarecrow in scarecrow vm -> doesnt recognize it being a vm
@@Conventil Not a catch 22. Needing working experience to be able to apply for a job, While not being able to get said experience because you'd need the job first, Is a model example of a catch 22. For something to be a catch 22, you need multiple paths. What you described collapses into one. (you can see that by observing that you only used "malware-ignoring-scarecrow" once) (scarecrow ends up nullifying the "vm" variable, etc.)
@@raymondableIf malware can distinguish between “normal VM” and “normal”, and between “VM” and “non-VM scarecrow”, but can’t distinguish between “VM scarecrow” and “non-VM scarecrow”, then if they suspect that “scarecrow” indicates “non-VM scarecrow”, they might continue running if “VM with scarecrow” ?
I’ve really discovered that windows defender is the only thing you really need. If it’s getting around windows defender, it’s getting around basically whatever you’ve got
Harmful thinking. That's why open source antiviruses not supported generally. Malware devs okay can see the code but open source community can fix this in short time.
@@hydradragonantivirus agree, if I have a lock on my door I rather have every smart guy out there with a copy of it so that they can improve upon it and ship updates instead of buying a master lock and having the company said it's super strong and unbreakable when in reality it's just trash.
Unless you have a billion in bitcoin, are wanted by nsa or are using a 15 year old unpatched cracked license hyper visor, the odds someone would risk an exploit like that (worth hundreds of thousands if not millions ) on you is astronomical
a non-open source, "anti malware" program seems like exactly the way to get malware onto someone who's a little tech savvy but not really tech savvy's computer.
if this becomes popular then it will be straightforward to counter, Simply check for scarecrow, look at the processes directory, analyze the process, etc
but then you could use it as bait for a honeypot, to get advanced malware to run in a VM when it was designed not to. if that developer checks for scarecrow, you could install it in a VM on your honeypot server to trick the malware into thinking it's running on bare metal.
@@tissuepaper9962 It's unlikely to be the only factor considered by malware. Other system attributes, such as the presence of a GPU, would also be evaluated. Scarecrow serves as a preliminary checkpoint, triggering a deeper scan if necessary. In other words, malware may use Scarecrow as a initial indicator that the system is potentially a virtual machine or a sandbox environment, and if so, it will likely proceed to scan for other signs or attributes that would confirm its suspicions. For example, the malware may then check for the presence of specific files or directories associated with virtualization software, or inspect the system's memory usage patterns to determine if they are consistent with a virtualized environment. If these additional checks reveal evidence that suggests the system is indeed a virtual machine or sandbox
but you can then install scarecrow as bait inside a VM, which tricks advanced malware into running when it's not supposed to, which can boost reverse-engineering and cracking of the virus if a malware researcher is doing this.
A simple VM check is to see if SMART attributes can be read... But for userland software, a file recency check to ensure that there are both new and old files on the system
Probably has no use in this case, but i like how were able to see his license key, which usually a attacker would be looking for to steal things haha, like passwords, emails, tokens and whatever else you may have on your computer
This reminds me of some Worm virus on XP that if it detected that you have the .EXE file, it won't infest you, so you could just put a fake .txt file and mask it to pretend it to be the worm virus, and it won't do anything to you lol
I do have a question. Why does the checks for the PySilon not include checks for drivers like the VFIO drivers? They are the ones commonly used in QEMU/KVM. My gaming VM has none of the blacklisted processes or files and I am not even hiding the fact that it is a VM.
Regarding your comment of detecting fake vms by checking if multiple tools (ex. vbox guest additions and vmware user) are running, a real vm could also use multiple fake tools to trick the malware into thinking its an fake vm, or is my logic flawed?
Not super familiar with anti-VM actions by software, but there are a ton of ways to detect whether you're in a VM. My guess is that most software just uses #1 and #4 below because they can be easily implemented. 1. Check the CPU, CPU flags, and core configuration -- the CPU model string and CPU flags, such as the 'hypervisor' flag; as well as the processor core configuration 2. Check the DMI, SMBIOS, and ACPI information -- BIOS vendor: SeaBIOS, VMware, OVMF; mainboard vendor, memory vendor and model, etc. 3. Check the PCI and USB devices -- this is probably the most difficult part to spoof when attempting to masquerade a VM as a real machine-- even if you use full host passthrough mode and use fully emulated devices for ethernet, disk, and sound, there will likely be an emulated VGA device and emulated keyboard/pointer devices, which would be easy to check for 4. Checking for guest agents (vbox tools, vmware tools, QEMU guest agent, etc.) -- which to me is probably the laziest way and the easiest to defeat. If that is the only thing that Cyber Scarecrow is doing, it's basically useless as mentioned.
Such things existed years ago when I just stepped into this field. The reason why they didn't become popular is that they don't work. VMs are so common nowadays that I rarely run into samples allergic to VMs anymore. In simple words, do not use this. Even worse, it's closed source. It's not trustworthy AND not useful.
Hotmud as jnawk said not being open source only delays the reverse engineering process it doesn’t make it impossible any program you can download can be torn apart and reverse engineered your statement breeds a lot of misinformation and can be indirectly harmful
It is definitely a good idea, but not every malware needs to be vm protected, since it usually is the same thing with some extra junk code and a different name
I'm curious, do you have any good ways to monitor USB traffic for malicious activity? I have to regularly bring in new hardware like keyboards or mice into the enterprise and test and validate them, but I'm struggling to find some straight forward techniques apart from ripping these devices apart to look for unusual usb controllers or hoping if there is anything that the AV picks it up within our dev environments when I'm testing lol - - I do a basic review with process Explorer, and also start a ProcMon trace just to see if anything stands out but I think my trace might be too broad for it. Any advice?
Never thought of it, might be possible (with some sort of specialized software setup) to debug a usb controller. What kind of attacks are you dealing with (hidden keylogger, slipping malware into files?)
If you regularly get the same models of keyboard or mice you could use a USB power meter along with accuate scales. A modified device would draw more power and weigh more than the unmodified version
given just about anything has a microcontroller in it, and they can say anything, I feel like the only secure peripherals would be ones you loaded trusted firmware on yourself (as an organization). Good reason to get your company to approve custom mech keyboards.
3:05 Ah... interesting. Good that I uh... haven't done that yet... ever. Imagine if I looked at their open source repo, found the specific file that detects VMs, removed an if statement, and then took an entrance exam on it just because I could. That'd be wacky.
Question for Mr Parker. What microphone do you use? I just noticed that your microphone or audio settings or a mix of both are very nice. I was listening to music prior to viewing your video and even at a high volume, it didnt hurt my ear.
8:48 sea of thieves, we're sailing with the team. we're headed up north as far as the eye can see. we're care-free, we have no need to flee. i hit a skeleton with my (slice) banshee!
I think his choice of malware sources really has a lot of selection bias here - It's junk targeted at people who will disable defender, it's already detected and well known how it works...
I just opened Safe Exam Browser in dnSpy and just removed all of the anti-tab and all of the other features so that’s one way for those who are still in school.
This thing might be perfect when we modified the core count, disk name, gpu driver name, motherboard name and other hardware replaced into vmware or vbox stuff
Hiya. Whats the software that you are using there to track network requests? Is that a system that is using the wireguard key to tunnel all traffic through that application? If so its pretty cool!
If this takes off enough (or the technique does) then it might get used by regular people to scare off malware and it might get used by security analysts to re-enable malware that they are trying to analyze that has been updated to detect it and think the VM flags are fake.
I mean, I cheated my way through exam software pretty easily. It was there to stop me cheating on tests in an online class...and since I was at home I just pulled out my phone and googled the answers. I had more trouble because it was difficult to google the answers to obscure astrophysics questions than because some software thought it could "control my machine."
Cool in concept but I have my doubts that it'll ever be useful. As you said it will most likely stop you from using something you want to. And they are banking on malware to please only do VM detection and not start detecting Scarecrow.
it may work against good malware, not the malware found on youtube aimed at kids. They dont care if you detect it or anything, they just wanna collect info
"We wont share it or send you spam" is *supposed to* mean "we'll send rare emails, but not often enough to be annoying." If they stick to it and send like, an email per year, or for every major update etc that's not spam. That's like, what mailing lists are for. Spam is when you're on hundreds of mailing lists, and don't care about any of it, or a few of the lists break bad and just fill your inbox.
Great idea until the malware writer checks to see if this is installed. I'm guessing checking digital signatures of VM guest exes/libraries would be one way to circumvent this.
i love the idea of an anti-malware "spooking" malware away, just like
"boo, i'm running vbox tools"
"aaah, goodbye"
aaaaaaaaaaaaaaaaaaaah. scary :(
😂😂
I love its just crossing its fingers and praying that running stupid processes will stop it from doing anything
Turns out this is why certain religious symbols used to work on demons, they were just the physical spoofs of vbox tools in reality, convincing them that the developers were online and checking for bugs...
malware that does not care if its in a vm :🤣🤣🤣🤣🤣
it also scares off valorant
Ergo it's doing its job.
anything scares that spyware piece of sh!t
It's for our own good. 😢
@@ottergauzeYep, scaring off malware.
"Win Win"
"we will not share it, or send you spam" tf you want my email and name for then?
From their FAQ: we ask you to share your email address with us so that we can contact you in the future about scarecrow.
@@kujjiiso send spam :/
@@kujjii So, spam
they don't want to send you spam they just want to send you spam
@@TheBoostedDoge I am not defending them, just trying to give my opinion. They say that they wont send any spam, but you are still giving out your email address so its up to you to decide if you want to give it to them. I personally would not give them my information but you have to keep in mind, getting an email every few months about updates is not necessarily considered 'spam'. Its still weird and i wouldnt trust them.
cyber scarecrow is so scary that Eric put it in a real VM just in case.
Yes. Wasn't because he was actively trying to run other malware with it or anything...
@@KamiFrost99 he could easily format the system after testing
But he cant Test this inside a VM @@KamiFrost99
@@KamiFrost99 See, when you're trying to test if a tool successfully masks some presence as another, it helps when you're not already running the other thing in the first place.
@OzixiThrill Yeah, good point. When you think about it, he kinda executed the whole thing wrong.
He was testing Scarecrow in a VM (1) and ran malware that also wouldn't care to detect for such things (2).
summary: prevents you from loading legitimate applications that don't like VMs; does nothing against most malware that don't like VMs. literally the worst of both worlds lol
If your software doesn't like VMs maybe it wasn't worth having it in the first place
Wrong. It does something against malware that doesn't like VMs. Those malware just weren't built sophisticatedly enough to care about VMs or AVs.
Which is why most of them fail just against Windows Defender.
Scarecrow really seems like a great idea, just not for anyone who isn't targeted by really clever people.
@@KamiFrost99 just a touch of wisdom: most modern malware will use hard flags that this program cannot replicate, like checking cpuid leaf for common hypervisors. if a person who made a malware actually cared about being detected on vms, they wouldn't implement techniques that aren't as blind as looking for random processes. a good example of what malwares do (although it's very outdated) is a project called pafish, these cannot be replicated by a simple user-mode application and would require a kernel driver that hooks into core parts of the windows kernel to fake these values.
wrong. if programs that don't like vms won't start, malware that doesn't like vms wouldn't run either.
@@JackieJKENVtuber maybe, but I still wanna play Diablo 2 without getting banned
Startups like to do this thing where they collect user data to show Venture Capitalist firms/individuals that their service has "X amount of users" or some bs. It does actually translate into higher valuations for startups, so that is why they do it. I recommend using fake info for this type of data phishing.
You know what I like about your videos? You just post desktop and get straight to the point. You also pump out content frequently. Subbing to you today and should have done it sooner - thanks for the fun videos!
don't say pump out content, those are disparaging words
it also scares off games
It is so dumb that anti-cheats think blocking obvious virtual machines does anything to stop cheaters
honestly i think client security on games heavily hurts server security which actually matters because you can bypass server security but you can never really break it like you can with client
in my time reverse engineering, i've found that software cares more about stopping incompetent attackers by making things annoying to do, rather than actually making something difficult.
It's just malware disguised as a game
Games with these types of "anti cheats" will never see a dime from my wallet.
@@kran27_ Adding to this: according to Steamworks documentation, Valve's own DRM is easy to defeat for a dedicated attacker!
Honestly this is an absolutely brilliantly hilarious idea, I love it! It's almost like dressing up as a robber and grabbing your TV once you hear someone trying to break into your house and being like "Ooops looks like there's two of us here, while I was here first so yeah" lol 😂
Hmm , it's more like making the house look like a set-up.
@@intron9 Like parking an unmarked van with obvious looking set of antennas and dishes in the roof. While also paying someone to circle the block with an icecream truck every 30 minutes.
this is going to be REALLY fun to get installed on school computers and then people can't take tests on the computers and the techs can't figure out why safe browser won't install
I like to think of it as installing security cameras at a store that aren't plugged in to anything (which companies actually do)
Funnily enough, a lot of advance malware does check for existing malware! However, they usually attempt to kill it to have the machine for themselves.
It would actually be cool if everyone would install it. Then software devs would abandon VM checks if everyone use it for extra security.
they'd just implement better checks, as another commenter said, you can detect the synchronization of the host cursor to the guest cursor
@@tedbasher3000 Make this scarecrow emulate random host to guest cursor syncs when it detects computer idle. Then they can't rely on that anymore.
I doubt this increases rdtsc timings to spoof vmexit
@@bait6571 so what? This is hypothetical
@@nothappyz and following that hypothetical, they'd move onto better detection methods.
>PC name is lain
Oh this guy a serious programmer
real
I call my thinkpads "mainframe" 🥴
I wish a coplandOS distro or desktop environment existed lmao
lain is the name of the user account
we should all love lain
they took your advice and actually made a direct download
nice meru the succubus pfp
@@Daniel-fn7ky thanks, i take pride in it
At least you get praised,@@doorible.
I get questioned lol.
Based Meru pfp
gooner pfp 👅
That "Safe Exam Browser" thing is a joke anyway. Defeating it is as easy as using a second device.
It is intended for kiosks and computer labs. It obviously provides laughable security in the home environment.
i dont think a single person has ever actually cheated by tricking safe browser, real cheaters likely use a phone thats 10 times easier to hide, more plausible deniability if caught like trying "my dying aunt is calling me" and a whole list of usual social engineering things real cheaters do that are way harder to get away with if you open up stuff on the monitored computer
@@jankus5133It's advertised for home use too... Which is funny
@@jankus5133 This.
@@jankus5133schools (and even my college professors) are using stuff like that for at-home exams anyway. It gives a false sense of security, but maybe it at least scares some students into not cheating
* scares them in linux *
that's actually pretty cool, the issues you talked about in the start are pretty big tho.
Yeah something like that not being open source is a big red flag I'd say.
@@xinaesthetic i'd say its a yellow flag, its very easy to make backdoors and bypasses if evil people can just read the entire source code, while at the same time we dont know what the actual intentions are of the program
Okay but the idea of malware developers changing up their malware to check for scarecrow is kinda funny.
Because if you then run scarecrow in a virtual machine it would trick the malware into running...
Which is kind of the literal opposite of what it was intended to do
but it would be really useful for honeypots.
CATCH TWENTY TWO
malware in vm -> doesnt attack since it thinks its in a vm
malware in scarecrow -> doesnt attack since it thinks its in a vm
malware-ignoring-scarecrow in scarecrow vm -> doesnt recognize it being a vm
@@Conventil Not a catch 22.
Needing working experience to be able to apply for a job,
While not being able to get said experience because you'd need the job first,
Is a model example of a catch 22.
For something to be a catch 22, you need multiple paths. What you described collapses into one.
(you can see that by observing that you only used "malware-ignoring-scarecrow" once)
(scarecrow ends up nullifying the "vm" variable, etc.)
As shown in the video, some malwares don't run if it detects a VM, if Scarecrow bypasses that, wouldn't it be quite useful for some people?
I agree, it is a REALLY cool idea to pose as malware researcher to prevent malware from running on your computer
windows username lain.
well. can't say I'm too surprised. nice detail.
what it means?
@@furkanyldz8460 It's a reference to the very avant-garde anime Serial Experiments Lain.
Ohhh, nice catch
@@downloadableram2666 thanks for info - i'm going to check anime , its seems very interesting
youtube veteran detected 😯
1:30 what if securety people just installed scarecrow in a VM to trick malware into disabling checks lol?
Scarecrow only spoofs non-VMs into appearing to be VMs. It cannot disable the VM checks as it's only designed to enable them.
@@raymondable he says "I hope malware people add a check for scarecrow that disables the vm checks"
I changed timestamp
@@raymondableIf malware can distinguish between “normal VM” and “normal”, and between “VM” and “non-VM scarecrow”, but can’t distinguish between “VM scarecrow” and “non-VM scarecrow”, then if they suspect that “scarecrow” indicates “non-VM scarecrow”, they might continue running if “VM with scarecrow” ?
What is a VM
He's a genius. Instant promotion to head of NSA. Congrats
0:46 "i don't like installing something this deep that isn't open source" *uses windows*
I’ve really discovered that windows defender is the only thing you really need. If it’s getting around windows defender, it’s getting around basically whatever you’ve got
Eric: *wants to show a technology that may or may not make viruses shot down on their own.*
Windows defender: "Let me handle this for you"
The fact that it's not open source sets off some red flags for me. Absolutely nope-ing out right here.
"I couldn't run Valorant"
Well that suggests that Scarecrow does prevent malware from running?
i couldn't believe that he used personal email instead of a temp mail xD
I do it too
@@Asik_jasterek Sorry but I can't help you with that. Your profile picture may be inappropiate.
He said his info was already publicly online, so it doesn’t matter
@@theandroidsdarkside even then you're better off minimizing your presence
Could it also not be Open source because they do not want Malware devs to look at the code and Notice it?
The binaries are more useful than the source for that. Assuming I wanted to check whether the fake vmware process matched what scarecrow shipped.
they're using a language that can be reversed easily, no obfuscation
Harmful thinking. That's why open source antiviruses not supported generally. Malware devs okay can see the code but open source community can fix this in short time.
@@hydradragonantivirus agree, if I have a lock on my door I rather have every smart guy out there with a copy of it so that they can improve upon it and ship updates instead of buying a master lock and having the company said it's super strong and unbreakable when in reality it's just trash.
Could you make a video about malware escaping VMs? I heard it was possible but quite extremely rare.
It's only possible if there is a vulnerability in the hypervisor
I thought it would more often escape using the network
@@awesomekalin55 never thought of that for some reason
Unless you have a billion in bitcoin, are wanted by nsa or are using a 15 year old unpatched cracked license hyper visor, the odds someone would risk an exploit like that (worth hundreds of thousands if not millions ) on you is astronomical
Yes, I would also like seeing that kind of video
The email adress stuff is now optional, there's a "Or skip to direct download here" button.
dudes accent visited every former british colony
I thought i was going crazy
a non-open source, "anti malware" program seems like exactly the way to get malware onto someone who's a little tech savvy but not really tech savvy's computer.
if this becomes popular then it will be straightforward to counter, Simply check for scarecrow, look at the processes directory, analyze the process, etc
but then you could use it as bait for a honeypot, to get advanced malware to run in a VM when it was designed not to. if that developer checks for scarecrow, you could install it in a VM on your honeypot server to trick the malware into thinking it's running on bare metal.
@@tissuepaper9962 It's unlikely to be the only factor considered by malware. Other system attributes, such as the presence of a GPU, would also be evaluated. Scarecrow serves as a preliminary checkpoint, triggering a deeper scan if necessary. In other words, malware may use Scarecrow as a initial indicator that the system is potentially a virtual machine or a sandbox environment, and if so, it will likely proceed to scan for other signs or attributes that would confirm its suspicions.
For example, the malware may then check for the presence of specific files or directories associated with virtualization software, or inspect the system's memory usage patterns to determine if they are consistent with a virtualized environment. If these additional checks reveal evidence that suggests the system is indeed a virtual machine or sandbox
@@tissuepaper9962 So it turns into yet another game of cat and mouse.
@@black_m1n825 always has been
"its not open source" Eric cried while booting up his windows computer.
If this also were to become prevelant, what would stop amy halfway sophisticated malware developer for just checking if Scare Crow was installed.
but you can then install scarecrow as bait inside a VM, which tricks advanced malware into running when it's not supposed to, which can boost reverse-engineering and cracking of the virus if a malware researcher is doing this.
man i feel like your content is increasing in quality, keep it up!
also i really love the 30 minutes malware videos, they always cheer me up.
A simple VM check is to see if SMART attributes can be read... But for userland software, a file recency check to ensure that there are both new and old files on the system
Wouldn't that trigger on any newly installed/ bought system?
Oh wow! I was thinking of this some moments ago and then I see you posted a video about it. GG 😊
The idea is really cool, I would like to someday see an open source version and one I could use on Linux.
Probably has no use in this case, but i like how were able to see his license key, which usually a attacker would be looking for to steal things haha, like passwords, emails, tokens and whatever else you may have on your computer
This video is so scary is scared away all youtube ads in my language
6:05
14.1 MB binaries to do nothing is fucking insane LOL
Great vid, let’s all love Lain
This reminds me of some Worm virus on XP that if it detected that you have the .EXE file, it won't infest you, so you could just put a fake .txt file and mask it to pretend it to be the worm virus, and it won't do anything to you lol
Kind of strange, when youre pretending to be a virtual machine.. while *possibly* being a virtual machine.
1:30 are you running software that pretenda that your pc is vm inside actual vm? Wouldn't then all thw software you tested detect the actual vm?
Why the heck is this RUclips channel so good
I do have a question. Why does the checks for the PySilon not include checks for drivers like the VFIO drivers? They are the ones commonly used in QEMU/KVM. My gaming VM has none of the blacklisted processes or files and I am not even hiding the fact that it is a VM.
That's why competition is healthy, even between anti virus and malware. You always try something new
Regarding your comment of detecting fake vms by checking if multiple tools (ex. vbox guest additions and vmware user) are running, a real vm could also use multiple fake tools to trick the malware into thinking its an fake vm, or is my logic flawed?
That's exactly what I was thinking. If you want to analyze malware that you know checks for scarecrow, you can install scarecrow on the VM
What a pain in the ass malware is, to have to resort to this level. I hate reality.
Not super familiar with anti-VM actions by software, but there are a ton of ways to detect whether you're in a VM. My guess is that most software just uses #1 and #4 below because they can be easily implemented.
1. Check the CPU, CPU flags, and core configuration -- the CPU model string and CPU flags, such as the 'hypervisor' flag; as well as the processor core configuration
2. Check the DMI, SMBIOS, and ACPI information -- BIOS vendor: SeaBIOS, VMware, OVMF; mainboard vendor, memory vendor and model, etc.
3. Check the PCI and USB devices -- this is probably the most difficult part to spoof when attempting to masquerade a VM as a real machine-- even if you use full host passthrough mode and use fully emulated devices for ethernet, disk, and sound, there will likely be an emulated VGA device and emulated keyboard/pointer devices, which would be easy to check for
4. Checking for guest agents (vbox tools, vmware tools, QEMU guest agent, etc.) -- which to me is probably the laziest way and the easiest to defeat. If that is the only thing that Cyber Scarecrow is doing, it's basically useless as mentioned.
Such things existed years ago when I just stepped into this field. The reason why they didn't become popular is that they don't work. VMs are so common nowadays that I rarely run into samples allergic to VMs anymore.
In simple words, do not use this. Even worse, it's closed source. It's not trustworthy AND not useful.
The best cyber scarecrow is just Windbg. Every malware fears a debugger
The fact that it’s not open-source is good, as virus creators won’t be able to reverse engineer it and just make their viruses immune.
What a load of crap. To anyone who understands machine code, all software is open source.
Hotmud as jnawk said not being open source only delays the reverse engineering process it doesn’t make it impossible any program you can download can be torn apart and reverse engineered your statement breeds a lot of misinformation and can be indirectly harmful
Woo! Thanks for making this video
Honestly, running loonix makes more sense at that point. Runs better, less parties to trust, less bloat 👍
It is definitely a good idea, but not every malware needs to be vm protected, since it usually is the same thing with some extra junk code and a different name
I WAS THINKING OF THIS EXACT SAME THING JUST A WEEK AGO.
I GOT RECOMMENDED THIS VIDEO TODAY.
I AM ABSOLUTELY TERRIFIED OF THE UNKNOWN MEANING OF THIS.
This is a cooler version of keeping task manager open in the background to keep btc miners from running
If "legitimate" software doesn't like being tracked what it's doing, likely it's doing something you don't want to see.
I'm curious, do you have any good ways to monitor USB traffic for malicious activity? I have to regularly bring in new hardware like keyboards or mice into the enterprise and test and validate them, but I'm struggling to find some straight forward techniques apart from ripping these devices apart to look for unusual usb controllers or hoping if there is anything that the AV picks it up within our dev environments when I'm testing lol - - I do a basic review with process Explorer, and also start a ProcMon trace just to see if anything stands out but I think my trace might be too broad for it. Any advice?
Never thought of it, might be possible (with some sort of specialized software setup) to debug a usb controller. What kind of attacks are you dealing with (hidden keylogger, slipping malware into files?)
If you regularly get the same models of keyboard or mice you could use a USB power meter along with accuate scales. A modified device would draw more power and weigh more than the unmodified version
given just about anything has a microcontroller in it, and they can say anything, I feel like the only secure peripherals would be ones you loaded trusted firmware on yourself (as an organization).
Good reason to get your company to approve custom mech keyboards.
I had a similar idea many years ago. What I thought of was to look at the Red Pill code... If my memory serves I called it Lyrebird.
3:05 Ah... interesting. Good that I uh... haven't done that yet... ever. Imagine if I looked at their open source repo, found the specific file that detects VMs, removed an if statement, and then took an entrance exam on it just because I could. That'd be wacky.
Great video, throughly enjoyed this one
I like the idea - maybe if they had some kind of way of having this built into windows for unknown apps...
I recently discovered you channel and I love it. Any video on VM escaping worms anytime soon?
The only issue is that some malware will detect 'virtualization' and just nuke the system entirely or bloat itself to fill the drive
Question for Mr Parker. What microphone do you use? I just noticed that your microphone or audio settings or a mix of both are very nice. I was listening to music prior to viewing your video and even at a high volume, it didnt hurt my ear.
8:48 sea of thieves, we're sailing with the team. we're headed up north as far as the eye can see. we're care-free, we have no need to flee. i hit a skeleton with my (slice) banshee!
what we learned today: some malware developers don't care about VMs and windows defender has got hands
I think his choice of malware sources really has a lot of selection bias here - It's junk targeted at people who will disable defender, it's already detected and well known how it works...
The stupidest thing the hacker community has done is sparing VMs. The reason they throw at you for that is absurdly stupid and this is suspicious
They have recently added a "Or skip to direct download here" button. No signup required.
I just opened Safe Exam Browser in dnSpy and just removed all of the anti-tab and all of the other features so that’s one way for those who are still in school.
This thing might be perfect when we modified the core count, disk name, gpu driver name, motherboard name and other hardware replaced into vmware or vbox stuff
I CAN'T GET OVER THIS. IT'S LIKE A DIGITAL SCARECROW. AND IT WORKS.
Best product, prevents you from accidentally contracting Riot anti cheat
This is so stupid but actually so smart at the same time
me when viruses give u a bsod when you're running it on a vm:
Hiya. Whats the software that you are using there to track network requests? Is that a system that is using the wireguard key to tunnel all traffic through that application? If so its pretty cool!
Pro: It stops anti-cheat from running.
If this takes off enough (or the technique does) then it might get used by regular people to scare off malware and it might get used by security analysts to re-enable malware that they are trying to analyze that has been updated to detect it and think the VM flags are fake.
I mean, I cheated my way through exam software pretty easily. It was there to stop me cheating on tests in an online class...and since I was at home I just pulled out my phone and googled the answers. I had more trouble because it was difficult to google the answers to obscure astrophysics questions than because some software thought it could "control my machine."
Cool in concept but I have my doubts that it'll ever be useful.
As you said it will most likely stop you from using something you want to.
And they are banking on malware to please only do VM detection and not start detecting Scarecrow.
Plot twist: The malware tricked you after opening it.
To defeat: Check to see if both vbox and vmware is installed. Assume scarecrow is running if both are.
The idea is pretty interesting but the execution by this 'scarecrow' thing looks pretty shoddy
I really hate that everything nowadays wants my email for no good reason
this is such an incredible niche edge case way of dealing with malicious software lmao why
0:33 well well well, that's a very deep well
Its like keeping your task manager open to stop crypto miners
i thought about adding a Russian keyboard to my computer as a "scarecrow".
Malware (Waluigi voice): Wahh! I will steal all your info
**Thinks is in a vm**
Malware: Bye have a great time...
**PS2 Boot up sound**
uh ohh stinkyy
it may work against good malware, not the malware found on youtube aimed at kids. They dont care if you detect it or anything, they just wanna collect info
The user is Lain? Seems fitting.
Of course it scares off Valorant, it's made to protect you
Like a real scarecrow, it only works sometimes
"We wont share it or send you spam" is *supposed to* mean "we'll send rare emails, but not often enough to be annoying."
If they stick to it and send like, an email per year, or for every major update etc that's not spam. That's like, what mailing lists are for. Spam is when you're on hundreds of mailing lists, and don't care about any of it, or a few of the lists break bad and just fill your inbox.
3:44 "borrow" ah yes the classic programmer term for stealing lmfao
Great idea until the malware writer checks to see if this is installed.
I'm guessing checking digital signatures of VM guest exes/libraries would be one way to circumvent this.
you need to update the videos in the "More Malware Investigation Videos" section to be more recent malware themed ones