
Cyber Scarecrow

scosman
55 replies
10h4m

Fun concept.

If the creators read this, I suggest some ways of building trust. There’s no “about us”, no GitHub link, etc. It’s a random webpage that wants my personal details, and sends me an “exe”. The overlap of people who understand what this tool does, and people who would run that “exe” is pretty small.

CyberScarecrow
32 replies
9h35m

Author of cyber scarecrow here. Thank you for your feedback, and you are 100% right. We also don't have a code signing certificate yet either; they are expensive for Windows. SmartScreen also triggers when you install it. I'd be wary of installing it myself as well, especially considering it runs as admin, to be able to create the fake indicators.

I have just added a bit of info about us on the website. I'm not sure what else we can do really. It's a trust thing, same with any software and AV vendors.

AnthonyMouse
7 replies
7h28m

We also dont have a code signing certificate yet either, they are expensive for windows.

When someone is offering you a certificate and the only thing you have to do in order to get it is pay them a significant amount of money, that's a major red flag that it's either a scam or you're being extorted. Or both. In any case you should not pay them and neither should anyone else.

a1o
1 replies
4h52m

This looks like a random website and not a Microsoft website. How could I trust such a list?

DougN7
2 replies
6h28m

Besides paying money you also go through a (pretty simplistic) audit. It’s about the only way we have to know who published some code, which is important. If you can come up with a better way you should implement it and we’ll all follow.

As a side note, I’ve been trying to figure out how to get an EV code signing cert that isn’t tied to me (want to make a tool Microsoft won’t like and don’t want retaliation to hurt my business) but I haven’t come up with a way to do it - which is a good thing I suppose.

hunter2_
1 replies
3h56m

Can you have someone else go through the process of getting it, like a Craigslist rando to whom you pay cash?

wongarsu
0 replies
1h42m

If said Craigslist rando likes getting police visits and potentially being criminally liable for helping you commit a felony ...

All code signing promises to give you the name of a real person or company that signed the binary. From there it's the end user's responsibility to decide if they trust that entity.

In practice the threat of the justice system makes any signed executable unlikely to be malicious. But that doesn't mean you have to uncritically trust a binary signed by Joe Hobo.

hluska
0 replies
5h29m

There’s an audit to go through where you (sort of) prove who you are. The system isn’t great, but if you can come up with something better there’s a lot of space to make software more secure for people.

Z7YCx5ieof4Std
6 replies
9h17m

Is it possible to fake being from Russia? I heard some malware won't install on computers from Russia or with Russian as the primary language.

CyberScarecrow
1 replies
9h15m

Great idea. Looking at installing an additional keyboard or language without it being annoying to the user is next on the feature list.

llama_drama
0 replies
8h41m

This might not be a good idea. There are some reports of malware (npm packages, iirc) specifically targeting Russian computers since the invasion.

whaleofatw2022
0 replies
3h49m

Russia has serious penalties for hacking their citizens.

Not for hacking non-citizens.

kozak
0 replies
8h25m

And be targeted by cyberwarfare from the first-world side.

DougN7
0 replies
6h32m

Or has the Russian keyboard installed, even if not used IIRC.

eganist
3 replies
2h42m

It's a neat concept, although I imagine this'll be a cat and mouse endeavor that escalates very quickly. So, a suggestion - apply to the Open Technology Fund's Rapid Response Fund. I'd probably request the following in your position:

* code signing certificate funding

* consulting/assessment to harden the application or concept itself as well as to make it more robust (they'll probably route through Cure53)

* consulting/engineering to solve for the "malware detects this executable and decides that the other indicators can be ignored" problem, or consulting more generally on how to do this in a way that's more resilient.

If you wanted to fund this in some way without necessarily doing the typical founder slog, might make sense to 501c3 in the US and then get funded by or license this to security tooling manufacturers so that it can be embedded into security tools, or to research the model with funding from across the security industry so that the allergic reaction by malware groups to security tooling can be exploited more systemically.

I imagine the final state of this effort might be that security companies could be willing to license decoy versions of their toolkits to everyone that are bitwise identical to actual running versions but then activate production functionality with the right key.

CodeWriter23
1 replies
1h4m

decoy versions of their toolkits to everyone that are bitwise identical to actual running versions but then activate production functionality with the right key

I kinda think this functionality could be subverted into a kill switch for legit-licensed installs simply by altering the key.

eganist
0 replies
7m

I mean, the existing licensing mechanisms can be similarly abused.

sangnoir
0 replies
1h8m

consulting/engineering to solve for the "malware detects this executable and decides that the other indicators can be ignored" problem, or consulting more generally on how to do this in a way that's more resilient.

This would be a boon for security folk who analyze/reverse malware: they can add/simulate this tool in their VMs to ensure the malware being analyzed doesn't deactivate itself!

efilife
2 replies
8h49m

It ceases to be a trust thing once you open source the code

wongarsu
1 replies
1h37m

In a world where everybody builds from source or downloads from a trusted build service

shadowgovt
0 replies
1h14m

... and trusts their entire toolchain hasn't been compromised.

yamakadi
0 replies
7h22m

I’m sure it’s closed source for the eventual plans to monetize it, but what’s the real difference to something like https://github.com/NavyTitanium/Fake-Sandbox-Artifacts and why can’t you at least name yourselves?

Not much software promises to fend off attackers, asks for an email address before download, and creates a bunch of processes using a closed-source DLL whose existence can easily be checked.

Then again, not much malware targeting consumers at random checks for security software. You are more likely to see malware stop working if you fake the amount of RAM and CPU and your network driver vendor than if you have CrowdStrike, etc. running.

twixfel
0 replies
6h37m

There are things that you can do that make you seem trustworthy, and you've done none of them.

rft
0 replies
2h20m

Concerning code signing: Azure has a somewhat new offering that allows you to sign code for Windows (SmartScreen compatible) without having an EV cert. It is called "Trusted Signing" [1], non-marketing docs [2]. The major gotcha is that currently you need to have a company or similar entity 3 years or older to get public trust. I tried it with a company younger than 3 years and was denied. You might have a company that fits that criteria or you might get lucky.

The major upside is the pricing: currently "free" [3] during testing, later about 10 USD/month. As there doesn't seem to be a revocation mechanism based on some docs I read, signed binaries might be valid even after a canceled subscription.

[1] https://azure.microsoft.com/en-us/products/trusted-signing

[2] https://learn.microsoft.com/en-us/azure/trusted-signing/quic...

[3] You need a CC and they will likely charge you at some point. Also I had to use some kind of business Azure/MS 365 account which costs about 5 USD/month. Not sure about the exact lingo, not an Azure/MS expert. The docs in [2] were enough for me to get through the process.

px43
0 replies
2h56m

Obviously this should be an open source tool that people can build for themselves. If you want to sell premium services or upgrades for it later, you need to have an open/free tier as well.

Also are you aware of the (very awesome) EDR evasion toolkit called scarecrow? Naming stuff is hard, I get that, but this collision is a bit much IMO.

https://github.com/Tylous/ScareCrow

peter_l_downs
0 replies
25m

One more thing you could do is put the real name of any human being with any track record of professionalism, anywhere on the website. Currently you're:

- commenting under a pseudonymous profile

- asking for emails by saying "please email me. contact at cyberscarecrow.com"

- describing yourself in your FAQ entry for "Who are you?" by writing "We are cyber security researchers, living in the UK. We built cyber scarecrow to run on our own computers and decided to share it for others to use it too."

I frequently use pseudonymous profiles for various things but they are NOT a good way to establish trust.

notreallyauser
0 replies
34m

You're collecting personal info and claiming to be in the UK: identifying the data controller would be a start, both for building trust and complying with GDPR.

kiney
0 replies
9h0m

Not very convincing tbh. There's no source code and no real name or company on the website...

hyperific
0 replies
6h15m

Something that would have built trust with me that I didn't find on the site was any mention of success rate. Surely CyberScarecrow has been tested against known malware to see if the process successfully thwarts an attack.

housebear
0 replies
58m

Where is that additional info? It just says you're a group of security researchers, but there are no names, no verifiable credentials, nothing. You haven't really added any info that would contribute to any real trust.

beeboobaa3
0 replies
7h47m

github link? if it's not open source it's dead on arrival

vmfunction
15 replies
9h57m

It is a cat and mouse game. And security by obscurity practice. Not saying it won't work, but if it is open sourced, how long before the malware will catch on?

Here is one on github:

https://github.com/NavyTitanium/Fake-Sandbox-Artifacts

port19
4 replies
7h46m

I'd be willing to bet good money that 99% of malware authors won't adapt, since 99% (more like 99.999%) of the billions of worldwide windows users will not have this installed.

For the cat to care about the mouse it needs to at least be a good appetizer.

ferfumarma
2 replies
6h10m

I think this is the same thing as betting on your own failure: "not enough people will use this for it to be an important consideration for hackers".

Sebb767
1 replies
5h17m

I've worked in companies with horrendous security, where someone with just a bit of SQL injection experience could have easily carried out the data. Yet, since this was a custom in-house application and your off-the-shelf scanners did not work, this never happened; the only times the servers were hacked was when the company decided to host an (obviously never updated) grandfathered Joomla instance for a customer.

But even more simply, just setting your SSH port to something >10000 is enough to get away with a very mediocre password. It's mostly really not about being a hard target; not being the easiest one is likely quite sufficient :)

giobox
0 replies
18m

But even more simply, just setting your SSH port to something >10000 is enough to get away with a very mediocre password.

Given how easy and free tools like Wireguard are to setup now (thanks Tailscale!), I really don't understand why folks feel the need to map SSH access to a publicly exposed port at all anymore for the most part, even for throw away side projects.

dylan604
0 replies
5h0m

If I were to run a Windows computer, I wouldn't care what 99.999% of other people didn't do to make their computer safe. If it were something that I could do, then that's good enough for me. However, the best thing one can do to protect themselves from Windows malware is to not use Windows. This is the path I've chosen for myself.

xyzzy123
2 replies
9h53m

The really fun part is when malware authors add detections for "fake sandbox" and then real sandbox authors get to add those indicators.

vmfunction
1 replies
6h10m

Look into the Windows NT source code that was leaked. The if-else/switch statements in there are just another level of string matching hell. Seems like software development just became "let's jerry-rig it to just make it work and forget about it." Pretty sure management (without tech clue) has something to do with behaviours like this.

1992spacemovie
0 replies
5h19m

Pretty sure management (without tech clue) has something to do with behaviours like this.

Always the same bullshit with you people here. It could never possibly be that someone built a sub-optimal system -- it HAD to be management fucking with our good intentions!

CyberScarecrow
2 replies
9h23m

Author of scarecrow here. Our thinking is that if malware starts to adapt and check if scarecrow is installed, we are doing something right. We can then look to update the app to make it more difficult to spot - but it's then a cat and mouse game.

hluska
0 replies
5h38m

You had an answer canned for one part of the query. Why are you trying to release security software completely anonymously? This is insane - you want an incredible amount of trust from users but can’t even identify a company.

Simply, if users are as intelligent as you think, they’re too intelligent to use your product.

dylan604
0 replies
4h57m

If you think that is what will make it a cat and mouse game instead of understanding it has been a cat and mouse game since the beginning of time, then you're not compelling me into thinking you're very experienced in this space.

self_awareness
0 replies
9h0m

Some malware will catch on, some will not. It's a cost vs profit problem. Statistically, this will always decrease the number of possible malware samples that can be installed on the machine, but by what margin? Impossible to say.

linsomniac
0 replies
6h10m

It's not a cat and mouse game; it's a diver and shark game. In SCUBA training we joked that you had the "buddy system" where you always dive in pairs, because that way if you encounter a shark you don't have to outswim the shark, you only have to outswim your buddy.

A low-effort activity that makes you not be the low-hanging fruit can often be worth it. For example, back in the '90s I moved my SSH port from 22 to ... not telling you! It's pretty easy to scan for SSH servers on alternate ports, but basically none of the worms do that.

boxed
0 replies
9h13m

If Windows had this built in, it would make malware authors' job much more difficult. I like that.

RajT88
0 replies
6h36m

Not just that - it only works on smart malware.

There is plenty of dumb malware.

Security folks seem to get overly focused at times on the most sophisticated attackers and forget about the unwashed hordes.

kazinator
3 replies
7h57m

It’s a random webpage that wants my personal details, and sends me a “exe”.

No different from McAfee, Trend Micro, Symantec. Oh, but those are brand names you can trust, like Coca-Cola and Kellogg's Corn Flakes.

digging
0 replies
2h45m

Besides the obvious points made by others, those are odd choices. I don't trust any of those brands.

diegolas
0 replies
7h11m

well... yes, that's what trust means

Brian_K_White
0 replies
5h36m

You can't spot the super subtle difference between a name with a rep to protect and a no-name?

michaelmior
0 replies
6h54m

The overlap of people who understand what this tool does, and people who would run that “exe” is pretty small.

Unfortunately (at least outside of HN) "people who understand what this tool does" probably isn't a subset of "people who would run that "exe"."

HPsquared
0 replies
9h41m

A lot of security stuff is a bit ironic like that. "Give this antivirus software super-root access to your machine".. it depends on that software being trustworthy.

iforgotpassword
10 replies
10h3m

Narrator: and so the arms race continues.

I guess if this gets enough attention, malware will just add more sophisticated checks and not just look at the exe name.

But on that note, I wondered the same thing at my last workplace where we'd only run windows in virtual machines. Sometimes these were quite outdated regarding system and browser updates, and some non-tech staff used them to browse random websites. They were never hit by any crypto malware and whatnot, which surprised me a lot at first, but at some point I realized the first thing you do as even a halfway decent malware author is checking whether you run in a virtualized environment.

curtisblaine
6 replies
9h47m

I guess if this gets enough attention, malware will just add more sophisticated checks and not just look at the exe name.

But more sophisticated detection means bigger payload (making the malware easier to detect) and more complexity (making the malware harder to make / maintain), so mission accomplished.

saagarjha
2 replies
9h39m

Not by much. Probably less effort than you're putting in trying to avoid the malware, so it's a net loss.

xiphias2
1 replies
9h17m

The more scarecrow is installed, the easier it gets for real security researchers to hide from these checks and detect viruses. So actually the dynamic helps security research.

saagarjha
0 replies
6h30m

That's not how this works.

oefrha
2 replies
9h20m

“Sophisticated” detection can be as simple as checking rss and pcpu, the bullshit decoy processes probably aren’t wasting a lot of CPU and RAM, otherwise might as well run the real things; if they are, well, just avoid, who cares. So no, it’s not going to meaningfully complicate anything.

curtisblaine
1 replies
9h3m

Wouldn't that be more fragile though? CPU usage is not constant in time, so if - again - you're not sophisticated enough, you get more false negatives / positives, depending on which side of the heuristic you err.

oefrha
0 replies
8h44m

This is only useful for dragnet malware targeting the masses, where false positives/negatives have low impact to begin with. High value targets can run the real programs if this is proven to have any effect — the average corporate IT can approve some more bloat for security, no problem. Also, you take a sample.

fancythat
2 replies
9h24m

This works, I can confirm. The majority of malware treat running in a VM as a sign of a researcher doing malware analysis.

I have been recommending doing this for over 10 years now.

mdip
1 replies
5h39m

That's where I wonder about a tool like this interfering with legitimate software.

For example, I believe the anti-cheat software used by games like Fortnite looks for similar things -- my understanding is that it, too, will refuse to start when it is executing in a VM[0]. As a teenager (90s), I remember several applications/games refusing to start when I'd attached a tracing process to them. They did this to stop exactly what I was doing: trying to figure out how to defeat the software licensing code. I haven't had a need to do that since the turn of the century but I'd put $10 on that still being a thing.

So you end up with a "false positive", and like anti-virus software, it results in "denial of service." But does anti-virus's solution of "white list it" apply here? At least with their specific implementation, it's "on or off", but I wonder if it's even possible to alter the application in a way that could "white list a process so it doesn't see the 'malware defeat tricks' this exposes." If not, you'd just have to "turn off protection" when you were using that program. That might not be practical depending on the program. It's also not likely the vendor of that program will care that "an application which pretends it's doing things we don't like" breaks their application unless it represents a lot of their install base.

[0] I looked into it a few years ago b/c I run Tumbleweed and it's a game the kids enjoy (I'm not a huge fan but my gaming days have been behind me for a while, now) ... I had hoped to be able to expose my GPU to the VM enough to be able to play it but didn't bother trying after reading others' experiences.

fancythat
0 replies
4h13m

You are right, some games, especially multiplayer ones, will refuse to work in a VM to prevent cheating, but this is, of course, a business decision on their side. You can always construct the software in such a way that when it detects something suspicious on the system it ceases to function: some copy protections looked for a change in the network card hardware ID, as developers presumed it was highly unlikely someone would change network interfaces, but that stopped being common when people started using on-board interfaces that change with every motherboard change.

There is also a difference when using commercial stuff such as VMware instead of qemu or VirtualBox, as open source is more suitable to be tailored to the specific thing, in this case, cheating.

In the end, this approach works well for slowing down malware, as there is less risk for normal software to allow working inside of a VM, in contrast to malware that should be coded to be extra paranoid in order to avoid as many tar pits as possible.

helsinkiandrew
9 replies
10h3m

I would assume there would be a small intersection of people that would download and install a windows program from an unknown web page and those that are worried about malware.

But perhaps I'm wrong.

deno
4 replies
9h42m

I know people /plural/ that will happily download cracked antivirus software from a torrent site.

px43
1 replies
3h10m

Many torrent sites have stronger reputation vetting than Microsoft code signing certs.

astrodust
0 replies
17m

I mean you can look at the comments and check the vibe.

pbhjpbhj
0 replies
9h33m

Agree, you should get yourself backdoored by a trustworthy company like Sony. /s

hobs
0 replies
6h35m

That made sense before cryptocurrency, not after.

CyberScarecrow
3 replies
9h20m

Author of cyber scarecrow here. You are right, it's a trust thing. Completely understand if people wouldn't want to install it and that's fine. It's the same for any software really. We just haven't built up any confidence or trust like a big established company will have.

peddling-brink
2 replies
8h9m

But why not make it open source? Why not identify who you are as humans?

There are ways to establish trust, you aren’t doing any of them.

kaashif
0 replies
5h21m

At this point, the simplest explanation is that it actually is malware. A more credible explanation than security researchers making something that looks this much like malware, but actually isn't.

1oooqooq
0 replies
1h4m

because they know how to sell software. closed source. for windows. things gov mandate allows plenty of budget. etc.

mafriese
6 replies
8h7m

I don't understand why the software is built how it's built. Why would you want to implement licensing in the future for a software product that only creates fake processes and registry keys from a list: https://pastebin.com/JVZy4U5i . The limitation to 3 processes and the license dialog make me feel uncomfortable using the software. All the processes are 14.1MB in size (and basically the scarecrow_process.dll - https://www.virustotal.com/gui/file/83ea1c039f031aa2b05a082c...). I just don't understand why you create such a complex piece of software if you can just use a PowerShell script that does exactly the same using fewer resources. The science behind it only kinda makes sense. There is some malware that uses techniques to check if those processes are running, but by no means is this a good way to keep you protected. Most common malware like credential stealers (redline, vidar, blahblah) don't care about that and they are by far the most common type of malware deployed. Even ransomware like Lockbit doesn't care, even if it's attached to a debugger. I think this mostly creates a false sense of security, and if you plan to grow a business out of this, it would probably only take hours until there would be an open source option available. Don't get me wrong - I like the idea of creating new ways of defending against malware; what I don't like is the way you try to "sell" it.

jart
3 replies
7h44m

Are you telling me this thing spawned 50 new processes on your computer? Could you zip up all the executable files and whatever it installed and upload it somewhere so we can analyze the assembly?

mafriese
2 replies
7h25m

This "thing" is always spawning 3 processes at the time. The processes are always the ones from the virustotal link. I can upload the DLL to a file sharing service of your choice if you don't have a VT premium license. I can also provide an any.run link: https://app.any.run/tasks/bc557b04-5025-46a1-a683-aad3b29b9a... (installer) https://app.any.run/tasks/e257e7f2-7837-4ed1-93c8-5d617d75cc... (zip file containing the files). Let me know if you need further info :).

jart
1 replies
6h57m

Is there a way for me to curl their executable into my UNIX terminal so I can read the assembly? Or does Any Run keep the samples to themselves? I know a lot about portable executable but very little about these online services.

kazinator
0 replies
7h58m

They know that if this idea catches on, a dozen completely free imitations will crop up, so ... the time to grab whatever cash can be squeezed out of this is now.

batch12
0 replies
6h9m

To your point, I made this a few years ago using PowerShell. I just created a stub .exe using csc on install and renamed it to match a similar list of binary names. Maybe I will dig it up...
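The approach batch12 describes, spelled out as an added example: this is not batch12's script and not Cyber Scarecrow's code. It assumes Windows PowerShell 5.1 on a machine with the .NET Framework, so that csc.exe can be found in the runtime directory; the three decoy image names in `$DecoyNames` are a constructed sample standing in for the pastebin list, which the thread links but does not reproduce. The stub only sleeps, so the decoys cost a handful of idle processes and nothing else.

```powershell
# Added example: idle decoy processes named like analysis tools.
# Assumption: Windows PowerShell 5.1 / .NET Framework (csc.exe next to the runtime).
# $DecoyNames is a constructed sample list, not the list the thread links.
$DecoyNames = @('procmon.exe', 'regmon.exe', 'wireshark.exe')
$DecoyDir   = Join-Path $env:LOCALAPPDATA 'DecoyProcesses'

function New-DecoyStub {
    param([string]$OutputPath)
    # Minimal C# program: no window, no I/O, it just blocks forever.
    $source = @'
using System.Threading;
class Stub { static void Main() { Thread.Sleep(Timeout.Infinite); } }
'@
    $srcFile = Join-Path $env:TEMP 'decoy_stub.cs'
    Set-Content -Path $srcFile -Value $source -Encoding ASCII
    $csc = Join-Path ([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()) 'csc.exe'
    & $csc /nologo /target:winexe "/out:$OutputPath" $srcFile | Out-Null
    if (-not (Test-Path $OutputPath)) { throw "csc failed to build $OutputPath" }
}

function Start-DecoyProcesses {
    New-Item -ItemType Directory -Path $DecoyDir -Force | Out-Null
    $stub = Join-Path $DecoyDir 'stub.exe'
    if (-not (Test-Path $stub)) { New-DecoyStub -OutputPath $stub }
    foreach ($name in $DecoyNames) {
        # One copy of the same stub per decoy name; the image name is all that differs.
        $exe = Join-Path $DecoyDir $name
        Copy-Item -Path $stub -Destination $exe -Force
        Start-Process -FilePath $exe -WindowStyle Hidden
    }
}

function Get-DecoyProcesses {
    # Shows what an observer sees in the process list: name, PID and the decoy path.
    Get-Process | Where-Object { $_.Path -like "$DecoyDir*" } | Select-Object Name, Id, Path
}

function Stop-DecoyProcesses {
    # Only kill processes running from the decoy directory, never a real tool of the same name.
    Get-Process | Where-Object { $_.Path -like "$DecoyDir*" } | Stop-Process -Force
}

# Usage: dot-source this file, then Start-DecoyProcesses; Get-DecoyProcesses; Stop-DecoyProcesses
```

The `Path` filter in the stop and list functions is the check worth keeping: matching on the image name alone would also hit a genuine Process Monitor or Wireshark instance, and the whole point of the thread's "false sense of security" objection is that these decoys are nothing more than their names.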

thrdbndndn
5 replies
8h59m

One of the references in "How does it work" [1] mentioned that some hackers will not mess with computers with a Russian keyboard, so you can add one to reduce your chance of getting hacked.

Hilarious aside, it would only work if you don't actually use multiple keyboards -- otherwise an additional one would make switching between multiple keyboards very annoying [*].

It also mentions some other changes like adding RU keywords to your registry. Again, these measures would have many side effects since lots of software actually use these registry entries for legit reasons. So I don't know if this Cyber Scarecrow product would have this problem, since it does modify registry, too.

1: https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...

*: A little rant: as someone who uses three virtual keyboards (English, Chinese, Japanese), it is already a pain in the ass to switch them since MS does not follow "last used" switching order (like alt+tab). Instead, it just switches in one direction.

kazinator
1 replies
8h37m

MS does not follow "last used" switching order

Furthermore:

1. The Shift+Alt chord is obnoxiously unreliable, sensitive to which key comes down first, or something.

2. Japanese is always coming up in A mode even though you last had it in あ mode.

3. Bad performance: sllllow language switching at times: you hit some keyboard sequence for changing languages or modes within a language, and nothing happens. This interacts with (2): did we hit an unreliable chord? Or is it just slow to respond?

thrdbndndn
0 replies
5h43m

I have to use a 3rd party Japanese IME precisely because of 2. No idea why they haven't added an option for it to default to あ mode.

Also, in ANY modern Chinese IME (Microsoft or 3rd party), switching between English/中文 mode is simply pressing shift once. You still have to use alt+` for that in JP IME, which I find unbearable.

Sebb767
1 replies
8h39m

A little rant: as someone who uses three virtual keyboards (English, Chinese, Japanese), it is already a pain in the ass to switch them since MS does not follow "last used" switching order (like alt+tab). Instead, it just switches in one direction.

Actually, I much prefer this order. Depending on what keyboard I currently use, I know exactly how often to switch instead of having to remember what I used previously. In fact, I don't even like this order when Alt+Tab'ing, it makes switching between more than two windows pretty inconsistent (yes, I know Windows+Number works, too).

thrdbndndn
0 replies
5h46m

Yeah, I get your point, it's indeed a trade off.

Having "last used" order makes quickly switching between two windows very easy, which is something I personally use more. It's easier than pressing alt+tab/shift+alt+tab alternately.

To switch to the third window, you can use alt+tab+tab.

poincaredisk
0 replies
6h38m

Small correction: not "some hackers", but some malware families (the difference being that the check is automatic). And honestly, not "some" but "most of them" :).

Though I often see this implemented by calling GetKeyboardLayout, so this will only work if you actually use the Russian (or neighbourly) layout when malware detonation happens.

bendews
5 replies
9h36m

Lol, this website is registered to someone in Iceland, despite the assurance that it is a "security researcher living in the UK". I'm sure the results from this experiment will make a cool blog post about pwning tech savvy folks.

razakel
3 replies
9h17m

That's the WHOIS privacy service enabled by default on .com domains registered through Namecheap.

bendews
2 replies
8h54m

Hmm my Namecheap domains keep the location details even with WHOIS privacy enabled. To be fair they are 7+ years old so maybe something has changed in that time?

popcalc
0 replies
8h27m

You can still apologize by editing your parent comment. Humility is a gift.

hluska
0 replies
4h0m

So you don’t actually know what you’re doing but still feel fit to rip on op for it? “Lol” indeed…

CyberScarecrow
0 replies
9h28m

That could be the hosting, the website is running on PaaS - https://vercel.com

999900000999
5 replies
5h5m

Neat.

But this literally comes off as probably being malware itself.

If you're going to ship something like this, it needs to be open source, preferably with a GitHub pipeline so I can see the full build process.

You also run into the elephant repellent problem. The best defense to malware will always be regular backups and a willingness to wipe your computer if things go wrong.

bglazer
4 replies
3h18m

elephant repellent problem? What is that?

This is literally the first occurrence of that string on the internet.

jkingsman
2 replies
2h53m

Better known as the Elephant Repellent Fallacy — a claim that a preventative is working when, in fact, the thing it prevents rarely or never happens anyway.

"Hey you better buy my elephant repellent so you don't get attacked!"

'Okay.'

...

"So were you attacked?"

'No, I live in San Francisco and there are no wild elephants.'

"Well, I guess the repellent is working!"

burnished
0 replies
15m

I know this as 'Moms cooking drove the vampires away'

wruza
4 replies
8h6m

Why does malware “stop” if it sees AV? Sounds as if it wanted to live, which is absurd. A shady concept overall, cause if you occasionally run malware on your pc, it’s already over.

Downloading a random exe from a noname site/author to scare malware sounds like another crazy security recipe from your layman tech friend who installs registry cleaners and toggles random settings for “speed up”.

qwery
0 replies
7h25m

It's not really about "normal" antivirus programs, but tools used by security researchers. It's well-known that more sophisticated malware often tries to avoid scrutiny by not running, or masking its intended purpose if the environment looks "suspicious".

A paranoid online game like e.g. Test Drive Unlimited, might not launch because the OS says it's Windows Server 2008 (ask me how I know). A script in a Word document might not deliver its payload if there are no "recently opened documents".

The idea with this thing is to make the environment look suspicious by making it look like an environment where the malware is being deliberately executed in order to study its behaviour.

nic547
0 replies
7h30m

It's not about the usual AV software, but about "fake" systems used to try and detect and analyse malware. AV vendors and malware researchers in general use such honeypots to find malware that hasn't been identified yet.

This software seems to fake some indicators that are used by malware to detect whether they're on a "real system" or a honeypot.

joshstrange
0 replies
7h32m

Why does malware “stop” if it sees AV? Sounds as if it wanted to live, which is absurd.

Malware authors add in this feature so that it’s harder for researchers to figure out how it works. They want to make reverse engineering their code more difficult.

I agree with everything else you said.

bux93
0 replies
7h36m

Take malware that is part of a botnet. Its initial payload is not necessarily damaging to the host, but is awaiting instructions to e.g. DDOS some future victim.

The authors will want the malware to spread as far and wide as it can on e.g. a corporate network. So they need to make a risk assessment; if the malware stays on the current computer, is the risk of detection (over time, as the AV software gets updates) higher than the opportunity to use this host for nefarious purposes later?

The list[1] of processes simulated by cyber scarecrow is mostly related to being in a virtual machine though. Utilities like procmon/regmon might indicate the system is being used by a techie. I guess the malware author's assumption is that these machines will be better managed and monitored than the desktop/laptop systems used by office workers.

[1] https://pastebin.com/JVZy4U5i

nubinetwork
4 replies
10h7m

If you're going to go through the effort of faking honeypot/analysis tools, why not just run them?

ok_dad
2 replies
10h5m

Costs a lot of cycles to run those for real, and it’s not super common to get infected with anything, so you’re wasting cycles for a small chance at avoiding it. This could be better since, I assume, it doesn’t do a lot of stuff.

exe34
1 replies
9h51m

can you nice them?

JoosToopit
0 replies
9h24m

To make them imitate the real activity? To imitate what scarecrow does?

CyberScarecrow
0 replies
9h17m

Author of scarecrow here. The idea is that cyber scarecrow is just super easy and lightweight for anyone to use. Honeypot tech tends to need some good tech understanding to use (e.g. the CLI), and can be a bit heavyweight for always running in the background of your computer.

omeid2
3 replies
10h3m

When will Scarecrow Advanced++ with NextGen Anti-Detection and Cloaking be released?

Jokes aside, this is a temporary fix at best, a waste of resources and impression of safety at worst.

xarope
0 replies
9h49m

Scarecrow Cloud Native AI with Nextgen Quantum Crypto XR ++

(bingo?)

shoo
0 replies
9h16m

ssshhhhh, not so loud, they'll hear you and add scarecrows to the checklist of mandatory runtime security requirements for production services

CyberScarecrow
0 replies
9h19m

Author of scarecrow here. We're working on an LLM and a blockchain first ;-) (joke)

mschuster91
3 replies
9h25m

As much as I'd love to see something like this everywhere, the problem is it's useless for everyone who loves to play online games or watch DRM-encumbered content, so the majority of the population... because DRM, anticheat and malware all fear the same set of tools/indicators.

CyberScarecrow
1 replies
9h18m

Author of scarecrow here. Very good point, I hadn't thought about that.

self_awareness
0 replies
8h57m

Solution: temporary "game mode" that disables most protections that can impact DRM, or a custom rule engine that disables protections if some application is detected to be running (e.g. fortnite.exe or something), but this second method should be done manually by the user.

marcodiego
0 replies
5h46m

everyone who loves to play online games or watch DRM-encumbered content, so the majority of the population...

It is sad to hear that. In my view DRM = malware.

dogben
3 replies
9h26m

A simple magic is to set system language and locale to Russian.

sunaookami
0 replies
8h58m

A simple magic is using an operating system that is not full of security holes by an incompetent vendor.

Etheryte
0 replies
9h15m

Yes, but then your system is in Russian which is pretty much the same as having malware.

Epskampie
0 replies
9h15m

Yes very simple! Not a problem whatsoever with that. я не говорю по-русски

xiaodai
2 replies
9h55m

not surprised if this is the trojan horse

webprofusion
1 replies
9h38m

Next you'll be suggesting that some AV vendors have been known to sponsor development of new viruses and malware.

ttyyzz
0 replies
8h44m

I also wouldn't download this in 1000 years with no additional information and source code / GitHub etc...

puppycodes
2 replies
9h29m

I'm confused about the tradeoff of not running the software that you're pretending to be running? Most AV definitely feels like malware itself, so maybe that's your point? But it would probably be better to run good software than fake bad software?

ale42
0 replies
8h14m

Like keeping Process Monitor open all the time? Not very convenient, especially for the average user.

JoosToopit
0 replies
9h21m

But there is no good software for defense. They either introduce obstacles while being barely useful or are useful, introduce obstacles for you and are proprietary and thus are malicious by design.

pogue
2 replies
9h43m

Sounds like a very interesting concept. I'd like to see someone actually test this though.

Try running this on a Windows PC with Windows Defender off & just Scarecrow running. You could use the MaleX test kit [1] or a set of malware such as the Zoo collection [2] or something more current. I'd be very interested to see how many malware executables stop halfway through their installation after seeing a few bogus registry entries/background programs running. I'm not trying to imply it's worthless, but it needs some actual "real world" test results.

[1] https://github.com/Mayachitra-Inc/MaleX [2] https://github.com/ytisf/theZoo

CyberScarecrow
1 replies
9h26m

Author of scarecrow here. Sweet idea, thank you for sharing. What I would really like to do is have some sort of stats in the app that shows if it has 'scared' away any malware. But I'm not sure how to do that, and work out what other processes on the machine have exited because they saw some cyber scarecrow indicators in the system's process listing.

pogue
0 replies
8h52m

I would assume with a minimalist program like yours, it wouldn't have the capability to detect whether anything malicious was running on the system. That kind of thing would require some more advanced trip wires that would notice when certain things were triggered when they shouldn't have been or a full blown AV detection engine.

I suppose it could work like Sysinternals Process Explorer/Autoruns/etc & submit running hashes to Virustotal.com or other databases, but there's always the likelihood of false positives with that.

If you search GitHub for "malware samples" there are loads of them. Vx Underground also has a large collection [1]. So, I would go through there & look for commonalities to try and find what malware often tries to trigger on startup.

I'll just end with this example of an interesting form of a trip wire I've seen in use on Windows PCs: ZoneAlarm makes an anti-ransomware tool I can't think of the name of. It placed hidden files & folders in every directory on the hard drive. It would then monitor if anything tried to access them - as ransomware would attempt to encrypt them - and force kill all running programs in an attempt to shut down the malware before it could encrypt the entire HDD.

[1] https://vx-underground.org/Archive/Collections
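A minimal version of the canary-file trip wire described in the comment above, written here as an added illustration; it is not ZoneAlarm's, Cyber Scarecrow's or any vendor's code, and the marker file name and the "kill everything" response are assumptions (the response is left to the caller).

```python
"""Canary-file trip wire (constructed example).

Hidden marker files are planted in every directory of a tree and their content
hashes recorded. Ransomware that encrypts "everything" rewrites or renames those
markers too, so re-checking the hashes reveals that something touched files no
legitimate program has any reason to modify. What to do about it (alert, kill
processes, isolate the host) is a policy decision left to the caller.
"""
import hashlib
import secrets
import tempfile
from pathlib import Path

# Assumed marker name: a dotfile so it stays out of the user's way. On Windows
# a real deployment would additionally set the hidden attribute.
CANARY_NAME = ".~canary.dat"


def _sha256(path: Path) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_canaries(root: Path, size: int = 1024) -> dict:
    """Drop one canary into root and every subdirectory; return {path: sha256}."""
    manifest = {}
    for directory in [root, *sorted(p for p in root.rglob("*") if p.is_dir())]:
        canary = directory / CANARY_NAME
        # Random contents: an encryptor cannot leave them unchanged by accident,
        # and a distinct hash per file tells us which directory was hit.
        canary.write_bytes(secrets.token_bytes(size))
        manifest[str(canary)] = _sha256(canary)
    return manifest


def check_canaries(manifest: dict) -> list:
    """Return [(path, reason)] for canaries modified, renamed or deleted since planting."""
    tripped = []
    for path, expected in manifest.items():
        p = Path(path)
        if not p.is_file():
            tripped.append((path, "missing"))    # deleted, or renamed (e.g. to .locked)
        elif _sha256(p) != expected:
            tripped.append((path, "modified"))   # rewritten in place
    return tripped


def should_respond(tripped: list, min_hits: int = 2) -> bool:
    """Policy hook: require more than one tripped canary to tolerate a stray
    backup or indexing tool touching a single file (threshold is an assumption)."""
    return len(tripped) >= min_hits


def simulate_run() -> dict:
    """Self-contained demo on constructed data: plant canaries in a temp tree,
    then mimic an encryptor that rewrites one marker and renames another."""
    root = Path(tempfile.mkdtemp(prefix="canary_demo_"))
    (root / "docs").mkdir()
    manifest = plant_canaries(root, size=64)
    clean = check_canaries(manifest)  # nothing has touched the markers yet
    # Simulated ransomware side effects only (no real encryption happens here):
    (root / "docs" / CANARY_NAME).write_bytes(b"\x00" * 64)        # rewritten
    (root / CANARY_NAME).rename(root / (CANARY_NAME + ".locked"))  # renamed
    tripped = check_canaries(manifest)
    return {"clean": clean, "tripped": dict(tripped),
            "respond": should_respond(tripped)}


if __name__ == "__main__":
    print(simulate_run())
```

Polling the manifest on a timer is the simplest deployment; a production tool would instead hook file-system change notifications so it reacts before many real files are lost.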

marcodiego
2 replies
6h51m

I call BS. How it works says: "When hackers install malicious software on a compromised victim, they first check to make sure its safe for them to run."; Download asks for e-mail and name; Does not seem multiplatform, and I would never install anything like that on my computer in a dream unless it were open source.

poincaredisk
0 replies
6h44m

I'm a malware researcher and reverse engineer for a living. This is absolutely true, but oversimplified. Focus on

They don't want to get caught and avoid computers that have security analysis or anti-malware tools on them.

Malware doesn't want to run in a sandbox environment (or in general when observed), because doing malicious things in the AV sandbox is a straight way to get blocked, and leaks C2 servers and other IoCs immediately. That's why most malware families[1] at least try to check if the machine they're running on is a sandbox/researcher pc/virtual machine.

I assume this is what this tool does. We joke at work that the easiest thing to do to make your Windows immune to malware is to create a fake service and call it VBoxSVC.

[1] except, usually, ransomware, because ransomware is very straightforward and doesn't care about stealth anyway.

davikr
0 replies
6h50m

It's very platform-dependent, because for each one there are different ways in which a virus checks for markers that it's being analysed - for instance, if it's being run in a VM, it might check registry entries, check for guest-host drivers or whatever, on Windows. Still, I wouldn't trust something like this if it asks for PII, isn't open source and leaves traces around on the disk.

forty
2 replies
7h10m

I guess the indicators used largely overlap with the ones used by anti-cheat software, so you probably want to think twice before using that on your gaming pc :)

account42
1 replies
5h58m

Or you could just choose to not play games that require you to install malware.

rvnx
0 replies
2h49m

Once you are banned by the anti-cheat because of false positive, this is going to be an easy decision to make

efilife
2 replies
8h53m

Ok, but why isn't this open source? If it only creates some processes that don't do anything, there's nothing to hide, really

tr33house
1 replies
6h35m

this +100 I can't just let some random exe run on my machine with nothing but claims from the author.

In my head, I'm also wondering why a botnet wouldn't just want to take over such a machine because they know for sure that it's a scarecrow. But security by obscurity is no way to instill trust here

rantee
0 replies
4h50m

Claims by an unidentified author(s) replying to comments with a 4-hour old HN account.. How did this make it to the front page other than the catchy name?

tgv
1 replies
10h4m

Isn't the risk then that they'll first start scanning for "Scarecrow", or is that hidden somehow?

Also somewhat surprised the source isn't available. That makes trusting it harder, especially to the people it's aimed at.

jstanley
0 replies
10h1m

Well then you just need to put scarecrow on your honeypot boxes.

sneak
1 replies
7h47m

Scarecrow creates registry entries to make it look like security tools are installed on your computer.

Best simple anti-malware technique: don’t run Windows.

forty
0 replies
7h8m

Arguably it's the second best, after: don't use computers

no-dr-onboard
1 replies
2h23m

Fun concept, but this is security by obscurity. Other heuristics:

- providing fake manifests to hardware drivers commonly associated with virtual machines
- active process inspector handles
- presence of any software signed by hexrays (the ini file is usually enough)

bhelkey
0 replies
1h5m

Fun concept, but this is security by obscurity.

Malware uses signals to determine if they are running in a VM. If we can degrade those signals, they will have to play a cat and mouse game trying to avoid VMs.

The less clear it is if a process is running in a VM, the easier time security researchers will have testing exploits found in the wild.

mrjin
1 replies
9h19m

I'm wondering since when software can be scared?

Wowfunhappy
0 replies
6h57m

Software authors can be scared and their timidity can be reflected in the behavior of their software.

mdip
1 replies
4h36m

Setting aside the concerns with this specific implementation and thinking more of "the idea" I think the biggest concern is this sort of application causing legitimate software to fail to run[0] and how one would "white-list" an application from seeing these "fake artifacts designed to trick malware."

The problem is "the fake components" would have to be prevented from being detected by legitimate software, and the only way I can think to do that would be to execute everything in a sandbox that is capable of: (a) hiding some contained running processes (the fake ones) from the rest of the OS while (b) allowing the process that "sees the fake stuff" to be seen by everything else "like any old process."

Applying ACLs (and restricting white-listed processes) might work in some cases; might equally just be seen as a permissions problem and result in a nonsensical error (because the developers never imagined someone would change the permissions on an obvious key), or it might be that the "trick" employed is "Adding a Russian Keyboard" which can be very disruptive to the user "if they use more than one input language" or "is one of those places where a program may read from there never expecting to encounter an error."

A lot of this seems like it would require use of containerization -- docker/docker-like -- for Windows apps. I'm familiar with a few offerings here and there, but I've worked with none of them and I run Linux more than Windows these days. So my questions really boil down to:

Where's Windows containerization at? Would it be possible to run an application in a docker or docker-like container with a Windows kernel which can have its environment controlled in a manner that is more transparent to the application running within the container? Is there any other approach which would allow for "non-white-listed applications" to run containerized and "see the Scarecrow artifacts", while allowing the white-listed applications[1] to run outside of the container in a manner that hides some of the processes within the container? Can it do all of that in a manner that couldn't be defeated by the white-listed application repeating the same "check" immediately after confirming an Elevation dialog[2]?

Again, that's assuming "this is a brilliant idea" -- and there's some evidence that as a concept, at least, it would help (ignoring this particular implementation of the idea), but it still suffers from its success, so the extent that it helps/is adopted equates to how long any of these techniques aren't defeated. And just from the sense I get of the complexities required to "implement this in a manner that legitimate software won't fail, too", I suspect it will be easier to defeat a tool like this than it will be to protect against its defeat. In other words, the attacker is a healthy young cat chasing a tired old mouse.

[0] Anti-cheat being the most obvious, but those are often indistinguishable from malware. I'd encountered plenty of games/apps in the 90s that refused to run when I ran software to trace aspects of their memory interaction. I had some weird accounting app that somehow figured out when my own code (well, code I mostly borrowed from other implementations) was used for the same purpose.

[1] The assumption being that "a legitimate application which does these kinds of checks" is also likely to refuse to run within a container unless it's impossible to detect the container as reliably as everything else (and vendors are completely tolerant of false positives if the affected customers don't represent enough in terms of profit, or the solution is "don't run that unusual security software when you run ours").

[2] I've seen it enough with Easy Anti-cheat that I just click "Yes" like a drone. There was at least one occasion when it popped up after I had installed some developer tooling but not had a game update come down between launches. Because it was a huge install, it may just have been that the game detected... I have no idea why this happens -- on a few occasions, I had no update applied between loads but had installed other software, so it could have been "to fix something that software broke" but it could also have been "to re-evaluate the environment as an administrator because something changed enough on the system to warrant a re-check that it is still compliant with the rules".

wizzwizz4
0 replies
3h12m

Where's Windows containerization at?

Doesn't exist. Not even UAC is a reliable security boundary. Likely, it will never exist.

Is there any other approach which would allow for "non-white-listed applications" to run containerized and "see the Scarecrow artifacts",

Sounds a bit like WoW64. It should be easy enough to replicate this behaviour with a rootkit. However, the software would always be able to peek behind the curtain.

In other words, the attacker is a healthy young cat chasing a tired old mouse.

I always thought of the attackers as the mice, and anti-malware folk as the cats.

etrvic
1 replies
5h45m

I decided to use Bitdefender a few months ago because I suspected my Mac had malware. I was right, there was adware in the Firefox files, so it did its job.

But my experience with the antivirus was horrible. When I first opened the app there were popups everywhere advertising their other products, and the overall UI didn't look trustworthy.

I am no security expert, so I’m asking: is this the best way to deal with malware?

andrei-akopian
0 replies
5h26m

Not get it in the first place.

Not an expert myself, but I think cleaning up and reinstalling your whole OS once in a while probably deals with malware.

dncornholio
1 replies
6h1m

This software pings home. Also uses .NET which is complete overkill for such a simple app.

Would not recommend installing. It's someone's hobby project that runs as administrator.

neonsunset
0 replies
4h16m

What would you use instead?

SXX
0 replies
6h0m

Except now it's a bad idea. Like some malware from either country can decide to format your drives just for fun.

webprofusion
0 replies
9h40m

Source code or it didn't happen.

usrbinbash
0 replies
1h55m

Many of the most dangerous threat actors simply don't care about getting caught. They are operated, financed and protected by nation states, and/or operate from geopolitical locations where law enforcement is lacking.

tazjin
0 replies
9h29m

Cat, meet mouse.

swarnie
0 replies
9h8m

I wonder if you can make malware think your language and keyboard layout is Russian without having to endure the setup, that's been known to deter some nasty stuff.

stefanve
0 replies
8h40m

I get the idea, but the "science" is based on reports; it doesn't look like this has been tested with actual malware. Would be interesting to know how well it works.

Also, make it OSS and ask for donations. Not sure what your future earning model is, but it seems easy to replicate and, as pointed out several times, right now it asks us to blindly trust you.

sim7c00
0 replies
5h46m

"Fake Processes. Scarecrow will create a number of background processes that don't do anything, but look like security research tools. Fake registry entries. Scarecrow creates registry entries to make it look like security tools are installed on your computer."

I'd be interested to see this tested, there's tons of good malware repos out there like vx-underground's collections that can be used to test it.

If you don't wanna share the source, somewhat logical. Perhaps run a test versus gigabytes of malware samples and let us know which ones actually query these process names / values you create and disable themselves as a result??

salzig
0 replies
8h33m

Next Iteration: malware checks for scarecrow and starts anyways ^^

s1mplicissimus
0 replies
2h38m

Hahaha it's such a lovely idea! Turning the opponents detection against them, I very much dig it!

Here's a caveat though: Attackers will at some point notice scarecrows and simply work around them. Now suuure, if you have a better lock than your neighbours, that decreases your chances of getting broken into, but in the end this is a classic "security by obscurity" measure. So if your time and computer/data is valuable, I would rather invest in other security measures (firewall, awareness training, backups etc.)

russdill
0 replies
1h51m

Wow, never ever install this if you plan to play games with cheat detection

richwater
0 replies
4h29m

Anyone who downloads this is a moron.

poopcat
0 replies
5h42m

That is a very fun logo.

otikik
0 replies
1h35m

Heh.

The arms race continues.

oleg_antonyan
0 replies
9h52m

To check if your credit card is in scammers' database, please enter card number and cvv

mrweasel
0 replies
9h0m

Get a PTR record for your IP, let it resolve to honeypot087.win.internal.security.example.com, that will make your IP less interesting... To some people

moi2388
0 replies
3h20m

“It’s a trust thing”

Yeah. That won’t work for anything security related, I’m afraid.

mistercheph
0 replies
3h0m

More likely than not this is malware

mistercheph
0 replies
44m

How I pwned hacker news (2024)

mdip
0 replies
6h2m

Outside of the authorship/open-source fears[0], this is one of the more interesting ideas to surface in anti-virus.

Facing reality: anti-malware tooling is inadequate -- so inadequate, I haven't found a reason to purchase it for the one Windows machine I still have. People say "Defender works well enough, now!" and I think that's a pretty adequate way of describing it in that anti-malware has an impossible job and that is evident by every vendor's failure to succeed at it. So why pay for it?

It's always a cat-and-mouse game. This is an interesting approach, though, because it could shift the balance a little bit. Anti-malware's biggest problem is successfully identifying a threat while minimally interfering with the performance of an application. A mess of techniques are used to optimize this but when a file has to be scanned, it's expensive. It'd be interesting to see if it'd be possible to eliminate some variants of malware from on-demand scanning "if this tool defeats the malware as effectively", pushing scanning for those variants to an asynchronous process that allows the executable to run while it is being scanned.

I can see a lot of the problems with this kind of optimization[1]: it turns a "layer in the onion" into a replacement for an existing function which has more unknowns as far as attacks are concerned. Creating the environmental components required to "trick the malware" may be more expensive than just scanning. White-list scenarios may not be possible: I suspect anti-cheat services and potentially legitimate commercial software might be affected, as well[2] ... getting them to white-list a tool like this won't be easy unless the installed base is substantial. I suspect that "hiding the artifacts this tool creates to trick malware" from white-listed processes might be impossible.

For at least a brief moment, this might be a useful tool in preventing infections from unknown threats. Brief, because -- by the author's own admissions (FAQ) -- it will devolve into a cat-and-mouse game if the tool is popular enough. There's another cat-and-mouse game, though. If this technique isn't resource intensive while offering protection somewhere in line with what it would take to implement, all of the anti-virus vendors will implement it -- including Microsoft. And they will be seen by customers as far better equipped to play "cat" or at least "the choice you won't get fired over."

And that's where it makes a whole lot of sense to open-source the product. It's a clever idea with a lot of unknowns and a very low likelihood of being a business. Unless it's being integrated into a larger security suite (same business challenges, but you have something of "a full product" as far as your customers are concerned), its only value (outside of purely altruistic ones) would be either "popping the tool on the author's related business's website" to bring people to a related business/service or as a way to promote the author's skill set (for consulting/resume reasons). I'm not arrogant enough to say there's no way to make money from it, I just can't see it -- at least, not one that would make enough money to offset the cost of the "cat and mouse" game.

[0] Which, yeah, "I wouldn't run it on my computer" but I give the authors enough of the benefit of the doubt that "it's new"

[1] Not the least of which being that I do not author AV software so I have nothing to tell me that any of my assumptions about on-demand scanning are correct.

[2] It used to be a common practice to make reverse engineering more difficult.

makach
0 replies
7h57m

legit, or best malware install attempt ever? assume all is good if you detect the cyberscarecrow process? how can this have a long-term effect?

if you have malware probing your processes to decide if it can run or not you have a very serious problem regardless of whether it decides to run or not, there is an entrance to your systems you don't know about.

m3kw9
0 replies
3h54m

Does it really work? Let’s see some stats

khaki54
0 replies
8h10m

Kind of like instead of buying $10k ADT home security system, just buy the sign for $20 and put it in the front yard.

jowea
0 replies
9h57m

Should make it look like you're Russian too.

eigenvalue
0 replies
5m

I really don't get why this would be a 71 MB installer that takes up 113 MB when installed. If they are literally just fake processes running that have the right names, why couldn't this be a 100 KB installer?

efilife
0 replies
8h56m

Genius! Weird nobody invented this before

dns_snek
0 replies
6h40m

While this is a really interesting idea, and assuming that it's actually completely safe, the irony is that it looks exactly like what I would expect a trojan to look like - somewhat vague promises of security that could be interpreted as snake oil, conveniently packaged as an EXE with scant information about who's behind it, what it does, and no way to verify any of it. No offense to the authors :)

checjsout
0 replies
2h28m

I wonder if it would trick the compliance department into thinking my computer is safe and leave it alone.

annoyingnoob
0 replies
1h52m

Anyone run this through VirusTotal?

Retr0id
0 replies
9h7m

When hackers install malicious software on a compromised victim, they first check to make sure its safe for them to run. They don't want to get caught and avoid computers that have security analysis [...] tools on them.

Game anti-cheat code makes similar checks (arguably it is malware, but that's beside the point). So, running this might put you at risk of getting banned from your favourite game.

MrVandemar
0 replies
4h34m

No Linux version?

:-)

Dwedit
0 replies
9h57m

Will this cause actual code signature checks to tell if the EXE running is fake or not?

Copenjin
0 replies
9h57m

Very nice and well executed idea, but I think that in many cases this could be overestimating the competence of the attacker.