Fun concept.<p>If the creators read this, I suggest some ways of building trust. There’s no “about us”, no GitHub link, etc. It’s a random webpage that wants my personal details, and sends me an “exe”. The overlap of people who understand what this tool does, and people who would run that “exe” is pretty small.
I don't understand why the software is built how it's built. Why would you want to implement licensing in the future for a software product that only creates fake processes and registry keys from a list: <a href="https://pastebin.com/JVZy4U5i" rel="nofollow">https://pastebin.com/JVZy4U5i</a> .
The limitation to 3 processes and license dialog make me feel uncomfortable using the software. All the processes are 14.1MB in size (and basically the scarecrow_process.dll - <a href="https://www.virustotal.com/gui/file/83ea1c039f031aa2b05a082c63df12398e6db1322219c53ac4447c637c940dae/details" rel="nofollow">https://www.virustotal.com/gui/file/83ea1c039f031aa2b05a082c...</a>). I just don't understand why you create such a complex piece of software if you can just use a Powershell script that does exactly the same using less resources. The science behind it only kinda makes sense. There is some malware that is using techniques to check if those processes are running, but by no means is this a good way to keep you protected. Most common malware like credential stealers (redline, vidar, blahblah) don't care about that and they are by far the most common type of malware deployed. Even ransomware like Lockbit doesn't care, even if it's attached to a debugger. I think this mostly creates a false sense of security and if you plan to grow a business out of this, it would probably only take hours until there would be an open source option available. Don't get me wrong - I like the idea of creating new ways of defending against malware, what I don't like is the way you try to "sell" it.
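The two comments above describe the mechanism (decoy processes and registry keys whose names match a denylist that some malware checks) and note that every decoy image is the same 14.1MB binary. The following is an added example, not Cyber Scarecrow's code and not the pastebin list (which is not reproduced on this page): a Python model of the name-only check that evasive loaders perform, showing that decoys satisfy it, plus a hypothetical counter-check that spots decoys by their identical image size and shared directory. The indicator names, registry paths, process snapshots and sizes are all constructed for illustration.

```python
"""
Added example: model of a name-based anti-analysis check and of why decoy
processes satisfy it. Not the tool's code; indicator lists are assumptions.
Runs offline on constructed snapshots; on a real host you would build the
Proc list from tasklist/psutil and the key set from winreg.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Assumed denylist of analysis-tool image names (illustrative, not from any sample).
ANALYSIS_PROCESS_NAMES = {
    "wireshark.exe", "procmon.exe", "procmon64.exe", "x64dbg.exe", "x32dbg.exe",
    "ollydbg.exe", "idaq.exe", "idaq64.exe", "processhacker.exe", "vmtoolsd.exe",
}

# Assumed denylist of registry keys that imply such tools are installed.
ANALYSIS_REGISTRY_KEYS = {
    r"HKLM\SOFTWARE\Wireshark",
    r"HKLM\SOFTWARE\Classes\x64dbg",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
}
_REGISTRY_KEYS_LOWER = {k.lower() for k in ANALYSIS_REGISTRY_KEYS}


@dataclass(frozen=True)
class Proc:
    """One running process as a check would see it: image path and on-disk size."""
    image_path: str
    image_size: int


def matched_indicators(procs: list[Proc], registry_keys: set[str]) -> set[str]:
    """Name-only check: every process name or registry key that hits the denylist.
    Matching is case-insensitive because Windows names are."""
    hits: set[str] = set()
    for p in procs:
        name = ntpath.basename(p.image_path).lower()
        if name in ANALYSIS_PROCESS_NAMES:
            hits.add(name)
    for key in registry_keys:
        if key.lower() in _REGISTRY_KEYS_LOWER:
            hits.add(key)
    return hits


def would_abort(procs: list[Proc], registry_keys: set[str]) -> bool:
    """Decision a name-checking loader makes: refuse to run if anything matched."""
    return bool(matched_indicators(procs, registry_keys))


def looks_like_decoys(procs: list[Proc]) -> bool:
    """Hypothetical counter-check (an assumption, not something a known sample does):
    real tools are distinct binaries, so if every 'analysis tool' process has the
    same image size, or they all live in one directory, treat them as decoys."""
    suspects = [p for p in procs
                if ntpath.basename(p.image_path).lower() in ANALYSIS_PROCESS_NAMES]
    if len(suspects) < 2:
        return False
    same_size = len({p.image_size for p in suspects}) == 1
    same_dir = len({ntpath.dirname(p.image_path).lower() for p in suspects}) == 1
    return same_size or same_dir


# Constructed snapshots (paths and sizes are made up for the example).
REAL_ANALYST_BOX = [
    Proc(r"C:\Program Files\Wireshark\Wireshark.exe", 4_800_000),
    Proc(r"C:\Tools\x64dbg\release\x64\x64dbg.exe", 2_100_000),
    Proc(r"C:\Windows\explorer.exe", 5_000_000),
]
SCARECROW_BOX = [  # three decoys, one image, one directory
    Proc(r"C:\Program Files\Scarecrow\wireshark.exe", 14_100_000),
    Proc(r"C:\Program Files\Scarecrow\x64dbg.exe", 14_100_000),
    Proc(r"C:\Program Files\Scarecrow\procmon.exe", 14_100_000),
    Proc(r"C:\Windows\explorer.exe", 5_000_000),
]
CLEAN_BOX = [Proc(r"C:\Windows\explorer.exe", 5_000_000)]

if __name__ == "__main__":
    for label, box in ("analyst", REAL_ANALYST_BOX), ("scarecrow", SCARECROW_BOX), ("clean", CLEAN_BOX):
        print(label, "abort:", would_abort(box, set()), "decoys:", looks_like_decoys(box))
```

The point the model makes: a name-only check cannot tell the analyst box from the scarecrow box, which is exactly why the decoys work today, and a one-line size or directory comparison is enough for an attacker to tell them apart, which is why the thread keeps calling it an arms race.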
Neat.<p>But this literally comes off as probably being malware itself.<p>If you're going to ship something like this, it needs to be open source, preferably with a GitHub pipeline so I can see the full build process.<p>You also run into the elephant repellent problem. The best defense to malware will always be regular backups and a willingness to wipe your computer if things go wrong.
I would assume there would be a small intersection of people that would download and install a windows program from an unknown web page and those that are worried about malware.<p>But perhaps I'm wrong
Lol, this website is registered to someone in Iceland, despite the assurance that it is a "security researcher living in the UK". I'm sure the results from this experiment will make a cool blog post about pwning tech savvy folks.
Narrator: and so the arms race continues.<p>I guess if this gets enough attention, malware will just add more sophisticated checks and not just look at the exe name.<p>But on that note, I wondered the same thing at my last workplace where we'd only run windows in virtual machines. Sometimes these were quite outdated regarding system and browser updates, and some non-tech staff used them to browse random websites. They were never hit by any crypto malware and whatnot, which surprised me a lot at first, but at some point I realized the first thing you do as even a halfway decent malware author is checking whether you run in a virtualized environment.
Why does malware “stop” if it sees AV? Sounds as if it wanted to live, which is absurd. A shady concept overall, cause if you occasionally run malware on your pc, it’s already over.<p>Downloading a random exe from a noname site/author to scare malware sounds like another crazy security recipe from your layman tech friend who installs registry cleaners and toggles random settings for “speed up”.
I heard you could do something very similar but with installing the Russian Keyboard layout and having it available as an option. A lot of malware from Russia won't run on computers with a Russian keyboard layout, because they only get in trouble with the law if the malware impacts Russian users.
Isn't the risk then that they'll first start scanning for "Scarecrow", or is that hidden somehow?<p>Also somewhat surprised the source isn't available. That makes trusting it harder, especially to the people it's aimed at.
One of the references in "How does it work" [1] mentioned that some hackers will not mess with computers with a Russian keyboard, so you can add one to reduce your chance of getting hacked.<p>Hilarious aside, it would only work if you don't actually use multiple keyboards -- otherwise an additional one would make switching between multiple keyboards very annoying [*].<p>It also mentions some other changes like adding RU keywords to your registry. Again, these measures would have many side effects since lots of software actually use these registry entries for legit reasons. So I don't know if this Cyber Scarecrow product would have this problem, since it does modify registry, too.<p>1: <a href="https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/" rel="nofollow">https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...</a><p>*: A little rant: as someone who uses three virtual keyboards (English, Chinese, Japanese), it is already a pain in the ass to switch them since MS does not follow "last used" switching order (like alt+tab). Instead, it just switches in one direction.
> When hackers install malicious software on a compromised victim, they first check to make sure its safe for them to run. They don't want to get caught and avoid computers that have security analysis [...] tools on them.<p>Game anti-cheat code makes similar checks (arguably it <i>is</i> malware, but that's beside the point). So, running this <i>might</i> put you at risk of getting banned from your favourite game.
When will Scarecrow Advanced++ with NextGen Anti-Detection and Cloaking be released?<p>Jokes aside, this is a temporary fix at best, a waste of resources and an impression of safety at worst.
Fun concept, but this is security by obscurity. Other heuristics:<p>- providing fake manifests to hardware drivers commonly associated with virtual machines
- active process inspector handles
- presence of any software signed by hexrays (the ini file is usually enough)
I really don't get why this would be a 71mb installer that takes up 113mb when installed. If they are literally just fake processes running that have the right names, why couldn't this be a 100kb installer?
Hahaha it's such a lovely idea! Turning the opponents detection against them, I very much dig it!<p>Here's a caveat though: Attackers will at some point notice scarecrows and simply work around them. Now suuure, if you have a better lock than your neighbours, that decreases your chances of getting broken into, but in the end this is a classic "security by obscurity" measure. So if your time and computer/data is valuable, I would rather invest in other security measures (firewall, awareness training, backups etc.)
I guess the indicators used largely overlap with the ones used by anti-cheat software, so you probably want to think twice before using that on your gaming pc :)
Krebs said that some malware checks for a cyrillic keyboard to try and geo target outside of the country of operation. This seems to be the same type of thing.<p><a href="https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/" rel="nofollow">https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...</a>
I get the idea but the "science" is based on reports; it doesn't look like this has been tested with actual malware. Would be interesting to know how well it works.<p>Also make it OSS and ask for donations. Not sure what your future earning model is but it seems easy to replicate and, as pointed out several times, right now it asks us to blindly trust you.
Another simple trick is to add the Russian or Ukraine virtual keyboard to your OS. I’m curious if this tool does this as well.<p><a href="https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/" rel="nofollow">https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...</a>
As much as I'd love to see something like this everywhere, the problem is it's useless for everyone who loves to play online games or watch DRM-encumbered content, so the majority of the population... because DRM, anticheat and malware all fear the same set of tools/indicators.
"Fake Processes. Scarecrow will create a number of background processes that don't do anything, but look like security research tools.
Fake registry entries. Scarecrow creates registry entries to make it look like security tools are installed on your computer."<p>I'd be interested to see this tested, there's tons of good malware repos out there like vx-underground's collections that can be used to test it.<p>If you don't wanna share the source, somewhat logical. Perhaps run a test versus gigabytes of malware samples and let us know which ones actually query these process names / values you create and disable themselves as a result??
This is a really cool concept! Even if it's difficult to trust it as-is (for reasons stated ad nauseam in other comments), this might put gas on the fire of a so-far small area of malware research, which will be good for the community at large.<p>It's obviously an arms race when it comes to malware, but this could be a significant step forward on the defensive side, forcing malware developers to evolve their TTPs.
I decided to use Bitdefender a few months ago because I suspected my Mac had malware. I was right, there was adware in the Firefox files, so it did its job.<p>But, my experience with the antivirus was horrible. When I first opened the app there were popups everywhere advertising their other products, and the overall UI didn’t look trustworthy.<p>I am no security expert, so I’m asking: is this the best way to deal with malware?
I've heard one thing that motivates malware to ignore your computer is having a Russian keyboard installed. <a href="https://krebsonsecurity.com/2021/05/try-this-one-weird-trick-russian-hackers-hate/" rel="nofollow">https://krebsonsecurity.com/2021/05/try-this-one-weird-trick...</a>
It asks for our names and emails, provides an opaque exe and no source code, asks to be run as admin, pings home, doesn’t say who you are or how many of you there are, and justifies it all with “trust me bro”.<p>People, this is malware. Please don’t fall for it.<p>I don’t think it’s wise to leave this on the front page. I hope dang agrees and takes it down.
Many of the most dangerous threat actors simply don't care about getting caught. They are operated, financed and protected by nation states, and/or operate from geopolitical locations where law enforcement is lacking.
Sounds like a very interesting concept. I'd like to see someone actually test this though.<p>Try running this on a Windows PC with Windows Defender off & just Scarecrow running. You could use the MaleX test kit [1] or a set of malware such as the Zoo collection [2] or something more current. I'd be very interested to see how many malware executables stop half way through their installation after seeing a few bogus registry entries/background programs running. I'm not trying to imply it's worthless, but it needs some actual "real world" test results.<p>[1] <a href="https://github.com/Mayachitra-Inc/MaleX">https://github.com/Mayachitra-Inc/MaleX</a>
[2] <a href="https://github.com/ytisf/theZoo">https://github.com/ytisf/theZoo</a>
While this is a really interesting idea, and assuming that it's actually completely safe, the irony is that it looks <i>exactly</i> like what I would expect a trojan to look like - somewhat vague promises of security that could be interpreted as snake oil, conveniently packaged as an EXE with scant information about who's behind it, what it does, and no way to verify any of it. No offense to the authors :)
This software pings home. Also uses .NET which is complete overkill for such a simple app.<p>Would not recommend installing. It's someone's hobby project that runs as administrator.
I wonder if you can make malware think your language and keyboard layout is Russian without having to endure the setup, that's been known to deter some nasty stuff.
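Several comments in this thread (the Krebs link, the "add a Russian keyboard" suggestions, and the question just above about faking the layout without installing it) refer to the same check: malware enumerates the installed keyboard layouts and refuses to run if one belongs to a CIS locale. The block below is an added example, not Cyber Scarecrow's code and not code from the Krebs article. It decodes Windows HKL handles (the low 16 bits are the language identifier, e.g. 0x0419 for Russian) and applies the check to constructed handle lists; the set of "do not run here" LANGIDs is an assumption about what such a check contains. On Windows, `live_layouts()` reads the real list through `user32!GetKeyboardLayoutList`, which also answers the question above: the check reads the installed-layout list, so without installing the layout you would have to hook that API to fake it.

```python
"""
Added example: the installed-keyboard-layout check described in the Krebs
article, modelled in Python. Not the tool's code. CIS_LANGIDS is an
assumption; the HKL lists at the bottom are constructed for offline testing.
"""
import ctypes
import sys

# Assumed "do not run here" language identifiers (primary + sublanguage).
CIS_LANGIDS = {
    0x0419: "ru-RU",
    0x0422: "uk-UA",
    0x0423: "be-BY",
    0x043F: "kk-KZ",
}


def langid_from_hkl(hkl: int) -> int:
    """The low word of an HKL is the input language identifier;
    the high word is a device handle for the physical layout."""
    return hkl & 0xFFFF


def matching_cis_layouts(hkls) -> list:
    """Locale tags of every installed layout that is on the assumed list."""
    return [CIS_LANGIDS[langid_from_hkl(h)] for h in hkls
            if langid_from_hkl(h) in CIS_LANGIDS]


def would_abort(hkls) -> bool:
    """Decision the loader makes: refuse to run if any listed layout is installed."""
    return bool(matching_cis_layouts(hkls))


def live_layouts() -> list:
    """Windows only: enumerate installed layouts with GetKeyboardLayoutList.
    Raises OSError elsewhere so the rest of the module stays usable offline."""
    if sys.platform != "win32":
        raise OSError("GetKeyboardLayoutList is a Windows API")
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    fn = user32.GetKeyboardLayoutList
    fn.argtypes = [ctypes.c_int, ctypes.POINTER(ctypes.c_void_p)]
    fn.restype = ctypes.c_int
    count = fn(0, None)                 # first call: how many handles
    buf = (ctypes.c_void_p * count)()
    n = fn(count, buf)                  # second call: fill the buffer
    return [int(buf[i] or 0) & 0xFFFFFFFF for i in range(n)]


# Constructed HKL lists. A default layout repeats the LANGID in both words.
US_ONLY = [0x04090409]
US_PLUS_RUSSIAN = [0x04090409, 0x04190419]
# A layout with a different device handle in the high word still decodes.
US_PLUS_RUSSIAN_ALT_DEVICE = [0x04090409, 0xF0010419]

if __name__ == "__main__":
    try:
        hkls = live_layouts()
    except OSError:
        hkls = US_PLUS_RUSSIAN  # constructed fallback off Windows
    print([hex(h) for h in hkls], "->", matching_cis_layouts(hkls), "abort:", would_abort(hkls))
```

Note the side effect the earlier comment about multiple input languages raises: the check only sees layouts that are actually installed, so the decoy has to sit in the user's layout list and will show up in the language switcher.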
So immediately I am wondering what the list of process names is?<p>Lots of people on HN could easily spin up their own fake processes if they knew the names?
Get a PTR record for your IP, let it resolve to honeypot087.win.internal.security.example.com, that will make your IP less interesting... To some people
legit, or best malware install attempt ever? assume all is good if you detect the cyberscarecrow process? how can this have a long-term effect?<p>if you have malware probing your processes to decide if it can run or not you have a very serious problem regardless of whether it decides to run or not, there is an entrance to your systems you don't know about.
I call BS. How it works says: "When hackers install malicious software on a compromised victim, they first check to make sure its safe for them to run."; Download asks for e-mail and name; Does not seem multiplatform and I would never install anything like that on my computer in a dream unless it were open source.
Setting aside the concerns with this specific implementation and thinking more of "the idea" I think the biggest concern is this sort of application causing legitimate software to fail to run[0] and how one would "white-list" an application from seeing these "fake artifacts designed to trick malware."<p>The problem is "the fake components" would have to be prevented from being detected by legitimate software and the only way I can think to do that would be to execute everything in a sandbox that is capable of: (a) hiding some contained running processes (the fake ones) from the rest of the OS while (b) while allowing the process that "sees the fake stuff" to be seen by everything else "like any old process."<p>Applying ACLs (and restricting white-listed processes) might work in some cases; might equally just be seen as a permissions problem and result in a nonsensical error (because the developers never imagined someone would change the permissions on an obvious key), or it might be that the "trick" employed is "Adding a Russian Keyboard" which <i>can</i> be very disruptive to the user "if they use more than one input language" or "is one of those places where a program may read from there never expecting to encounter an error."<p>A lot of this seems like it would require use of containerization -- docker/docker-like -- for Windows apps. I'm familiar with a few offerings here and there, but I've worked with none of them and I run Linux more than Windows these days. So my questions really boil down to:<p>Where's Windows containerization at? Would it be possible to run an application in a docker or docker-like container with a Windows kernel which can have its environment controlled in a manner that is more transparent to the application running within the container? 
Is there any other approach which would allow for "non-white-listed applications" to run containerized and "see the Scarecrow artifacts", while allowing the white-listed applications[1] to run outside of the container in a manner that hides <i>some</i> of the processes within the container. Can it do all of that in a manner that would work if the same "check" were repeated immediately after confirming an Elevation dialog[2] from the white-listed application in a manner that couldn't be defeated by repeating the same "check" after presenting an elevation dialog?<p>Again, that's assuming "this is a brilliant idea" -- and there's some evidence that as a concept, at least, it would help (ignoring this particular implementation of the idea), but it still suffers from its success, so the extent that it helps/is adopted equates to how long any of these techniques aren't defeated. And just from the sense I get of the complexities required to "implement this in a manner that legitimate won't fail, too", I suspect it will be easier to defeat a tool like this than it will be to protect against its defeat. In other words, the attacker is a healthy young cat chasing a tired old mouse.<p>[0] Anti-cheat being the most obvious, but those are often indistinguishable from malware. I'd encountered plenty of games/apps in the 90s that refused to run when I ran software to trace aspects of their memory interaction. 
I had some weird accounting app that somehow figured out when <i>my own code</i> (well, code I mostly borrowed from other implementations) was used for the same purpose.<p>[1] The assumption being that "a legitimate application which does these kinds of checks" is also likely to refuse to run within a container unless it's <i>impossible</i> to detect the container as reliably as everything else (and vendors are completely tolerant of false positives if the affected customers don't represent enough in terms of profit, or the solution is "don't run that unusual security software when you run ours").<p>[2] I've seen it enough with Easy Anti-cheat that I just click "Yes" like a drone. There was at least one occasion when it popped up after I had installed some developer tooling but <i>not</i> had a game update come down between launches. Because it was a huge install, it may just have been that the game detected... I have no idea <i>why</i> this happens -- on a few occasions, I had no update applied between loads but had installed other software so it could have been "to fix something that software broke" but it could also have been "to re-evaluate the environment as an administrator because something changed enough on the system to warrant a re-check that it is still compliant with the rules"
I'm confused about the tradeoff of not running the software that you're pretending to be running? Most AV definitely feels like malware itself, so maybe that's your point? But it would probably be better to run good software than fake bad software?
Outside of the authorship/open-source fears[0], this is one of the more interesting ideas to surface in anti-virus.<p>Facing reality: anti-malware tooling is inadequate -- so inadequate, I haven't found a reason to purchase it for the one Windows machine I still have. People say "Defender works well enough, now!" and I think that's a pretty adequate way of describing it in that anti-malware has an impossible job and that is evident by every vendor's failure to succeed at it. So why pay for it?<p>It's <i>always</i> a cat-and-mouse game. This is an interesting approach, though, because it could shift the balance a little bit. Anti-malware's biggest problem is successfully identifying a threat while minimally interfering with the performance of an application. A mess of techniques are used to optimize this but when a file has to be scanned, it's expensive. It'd be interesting to see if it'd be possible to eliminate some variants of malware from on-demand scanning "if this tool defeats the malware as effectively", pushing scanning for those variants to an asynchronous process that allows the executable to run while it is being scanned.<p>I can see a lot of the problems with this kind of optimization[1]: it turns a "layer in the onion" into a replacement for an existing function which has more unknowns as far as attacks are concerned. Creating the environmental components required to "trick the malware" may be more expensive than just scanning. White-list scenarios may not be possible: I suspect anti-cheat services and potentially legitimate commercial software might be affected, as well[2] ... getting them to white-list a tool like this won't be easy unless the installed base is substantial. I suspect that "hiding the artifacts this tool creates to trick malware" from a white-listed processes might be impossible.<p>For at least a brief moment, this might be a useful tool in preventing infections from unknown threats. 
Brief, because -- by the author's own admissions (FAQ) -- it will devolve into a cat-and-mouse game if the tool is popular enough. There's another cat-and-mouse game, though. If this technique isn't resource intensive while offering protection somewhere in line with what it would take to implement, all of the anti-virus vendors will implement it -- including Microsoft. And they will be seen by customers as far better equipped to play "cat" or at least "the choice you won't get fired over."<p>And that's where it makes a <i>whole lot of sense</i> to open-source the product. It's a clever idea with a lot of unknowns and a very low likelihood of being a business. Unless it's being integrated into a larger security suite (same business challenges, but you have something of "a full product" as far as your customers are concerned), its only value (outside of purely altruistic ones) would be either "popping the tool on the author's related business's website" to bring people to a related business/service or as a way to promote the author's skill set (for consulting/resume reasons). I'm not arrogant enough to say there's <i>no way</i> to make money from it, I just can't see it -- at least, not one that would make enough money to offset the cost of the "cat and mouse" game.<p>[0] Which, yeah, "I wouldn't run it on my computer" but I give the authors enough of the benefit of the doubt that "it's new"<p>[1] Not the least of which being that I do not author AV software so I have nothing to tell me that any of my assumptions about on-demand scanning are correct.<p>[2] It used to be a common practice to make reverse engineering more difficult.
> <i>Scarecrow creates registry entries to make it look like security tools are installed on your computer.</i><p>Best simple anti-malware technique: don’t run Windows.