Pretending to be a VM to STOP Malware

Captions
Hello everybody, my name is Eric. Today we're going to be looking at Cyber Scarecrow. Now, if you've ever watched my "how to make a stealthy VM" video, you may have had the idea: well, if all of these checks are meant to stop security researchers from reverse engineering malware, what if we turn this on its head and simply try to defeat malware by pretending to be an analysis system? So that's exactly what these people have done. It does a couple of other things that malware doesn't like, such as... okay, I don't like this. There are a few issues I have with this before we try it out. It's not open source, which is fine, you know, especially if you want to make money, I get it, but I don't like the idea of installing something this deep that isn't open source. But we're going to just do what they say, because my information is public anyway, so I don't care. We're going to get Scarecrow installed. We're currently in alpha, okay, but why would you want to collect my email address? Okay, options. Okay, well, I don't care about where it's installed. Cyber Scarecrow installer version. Now we can see what it's actually done. We can reboot the system, of course, and then we can find out how exactly this works.

Now it would be as simple, although of course it would give researchers an edge, to simply check if Cyber Scarecrow is installed and then disable all of the checks. I hope malware authors do that; that would make everyone's life easier. That's kind of the thing I like about this: ultimately it probably won't do that much to stop malware, but it will probably do quite a bit to help malware analysts if it becomes popular. If it doesn't become popular, it may end up being very useful. So here we go, and now we've got the desktop shortcut, Scarecrow tray, and there's a million security warnings because this is an unknown publisher. There's settings, okay, scary processes. Okay, so we've got a fake VirtualBox service, a fake VDI service, and we've added registry keys from VirtualBox and Oracle, so VM detection is not going to be thrilled.

Okay, so maybe they intend on selling it, and that's why they want to have it proprietary. Now the obvious problem with this is there's a lot of software which is not considered malicious that doesn't like running in an analysis environment. The problem here is, for example, I can pretty much guarantee (I obviously can't run Valorant on this VM to begin with) that you wouldn't be able to play Valorant or really any game that doesn't allow virtualized environments, which is not great, but maybe that's okay, maybe it isn't. So just something I'm warning about. And now there's one thing I was sent that's open source called Safe Exam Browser that I can simply test. Someone asked me to test this on a stealthy VM. I don't recommend ever trying to run something like this in a virtualized environment, because a false academic cheating allegation is something that could get you into a lot of serious trouble and negatively affect the course of your life, and whatever reason you have for it is probably not worth it, but you can do what you want. Okay, so we've got Safe Exam Browser installing and we can see if this will run. Now of course it could just be blocked anyway, but someone did tell me that it does run with VMwareHardenedLoader, so if it fails, because the check on it is quite simple, I'm expecting it will fail because it's using the same strings. Now what I'm also going to do is borrow the Pylon protection check, which is about the same as every other one I have seen, that blocks this list of tools, which would include VBoxService, so it's probably going to work, that'd be my guess. Okay, so now let's see. Does Safe... verifying integrity... nope. So you cannot use Safe Exam Browser, probably cannot. That means if you use any proctoring software this is going to trigger it, and there's no way around that. So now let's try this piece of code. Can also run paranoid fish again to see if it's changed my paranoid fish score back.

Okay, protection check. So here's the Pylon check. It is hitting, and we can actually make this a bit more verbose by simply making it actually print what failed and the process that ultimately was caught. And this also allows us to prove that it's not just because it's VMware that it's catching this: no, it's VBoxService, despite the fact this is not a VirtualBox VM. Now, one way you could identify this is because it's going to pretend to be multiple different things. If they were to, for example, have fake VMware Tools and fake VirtualBox tools, it is impossible to have both of those going at the same time, so that would be one way of catching it. So now the next thing to do is to go to ILSpy, which is a decompiler for .NET, so that we can verify whether there's anything spooky that isn't just spooky to malware. Seems like most of the code lives in this DLL, so we're just going to unpack this. Okay, Scarecrow core, license, okay, there's a license manager. Actually, I'm not going to show that, because whatever's in the license manager is not, you know, I don't want to be cracking this. Autostart, registry, okay. What, task schedule? These are all normal. So process manager, okay. These are all exactly 14.1 megabytes, so it might be worth just checking out what these processes actually do, just to make sure that they're not hiding anything. So the fake VBox service, okay, Scarecrow process, okay, so it does nothing essentially, which is what I would expect it to do. So there's nothing that looks spooky in here. Okay, and these are just... now, given everyone is getting the pro version at this point, that's fine. Bull is running, of course. In order to make sure that there's no hidden spookiness in here, it never hurts to run network analysis just in case something may be hiding that we don't want. So I'm just going to set that up and then we're going to reboot. Now the Cyber Scarecrow site is running on Vercel, so if we see any requests to that IP range, we know that Cyber Scarecrow is phoning home. So far so good.

Now let's just check about this license, okay, just purely because this looks like a JSON Web Token, and I am guessing that would have come from when we gave them our email. So to me that seems pretty clear. Some of the characters were wrong, but it's pretty clear that there's no personal information in here, so that's good. So it seems to be legit. So the only way to test this out is to go and find a Fortnite skin swapper and see if it works or not. Here we go, we've got a fake Galaxy Swapper. I had to go to a different download because the first one wasn't cooperating, and let's see what... I think this is the mighta pack, some of them all, I don't know about this one. See what that has to say. Only about half, okay. We're going to allow it, because I'm not sure if Defender just killed it before its own VM checks could have, but that's not a great sign. That definitely did not work. This is, I'm guessing, a Lumma sample, so no, does not work against Lumma Stealer. Whether that's because this isn't VM-aware or not, I don't know, and it was seemingly successfully able to drop another piece of malware, although I think Defender may have blocked that. So good work, Windows Defender; not so good work to Scarecrow here. Okay, so yeah, there's some dropper activity that was blocked by Defender, but we already got deep enough that this is clearly not going to stop it. So we can try some different ones, because you can usually find a variety. But it's about the same as what someone in my Discord said: a lot of these checks, they exist enough to be annoying, but they don't exist enough that you could reliably use them as a source of... okay, no, this is just a random pay-to-cheat. Let's find an actual fake. I don't know why they have this horrendously bad thumbnail. Oh, okay, so now let's see what this one does. I'm going to turn off Defender before we run this one, just to make sure that that doesn't intervene. I do want to see... now that looked more like a VMware failure. No, seems they're okay. They're using a random port for TLS instead of port 80, but yeah, no, and that's a similar command and control server. So nope, this one worked too. Yep, and just to test it again, I just ran it again to make sure that was the source of the hit, and yep, no, it worked.

So is this very effective? One in three: it would work against Pylon, it would not work against either of the stealers I found in the wild, and I don't know if the Russian locale thing that they had mentioned even got implemented, but it's kind of an interesting one. Of course, it seems to me like this is probably not worth installing, because it's more likely to cause problems with software like anti-cheat that doesn't like VMs than it is to prevent malware, but maybe with enough time this can improve. It's definitely a very cool idea. So that's going to be all for now, bye.
Info
Channel: Eric Parker
Views: 143,625
Id: zTOKEKQ8ITA
Length: 10min 36sec (636 seconds)
Published: Fri Jun 21 2024