Pretending to be a VM to STOP Malware 

it also scares off valorant

i love the idea of an anti-malware "spooking" malware away, just like "boo, i'm running vbox tools" "aaah, goodbye"

"we will not share it, or send you spam" tf you want my email and name for then?

cyber scarecrow is so scary that Eric put it in a real VM just in case.

Honestly this is an absolutely brilliantly hilarious idea, I love it! It's almost like dressing up as a robber and grabbing your TV once you hear someone trying to break into your house and being like "Ooops looks like there's two of us here, while I was here first so yeah" lol 😂

summary: prevents you from loading legitimate applications that don't like VMs; does nothing against most malware that don't like VMs. literally the worst of both worlds lol

Conversely, when malware observes dumb video games, edu proctor software, hypervisors, etc., then it can reasonably assume it is running directly on a host environment.

>PC name is lain Oh this guy a serious programmer

That "Safe Exam Browser" thing is a joke anyway. Defeating it is as easy as using a second device.

it also scares off games It is so dumb that anti-cheats think blocking obvious virtual machines does anything to stop cheaters

* scares them in linux *

It would actually be cool if everyone would install it. Then software devs would abandon VM checks if everyone use it for extra security.

they took your advice and actually made a direct download

You know what I like about your videos? You just post desktop and get straight to the point. You also pump out content frequently. Subbing to you today and should have done it sooner - thanks for the fun videos!

that's actually pretty cool, the issues you talked about in the start are pretty big tho.

windows username lain. well. can't say I'm too surprised. nice detail.

1:30 what if securety people just installed scarecrow in a VM to trick malware into disabling checks lol?

He's a genius. Instant promotion to head of NSA. Congrats

I agree, it is a REALLY cool idea to pose as malware researcher to prevent malware from running on your computer

If this also were to become prevelant, what would stop amy halfway sophisticated malware developer for just checking if Scare Crow was installed.

man i feel like your content is increasing in quality, keep it up! also i really love the 30 minutes malware videos, they always cheer me up.

if this becomes popular then it will be straightforward to counter, Simply check for scarecrow, look at the processes directory, analyze the process, etc

I WAS THINKING OF THIS EXACT SAME THING JUST A WEEK AGO. I GOT RECOMMENDED THIS VIDEO TODAY. I AM ABSOLUTELY TERRIFIED OF THE UNKNOWN MEANING OF THIS.

I recently discovered you channel and I love it. Any video on VM escaping worms anytime soon?

Oh wow! I was thinking of this some moments ago and then I see you posted a video about it. GG 😊

A simple VM check is to see if SMART attributes can be read... But for userland software, a file recency check to ensure that there are both new and old files on the system

Great video, throughly enjoyed this one

Startups like to do this thing where they collect user data to show Venture Capitalist firms/individuals that their service has "X amount of users" or some bs. It does actually translate into higher valuations for startups, so that is why they do it. I recommend using fake info for this type of data phishing.

Could it also not be Open source because they do not want Malware devs to look at the code and Notice it?

dudes accent visited every former british colony

i couldn't believe that he used personal email instead of a temp mail xD

Could you make a video about malware escaping VMs? I heard it was possible but quite extremely rare.

Woo! Thanks for making this video

The idea is really cool, I would like to someday see an open source version and one I could use on Linux.

Okay but the idea of malware developers changing up their malware to check for scarecrow is kinda funny. Because if you then run scarecrow in a virtual machine it would trick the malware into running... Which is kind of the literal opposite of what it was intended to do

Hiya. Whats the software that you are using there to track network requests? Is that a system that is using the wireguard key to tunnel all traffic through that application? If so its pretty cool!

I’ve really discovered that windows defender is the only thing you really need. If it’s getting around windows defender, it’s getting around basically whatever you’ve got

Why the heck is this RU-vid channel so good

1:30 are you running software that pretenda that your pc is vm inside actual vm? Wouldn't then all thw software you tested detect the actual vm?

The best cyber scarecrow is just Windbg. Every malware fears a debugger

The email adress stuff is now optional, there's a "Or skip to direct download here" button.

Dunno if it's new or something, but you can skip the email thing now. It's also possible to temporarily stop it in the scarecrow settings if you have a game like valorant.

I do have a question. Why does the checks for the PySilon not include checks for drivers like the VFIO drivers? They are the ones commonly used in QEMU/KVM. My gaming VM has none of the blacklisted processes or files and I am not even hiding the fact that it is a VM.

This video is so scary is scared away all youtube ads in my language

"it's not open source", uses windows

The fact that it's not open source sets off some red flags for me. Absolutely nope-ing out right here.

It is definitely a good idea, but not every malware needs to be vm protected, since it usually is the same thing with some extra junk code and a different name

I'm curious, do you have any good ways to monitor USB traffic for malicious activity? I have to regularly bring in new hardware like keyboards or mice into the enterprise and test and validate them, but I'm struggling to find some straight forward techniques apart from ripping these devices apart to look for unusual usb controllers or hoping if there is anything that the AV picks it up within our dev environments when I'm testing lol - - I do a basic review with process Explorer, and also start a ProcMon trace just to see if anything stands out but I think my trace might be too broad for it. Any advice?

I like the idea - maybe if they had some kind of way of having this built into windows for unknown apps...

Great vid, let’s all love Lain

Malware (Waluigi voice): Wahh! I will steal all your info **Thinks is in a vm** Malware: Bye have a great time... **PS2 Boot up sound**

does the undetectable VM allow running programs and resources that would run in a native environment, or are there still limitations?

The user is Lain? Seems fitting.

This reminds me of some Worm virus on XP that if it detected that you have the .EXE file, it won't infest you, so you could just put a fake .txt file and mask it to pretend it to be the worm virus, and it won't do anything to you lol

I CAN'T GET OVER THIS. IT'S LIKE A DIGITAL SCARECROW. AND IT WORKS.

This is so stupid but actually so smart at the same time

Regarding your comment of detecting fake vms by checking if multiple tools (ex. vbox guest additions and vmware user) are running, a real vm could also use multiple fake tools to trick the malware into thinking its an fake vm, or is my logic flawed?

I've had this same idea for ages!

Not super familiar with anti-VM actions by software, but there are a ton of ways to detect whether you're in a VM. My guess is that most software just uses #1 and #4 below because they can be easily implemented. 1. Check the CPU, CPU flags, and core configuration -- the CPU model string and CPU flags, such as the 'hypervisor' flag; as well as the processor core configuration 2. Check the DMI, SMBIOS, and ACPI information -- BIOS vendor: SeaBIOS, VMware, OVMF; mainboard vendor, memory vendor and model, etc. 3. Check the PCI and USB devices -- this is probably the most difficult part to spoof when attempting to masquerade a VM as a real machine-- even if you use full host passthrough mode and use fully emulated devices for ethernet, disk, and sound, there will likely be an emulated VGA device and emulated keyboard/pointer devices, which would be easy to check for 4. Checking for guest agents (vbox tools, vmware tools, QEMU guest agent, etc.) -- which to me is probably the laziest way and the easiest to defeat. If that is the only thing that Cyber Scarecrow is doing, it's basically useless as mentioned.

me when viruses give u a bsod when you're running it on a vm:

Eric is blowing up on youtube lately :)

If "legitimate" software doesn't like being tracked what it's doing, likely it's doing something you don't want to see.

this is such an incredible niche edge case way of dealing with malicious software lmao why

"Scary processes" [Discord pops up] 😆

you need to update the videos in the "More Malware Investigation Videos" section to be more recent malware themed ones

What are you using for capturing network requests?

0:33 well well well, that's a very deep well

Good video!

Thanks - HitmanPro Alert does something similar to this as well (not sure what method it uses)

Pro: It stops anti-cheat from running.

This thing might be perfect when we modified the core count, disk name, gpu driver name, motherboard name and other hardware replaced into vmware or vbox stuff

Hi. What are you using as the wg traffic logger?

I'm already scared by that thing asking for your email address

Plot twist: The malware tricked you after opening it.

i should have thought about this sooner

Joining the Lain squad.

1:50 I'm hearing duvet in my head

what we learned today: some malware developers don't care about VMs and windows defender has got hands

Running this software to pretend you're a VM, running on a VM :D

Cool in concept but I have my doubts that it'll ever be useful. As you said it will most likely stop you from using something you want to. And they are banking on malware to please only do VM detection and not start detecting Scarecrow.

i bet bro clicks on any scam email he finds

the first thing u said is literally what i was thinking

3:44 "borrow" ah yes the classic programmer term for stealing lmfao

This is actually a super clever idea lol

whats the software youre using for intercepting traffic

I was just thinking of this after your last one

i would think something like this would be a "run once and delete after" type thing so any future malware cant detect it was used

Such things existed years ago when I just stepped into this field. The reason why they didn't become popular is that they don't work. VMs are so common nowadays that I rarely run into samples allergic to VMs anymore. In simple words, do not use this. Even worse, it's closed source. It's not trustworthy AND not useful.

Honestly, running loonix makes more sense at that point. Runs better, less parties to trust, less bloat 👍

How hard would it be to recreate something similar but open source?

The idea is pretty interesting but the execution by this 'scarecrow' thing looks pretty shoddy

couldnt the malware devs just look for the scarecrow process as well if it got too popular?

You can run the games in a VM tweaked to look like it is not a VM.

malwares now gonna check and be like "wow bro has both virtualbox addtions and vmware tools installed." ;P

3:04 school pc moment

there is a patch for safe exam browser to make it work with vm ware. using linux or mac os you need VMs for a lot of software in school

if the source code isnt available, for the malware its harder to find out the cues for vm are just flukes

Hi Eric, I have couiple of questions for you; Is Genp safe? Is the 2023 version of lightroom by thumper TM on tpb safe? I need lighroom and I trust your opinion.

Plot Twist: Cyber Scarecrow was actually the virus, scaring you off

if Malware checks for this fake VM software and would run normal as a result, it would be awesome to install this tool in a VM as the malware would be running in a VM assuming it was on a real HW.