it also scares off valorant

i love the idea of an anti-malware "spooking" malware away, just like "boo, i'm running vbox tools" "aaah, goodbye"

"we will not share it, or send you spam" tf you want my email and name for then?

cyber scarecrow is so scary that Eric put it in a real VM just in case.

>PC name is lain Oh this guy a serious programmer

summary: prevents you from loading legitimate applications that don't like VMs; does nothing against most malware that don't like VMs. literally the worst of both worlds lol

Honestly this is an absolutely brilliantly hilarious idea, I love it! It's almost like dressing up as a robber and grabbing your TV once you hear someone trying to break into your house and being like "Ooops looks like there's two of us here, while I was here first so yeah" lol 😂

Conversely, when malware observes dumb video games, edu proctor software, hypervisors, etc., then it can reasonably assume it is running directly on a host environment.

That "Safe Exam Browser" thing is a joke anyway. Defeating it is as easy as using a second device.

* scares them in linux *

It would actually be cool if everyone would install it. Then software devs would abandon VM checks if everyone use it for extra security.

it also scares off games It is so dumb that anti-cheats think blocking obvious virtual machines does anything to stop cheaters

they took your advice and actually made a direct download

You know what I like about your videos? You just post desktop and get straight to the point. You also pump out content frequently. Subbing to you today and should have done it sooner - thanks for the fun videos!

that's actually pretty cool, the issues you talked about in the start are pretty big tho.

1:30 what if securety people just installed scarecrow in a VM to trick malware into disabling checks lol?

windows username lain. well. can't say I'm too surprised. nice detail.

He's a genius. Instant promotion to head of NSA. Congrats

I agree, it is a REALLY cool idea to pose as malware researcher to prevent malware from running on your computer

This reminds me of some Worm virus on XP that if it detected that you have the .EXE file, it won't infest you, so you could just put a fake .txt file and mask it to pretend it to be the worm virus, and it won't do anything to you lol

If this also were to become prevelant, what would stop amy halfway sophisticated malware developer for just checking if Scare Crow was installed.

Could it also not be Open source because they do not want Malware devs to look at the code and Notice it?

man i feel like your content is increasing in quality, keep it up! also i really love the 30 minutes malware videos, they always cheer me up.

Startups like to do this thing where they collect user data to show Venture Capitalist firms/individuals that their service has "X amount of users" or some bs. It does actually translate into higher valuations for startups, so that is why they do it. I recommend using fake info for this type of data phishing.

I WAS THINKING OF THIS EXACT SAME THING JUST A WEEK AGO. I GOT RECOMMENDED THIS VIDEO TODAY. I AM ABSOLUTELY TERRIFIED OF THE UNKNOWN MEANING OF THIS.

A simple VM check is to see if SMART attributes can be read... But for userland software, a file recency check to ensure that there are both new and old files on the system

if this becomes popular then it will be straightforward to counter, Simply check for scarecrow, look at the processes directory, analyze the process, etc

I recently discovered you channel and I love it. Any video on VM escaping worms anytime soon?

Oh wow! I was thinking of this some moments ago and then I see you posted a video about it. GG 😊

Okay but the idea of malware developers changing up their malware to check for scarecrow is kinda funny. Because if you then run scarecrow in a virtual machine it would trick the malware into running... Which is kind of the literal opposite of what it was intended to do

dudes accent visited every former british colony

Great video, throughly enjoyed this one

i couldn't believe that he used personal email instead of a temp mail xD

Could you make a video about malware escaping VMs? I heard it was possible but quite extremely rare.

I do have a question. Why does the checks for the PySilon not include checks for drivers like the VFIO drivers? They are the ones commonly used in QEMU/KVM. My gaming VM has none of the blacklisted processes or files and I am not even hiding the fact that it is a VM.

Woo! Thanks for making this video

1:30 are you running software that pretenda that your pc is vm inside actual vm? Wouldn't then all thw software you tested detect the actual vm?

This video is so scary is scared away all youtube ads in my language

I’ve really discovered that windows defender is the only thing you really need. If it’s getting around windows defender, it’s getting around basically whatever you’ve got

The idea is really cool, I would like to someday see an open source version and one I could use on Linux.

"it's not open source", uses windows

Hiya. Whats the software that you are using there to track network requests? Is that a system that is using the wireguard key to tunnel all traffic through that application? If so its pretty cool!

does the undetectable VM allow running programs and resources that would run in a native environment, or are there still limitations?

Dunno if it's new or something, but you can skip the email thing now. It's also possible to temporarily stop it in the scarecrow settings if you have a game like valorant.

The email adress stuff is now optional, there's a "Or skip to direct download here" button.

I'm curious, do you have any good ways to monitor USB traffic for malicious activity? I have to regularly bring in new hardware like keyboards or mice into the enterprise and test and validate them, but I'm struggling to find some straight forward techniques apart from ripping these devices apart to look for unusual usb controllers or hoping if there is anything that the AV picks it up within our dev environments when I'm testing lol - - I do a basic review with process Explorer, and also start a ProcMon trace just to see if anything stands out but I think my trace might be too broad for it. Any advice?

It is definitely a good idea, but not every malware needs to be vm protected, since it usually is the same thing with some extra junk code and a different name

Regarding your comment of detecting fake vms by checking if multiple tools (ex. vbox guest additions and vmware user) are running, a real vm could also use multiple fake tools to trick the malware into thinking its an fake vm, or is my logic flawed?

Great vid, let’s all love Lain

Why the heck is this KZfaq channel so good

The fact that it's not open source sets off some red flags for me. Absolutely nope-ing out right here.

What are you using for capturing network requests?

Not super familiar with anti-VM actions by software, but there are a ton of ways to detect whether you're in a VM. My guess is that most software just uses #1 and #4 below because they can be easily implemented. 1. Check the CPU, CPU flags, and core configuration -- the CPU model string and CPU flags, such as the 'hypervisor' flag; as well as the processor core configuration 2. Check the DMI, SMBIOS, and ACPI information -- BIOS vendor: SeaBIOS, VMware, OVMF; mainboard vendor, memory vendor and model, etc. 3. Check the PCI and USB devices -- this is probably the most difficult part to spoof when attempting to masquerade a VM as a real machine-- even if you use full host passthrough mode and use fully emulated devices for ethernet, disk, and sound, there will likely be an emulated VGA device and emulated keyboard/pointer devices, which would be easy to check for 4. Checking for guest agents (vbox tools, vmware tools, QEMU guest agent, etc.) -- which to me is probably the laziest way and the easiest to defeat. If that is the only thing that Cyber Scarecrow is doing, it's basically useless as mentioned.

The best cyber scarecrow is just Windbg. Every malware fears a debugger

I like the idea - maybe if they had some kind of way of having this built into windows for unknown apps...

Good video!

me when viruses give u a bsod when you're running it on a vm:

0:33 well well well, that's a very deep well

Hi. What are you using as the wg traffic logger?

This is so stupid but actually so smart at the same time

How hard would it be to recreate something similar but open source?

If "legitimate" software doesn't like being tracked what it's doing, likely it's doing something you don't want to see.

Thanks - HitmanPro Alert does something similar to this as well (not sure what method it uses)

whats the software youre using for intercepting traffic

The user is Lain? Seems fitting.

Eric is blowing up on youtube lately :)

what is that port viwer thing?

This thing might be perfect when we modified the core count, disk name, gpu driver name, motherboard name and other hardware replaced into vmware or vbox stuff

you need to update the videos in the "More Malware Investigation Videos" section to be more recent malware themed ones

I've had this same idea for ages!

this is such an incredible niche edge case way of dealing with malicious software lmao why

Do you know if it's fine to make a Windows VM for malware testing on Windows? Or is there a possibility it could make it's way out of the VM onto my main system and would be better to use Linux?

Malware (Waluigi voice): Wahh! I will steal all your info **Thinks is in a vm** Malware: Bye have a great time... **PS2 Boot up sound**

if Malware checks for this fake VM software and would run normal as a result, it would be awesome to install this tool in a VM as the malware would be running in a VM assuming it was on a real HW.

if the source code isnt available, for the malware its harder to find out the cues for vm are just flukes

I CAN'T GET OVER THIS. IT'S LIKE A DIGITAL SCARECROW. AND IT WORKS.

Such things existed years ago when I just stepped into this field. The reason why they didn't become popular is that they don't work. VMs are so common nowadays that I rarely run into samples allergic to VMs anymore. In simple words, do not use this. Even worse, it's closed source. It's not trustworthy AND not useful.

the first thing u said is literally what i was thinking

interesting topic👍

Honestly, running loonix makes more sense at that point. Runs better, less parties to trust, less bloat 👍

i should have thought about this sooner

1:50 I'm hearing duvet in my head

"Scary processes" [Discord pops up] 😆

You can run the games in a VM tweaked to look like it is not a VM.

there is a patch for safe exam browser to make it work with vm ware. using linux or mac os you need VMs for a lot of software in school

This is actually a super clever idea lol

so it just runs do-nothing processes with specific names? isn't that easier and safer to replicate in open source? i wouldn't typically run closed source "security software" on my machine

I was just thinking of this after your last one

Cool in concept but I have my doubts that it'll ever be useful. As you said it will most likely stop you from using something you want to. And they are banking on malware to please only do VM detection and not start detecting Scarecrow.

Copy your user folder on a fileshare and set a GPO that programs executed on a file share can't access the internet.

I'm already scared by that thing asking for your email address

Wouldn't you want to verify the malware you're using to check if scarecrow works actually checks for it being in a vm?

Hi Eric, I have couiple of questions for you; Is Genp safe? Is the 2023 version of lightroom by thumper TM on tpb safe? I need lighroom and I trust your opinion.

Joining the Lain squad.

what tool tou use to see the traffic?

Running this software to pretend you're a VM, running on a VM :D

Is there a tool that does the reverse??

They seem to have removed the email requirement, there is a "Or skip to direct download here" link now

what we learned today: some malware developers don't care about VMs and windows defender has got hands

what is the best way hide debugger check for latest vmprotect (3.8.8) or themida , not sycllahide or titanhide or kernel mode. only for usermode