[iforgotpassword]

Narrator: and so the arms race continues.

I guess if this gets enough attention, malware will just add more sophisticated checks and not just look at the exe name.

But on that note, I wondered the same thing at my last workplace where we'd only run windows in virtual machines. Sometimes these were quite outdated regarding system and browser updates, and some non-tech staff used them to browse random websites. They were never hit by any crypto malware and whatnot, which surprised me a lot at first, but at some point I realized the first thing you do as even a halfway decent malware author is checking whether you run in a virtualized environment.

[curtisblaine]

> I guess if this gets enough attention, malware will just add more sophisticated checks and not just look at the exe name.

But more sophisticated detection means bigger payload (making the malware easier to detect) and more complexity (making the malware harder to make / maintain), so mission accomplished.

[saagarjha]

Not by much. Probably less effort than you're putting in trying to avoid the malware, so it's a net loss.

[xiphias2]

The more scarecrow is installed, the easier it gets for real security researchers to hide from these checks and detect viruses. So actually the dynamic helps security research.

[saagarjha]

That's not how this works.

[GordonS]

Nope, just check the process executable's digital signature - pretty simple.

[oefrha]

“Sophisticated” detection can be as simple as checking rss and pcpu, the bullshit decoy processes probably aren’t wasting a lot of CPU and RAM, otherwise might as well run the real things; if they are, well, just avoid, who cares. So no, it’s not going to meaningfully complicate anything.

[curtisblaine]

Wouldn't that be more fragile though? CPU usage is not constant in time, so if - again - you're not sophisticated enough, you get more false negatives / positives, depending on which side of the heuristic you err.

[oefrha]

This is only useful for dragnet malware targeting the masses, where false positives/negatives have low impact to begin with. High value targets can run the real programs if this is proven to have any effect — the average corporate IT can approve some more bloat for security, no problem. Also, you take a sample.

[fancythat]

This works, I can confirm. Majority of malware threat running in a VM as a sign of researcher doing the malware analysis.

I am recommending doing this for over 10 years now.

[mdip]

That's where I wonder about a tool like this interfering with legitimate software.

For example, I believe the anti-cheat software used by games like Fortnite looks for similar things -- my understanding is that it, too, will refuse to start when it is executing in a VM[0]. As a teenager (90s), I remember several applications/games refusing to start when I'd attached a tracing process to them. They did this to stop exactly what I was doing: trying to figure out how to defeat the software licensing code. I haven't had a need to do that since the turn of the century but I'd put $10 on that still being a thing.

So you end up with a "false positive", and like anti-virus software, it results in "denial of service." But does anti-virus's solution of "white list it" apply here? At least with their specific implementation, it's "on or off", but I wonder if it's even possible to alter the application in a way that could "white list a process so it doesn't see the 'malware defeat tricks' this exposes." If not, you'd just have to "turn off protection" when you were using that program. That might not be practical depending on the program. It's also not likely the vendor of that program will care that "an application which pretends it's doing things we don't like" breaks their application unless it represents a lot of their install base.

[0] I looked into it a few years ago b/c I run Tumbleweed and it's a game the kids enjoy (I'm not a huge fan but my gaming days have been behind me for a while, now) ... I had hoped to be able to expose my GPU to the VM enough to be able to play it but didn't bother trying after reading others' experiences.

[hurutparittya]

What do you mean by 'legitimate software' exactly? If you described what a modern anti-cheat solution does to someone without telling them what it is, they'd automatically call it malware. The similarity really is uncanny. It almost feels like the difference between them is more of a technicality.

[fancythat]

You are right, some games, especially multiplayer ones will refuse to work in the VM to prevent cheating, but this is, of course, the business decision on their side. You can always construct the software in such a way that when it detects something suspicious on the system it ceases to function: some copy protections looked up for change in the network card hardware id as developers presumed it is highly unlikely someone will change network interface, but that stopped to be common, when people started using on-board interfaces that change with every motherboard change.

There is also a difference when using commercial stuff such as vmware instead of qemu or virtualbox as open source is more suitable to be tailored to the specific thing, in this case, cheating.

In the end, this approach works well for slowing done malware as there is less risk for normal software to allow working inside of vm in contrast to malware that should be coded to be extra paranoid in order to avoid as many tar pits as possible.