[wruza]

Why does malware “stop” if it sees AV? Sounds as if it wanted to live, which is absurd. A shady concept overall, cause if you occasionally run malware on your pc, it’s already over.

Downloading a random exe from a noname site/author to scare malware sounds like another crazy security recipe from your layman tech friend who installs registry cleaners and toggles random settings for “speed up”.

[bux93]

Take malware that is part of a botnet. Its initial payload is not necessarily damaging to the host, but is awaiting instructions to e.g. DDOS some future victim.

The authors will want the malware to spread as far and wide as it can on e.g. a corporate network. So they need to make a risk assessment; if the malware stays on the current computer, is the risk of detection (over time, as the AV software gets updates) higher than the opportunity to use this host for nefarious purposes later?

The list[1] of processes simulated by cyber scarecrow are mostly related to being in a virtual machine though. Utilities like procmon/regmon might indicate the system is being used by a techie. I guess the malware author's assumption is that these machines will be better managed and monitored than the desktop/laptop systems used by office workers.

[1] https://pastebin.com/JVZy4U5i

[jeroenhd]

Many pieces of malware are encrypted and obfuscated to prevent analysis. Often, they'll detect virtual machines to make it harder for people to analyse the malware. Plenty of malware hides the juicy bits in a second or third stage download that won't trigger if the dropper is loaded inside of a VM (or with a debugger attached, etc.).

Similarly, there have also been malware that will deactivate itself when it detects signs of the computer being Russian; Russia doesn't really care about Russian hackers attacking foreign countries (but they'll crack down on malware spreading within Russia, when detected) so for Russian malware authors (and malware authors pretending to be Russian) it's a good idea not to spread to Russian computers. This has the funny side effect of simply adding a Russian keyboard layout being enough to prevent infection from some specific strains of malware.

This is less common among the "download trustedsteam.exe to update your whatsapp today" malware and random attack scripts and more likely to happen in targeted attacks at specific targets.

This tactic probably won't do anything against the kind of malware that's in pirated games and drive-by downloads (which is probably what most infections are) as I don't think the VM evasion tactics are necessary for those. It may help protect against the kind of malware human rights activists and journalists can face, though. I don't know if I'd trust this particular piece of software to do it, but it'll work in theory. I'm sure malware authors will update their code to detect this software if this approach ever takes off.

[joshstrange]

> Why does malware “stop” if it sees AV? Sounds as if it wanted to live, which is absurd.

Malware authors add in this feature so that it’s harder for researchers to figure out how it works. They want to make reverse engineering their code more difficult.

I agree with everything else you said.

[crazygringo]

Does it really make it that much more difficult?

If these were laypeople that would then give up, sure.

But I'm surprised that it's even worth malware authors' time to put in these checks. I can't imagine there's even a single case of where it stopped malware researchers in the end. What, so it takes the researchers a few hours or a couple of days longer? Why would malware authors even bother?

(What I can understand is malware that will spread through as many types of systems as possible, but only "activate" the bad behavior on a specific type of system. But that's totally different -- a whitelist related to its intended purpose, not a blacklist to avoid security researchers.)

[nic547]

It's not about the usual AV software, but about "fake" system used to try and detect and analyse malware. AV Vendors and malware researcher in general use such honeypots to find malware that hasn't been identified yet.

This software seems to fake some idiciators that are used by malware to detect wheter they're on a "real system" or a honeypot.

[qwery]

It's not really about "normal" antivirus programs, but tools used by security researchers. It's well-known that more sophisticated malware often try to avoid scrutiny by not running, or masking their intended purpose if the environment looks "suspicious".

A paranoid online game like e.g. Test Drive Unlimited, might not launch because the OS says it's Windows Server 2008 (ask me how I know). A script in a Word document might not deliver its payload if there are no "recently opened documents".

The idea with this thing is to make the environment look suspicious by making it look like an environment where the malware is being deliberately executed in order to study its behaviour.

[RockRobotRock]

Even back in my script kiddy days, 10 years ago, I remember RATs and cryptors would all have a kill switch option if it detected it was running on a VM.