top | item 40715995

mafriese | 1 year ago

I don't understand why the software is built how it's built. Why would you want to implement licensing in the future for a software product that only creates fake processes and registry keys from a list: https://pastebin.com/JVZy4U5i . The limitation to 3 processes and the license dialog make me feel uncomfortable using the software. All the processes are 14.1MB in size (and basically the scarecrow_process.dll - https://www.virustotal.com/gui/file/83ea1c039f031aa2b05a082c...). I just don't understand why you create such a complex piece of software if you can just use a PowerShell script that does exactly the same using fewer resources. The science behind it only kinda makes sense. There is some malware that uses techniques to check if those processes are running, but by no means is this a good way to keep you protected. Most common malware like credential stealers (redline, vidar, blahblah) don't care about that, and they are by far the most common type of malware deployed. Even ransomware like Lockbit doesn't care, even if it's attached to a debugger. I think this mostly creates a false sense of security, and if you plan to grow a business out of this, it would probably only take hours until there would be an open source option available. Don't get me wrong - I like the idea of creating new ways of defending against malware; what I don't like is the way you try to "sell" it.

kazinator | 1 year ago

They know that if this idea catches on, a dozen completely free imitations will crop up, so ... the time to grab whatever cash can be squeezed out of this is now.

GordonS | 1 year ago

If something like this catches on, attackers will simply start checking the digital signature of the processes, to ensure they are genuine.

jart | 1 year ago

Are you telling me this thing spawned 50 new processes on your computer? Could you zip up all the executable files and whatever it installed and upload it somewhere so we can analyze the assembly?

mafriese | 1 year ago

This "thing" is always spawning 3 processes at a time. The processes are always the ones from the virustotal link. I can upload the DLL to a file sharing service of your choice if you don't have a VT premium license. I can also provide an any.run link: https://app.any.run/tasks/bc557b04-5025-46a1-a683-aad3b29b9a... (installer) https://app.any.run/tasks/e257e7f2-7837-4ed1-93c8-5d617d75cc... (zip file containing the files). Let me know if you need further info :).

batch12 | 1 year ago

To your point, I made this a few years ago using PowerShell. I just created a stub .exe using csc on install and renamed it to match a similar list of binary names. Maybe I will dig it up...
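The approach batch12 describes (one csc-compiled stub copied under decoy names), written out as an added example for this thread rather than batch12's own script or anything from the product being discussed; the decoy name list is a placeholder (the real list is on the pastebin link above), and the csc.exe path assumes a 64-bit Windows install with .NET Framework 4. The final loop shows why GordonS's objection holds: every decoy is unsigned and shares one hash, so a signature or hash check distinguishes them from the genuine tools.

```powershell
# Added example, not from the thread. Build one stub .exe with csc, copy it under
# decoy process names, start the copies, then inspect them the way an adversary could.
$DecoyNames = @('procmon.exe', 'wireshark.exe', 'x64dbg.exe')   # placeholder list
$WorkDir = Join-Path $env:TEMP 'decoy-demo'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# Minimal stub: blocks forever so the process name stays visible in the process list.
$Source = @'
class Stub { static void Main() { System.Threading.Thread.Sleep(System.Threading.Timeout.Infinite); } }
'@
$SourcePath = Join-Path $WorkDir 'stub.cs'
Set-Content -Path $SourcePath -Value $Source

# csc.exe ships with the .NET Framework; this path is an assumption about the host.
$Csc = Join-Path $env:WINDIR 'Microsoft.NET\Framework64\v4.0.30319\csc.exe'
$StubExe = Join-Path $WorkDir 'stub.exe'
& $Csc /nologo /target:winexe /out:$StubExe $SourcePath

# Copy the one stub under each decoy name and launch it (Start-Process -PassThru
# returns the Process objects so they can be stopped again below).
$Started = foreach ($Name in $DecoyNames) {
    $Target = Join-Path $WorkDir $Name
    Copy-Item -Path $StubExe -Destination $Target -Force
    Start-Process -FilePath $Target -PassThru
}

# What an inspecting party sees: the decoy names appear, but the binaries carry no
# Authenticode signature (Status = NotSigned) and all share the same SHA-256.
foreach ($Name in $DecoyNames) {
    $Path = Join-Path $WorkDir $Name
    $Sig  = Get-AuthenticodeSignature -FilePath $Path
    $Hash = (Get-FileHash -Algorithm SHA256 -Path $Path).Hash
    '{0,-16} signature={1,-10} sha256={2}' -f $Name, $Sig.Status, $Hash
}

# Clean up the decoy processes.
$Started | Stop-Process -Force
```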

victor22 | 1 year ago

Because this is a bullshit idea and a bullshit product lol