How does it work?

When hackers install malicious software on a compromised victim, they first check to make sure its safe for them to run. They don't want to get caught and avoid computers that have security analysis or anti-malware tools on them.

Scarecrow takes advantage of this, by running in the background of your computer and 'faking' these indicators. It's super lightweight and tricks malware into thinking your computer is not the place for them to be.

Fake Processes.

Scarecrow will create a number of background processes that don't do anything, but look like security research tools.

Fake registry entries.

Scarecrow creates registry entries to make it look like security tools are installed on your computer.

More to come.

It's early days, were only in Alpha. We will continue to improve how convincing the fake indicators make your computer look over time.

The science

The idea for scarecrow came from reading malware analysis reports. In these reports, you will see that malware first checks for various indicators on the compromised machine. If they exist, the malware will stop, and not infect the victim.

We have collected a list of these indicators, and built them into scarecrow. It will quietly create them in the background of your computer. If you are interested in what these are, you can see them in the scarecrow settings interface, and in a XML configuration file in the scarecrow programs file directory.

You can find some examples here (symantec), here (krebs on security), and here (microsoft).

Who we are

Cyber scarecrow is a project, created and maintained by security professionals from the UK. By day we work with international customers to make them secure. By night, we build cyber scarecrow.