This PC Protected By A Sign


I’m sure you’ve seen one of these signs.  You know what I’m talking about.

surveillance sign


You’ve certainly seen houses or other buildings with a rather generic sign on the front lawn that says “This House Protected By A Security System.” It’s very likely that the house actually has no security system at all.  The owner just went out and bought the sign and stuck it in front of the house.  After all, a sign is far cheaper than a real security system, and for a certain class of burglars, is just as effective.   The point is, if the bad guys think you have a burglar alarm, they are likely to bypass your house, whether you really have one or not.

A recent talk by Jarno Niemelä of F-Secure described a similar technique to combat malware.  It’s deceptively simple, and like the lawn sign, costs way less than any anti-malware software you might install.  Here’s how it works:

Many types of malware (especially the more advanced sort) are designed to resist analysis.  That is, they are designed in a way so that if they detect that you are trying to analyze or reverse engineer them, they “play dumb,” and do nothing.  The malware writers do not want you to figure out what they’re doing, so they check your computer to see if you’re using a debugger or other tool to analyze their malware.   If they detect the presence of analysis tools, the malware will not execute its malicious code.  Instead, it will do something innocuous so as not to give itself away.  A malware analyst would then conclude that the malware isn’t malicious, or at least would not be able to figure out how the malware works.

So here’s a brilliantly simple idea:  what if you fool the malware into thinking it’s being analyzed?  What if you configure your PC so that the malware thinks you are a hot-shot malware analyst?  The malware will play dumb and not do anything malicious.  You simply fool the malware just like you fool the burglars with the sign.

So how do you do this?  You simply create some files and registry keys that look like real analysis tools.

For example, you can pretend you’re running in a VMWare environment by adding the following keys to your registry:

"HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/Services/DiskEnum field ”0” Value ”VMWare”
”HKEY_LOCAL_MACHINE/SOFTWARE/VMWare, inc./VMWare Tools ” field ”InstallPath” Value ”c:program filesVMWare”

You can also create dummy files.  Copy a simple program (like notepad.exe) and rename it to look like these:

C:/Program Files/WinPcappcapd.exe
C:/Program Files/WireSharkawshark.exe
C:/Program Files/Etherealethereal.html
C:/Program Files/wiresharkwireshark.exe
C:/Program Files/Microsoft Network Monitor 3/netmon.exe
C:/program files/ollydbg/Ollydbg.exe
C:/program files/sysinternals/Procmon.exe
C:/program files/sysinternals/Procexp.exe
C:/program files/sysinternals/Diskmon.exe
C:/program files/sysinternals/Autoruns.exe
C:/program files/debugging tools for windows/Windbg.exe

To be even sneakier, create a bunch of dummy processes. Name them like these real analysis tools, then execute them on startup:


You can use a simple compiled batch file that sits in an endless loop.  It takes very little memory or CPU time.  Here’s an example:

Start:    echo off
Sleep 600
Goto start

Note: you can find the sleep utility in the Windows Resource Kit, or you can download a similar one here.

Once you’ve added these keys and processes, your PC will look like you’re a professional malware analyst, and lots of malware will simply refuse to execute.

Of course, not all malware looks for the presence of these tools, so this method won’t stop all malware.  But like the lawn sign, it’s a simple and cheap method of adding protection to your PCs.


One response to “This PC Protected By A Sign

Leave a Reply


Nick Kelly

Cybersecurity Engineer, Cisco

Nick has over 20 years of experience in Security Operations and Security Sales. He is an avid student of cybersecurity and regularly engages with the Infosec community at events like BSides, RVASec, Derbycon and more. The son of an FBI forensics director, Nick holds a B.S. in Criminal Justice and is one of Cisco’s Fire Jumper Elite members. When he’s not working, he writes cyberpunk and punches aliens on his Playstation.


Virgilio “BONG” dela Cruz Jr.

CCDP, CCNA V, CCNP, Cisco IPS Express Security for AM/EE
Field Solutions Architect, Tech Data

Virgilio “Bong” has sixteen years of professional experience in IT industry from academe, technical and customer support, pre-sales, post sales, project management, training and enablement. He has worked in Cisco Technical Assistance Center (TAC) as a member of the WAN and LAN Switching team. Bong now works for Tech Data as the Field Solutions Architect with a focus on Cisco Security and holds a few Cisco certifications including Fire Jumper Elite.


John Cavanaugh

CCIE #1066, CCDE #20070002, CCAr
Chief Technology Officer, Practice Lead Security Services, NetCraftsmen

John is our CTO and the practice lead for a talented team of consultants focused on designing and delivering scalable and secure infrastructure solutions to customers across multiple industry verticals and technologies. Previously he has held several positions including Executive Director/Chief Architect for Global Network Services at JPMorgan Chase. In that capacity, he led a team managing network architecture and services.  Prior to his role at JPMorgan Chase, John was a Distinguished Engineer at Cisco working across a number of verticals including Higher Education, Finance, Retail, Government, and Health Care.

He is an expert in working with groups to identify business needs, and align technology strategies to enable business strategies, building in agility and scalability to allow for future changes. John is experienced in the architecture and design of highly available, secure, network infrastructure and data centers, and has worked on projects worldwide. He has worked in both the business and regulatory environments for the design and deployment of complex IT infrastructures.