The Anti-VM trick that is kinda… personal

April 16, 2022 in Anti-*

I have written a lot about anti-VM tricks, and while this topic is so worn out that writing about it almost feels like kicking a dead horse, I felt there is still scope for a ‘novelty’ approach…

As a hobby, I started jotting down OPSEC failures of random reverse engineers and security professionals. I didn’t go too far, but once you see the list you will get the gist and can easily expand on it a bit more.

Trust me, this is nothing personal. But yeah, it totally is 🙂

Analysing screenshots shared on social media, I was able to jot down some notes on the user names used on the researchers’ boxes/test environments. Some of these user names are generic, and as such not very helpful, but hey… many actually are pretty specific!

So, a personalized anti-* trick could simply add these known user names to a ‘we don’t run here’ list: if any of these user names is found on the system, gracefully exit.

Not very complex… but you didn’t see it coming!

Twitter Handle     User name
pr0xylife          pr0xylifelab
mrd0x              mr.d0x
Wietze             Wietze
inversecos         Lina Lau
mohammadaskar2     askar
DissectMalware     aniak
falsneg            freddy
Oddvarmoe          oddva
mrAn61             taro
SBousseaden        bouss
vinopaljiri        Inferno
stvemillertime     steve
x86matthew         Win10
0gtweet            Administrator
0gtweet            Admin
jonasLyk           jonas

Honorary mention:

Twitter Handle     User name
Ledtech3           JoeUser
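The same check, turned around for the defender: an added example (not code from the original post) that audits an analyst's own VM against the user names listed above, so a box whose user name, host name or profile path already appears in published screenshots can be renamed before it is used again. The function and constant names are my own choice and the list is taken from the tables on this page.

```python
import getpass
import os
import socket
from typing import Dict, List

# Researcher user names collected from the tables in this post (the list includes
# generic entries such as "Administrator" and "Admin", which will match many boxes).
BURNED_USER_NAMES: List[str] = [
    "pr0xylifelab", "mr.d0x", "Wietze", "Lina Lau", "askar", "aniak", "freddy",
    "oddva", "taro", "bouss", "Inferno", "steve", "Win10", "Administrator",
    "Admin", "jonas", "JoeUser",
]

def _norm(value: str) -> str:
    """Case-fold and trim so "Freddy " and "freddy" compare equal."""
    return value.strip().casefold()

def find_burned_identifiers(user: str, host: str, profile_dir: str,
                            burned: List[str] = BURNED_USER_NAMES) -> Dict[str, str]:
    """Return {attribute: matched name} for each identity attribute on the list.

    The profile path is split into components because the original account name
    also leaks through C:\\Users\\<name> when the account was renamed later.
    """
    burned_set = {_norm(b) for b in burned}
    hits: Dict[str, str] = {}
    if _norm(user) in burned_set:
        hits["username"] = user
    if _norm(host) in burned_set:
        hits["hostname"] = host
    for part in profile_dir.replace("\\", "/").split("/"):
        if part and _norm(part) in burned_set:
            hits["profile_path"] = part
            break
    return hits

def audit_current_box() -> Dict[str, str]:
    """Check the machine this script runs on, i.e. the analyst's own VM."""
    return find_burned_identifiers(getpass.getuser(), socket.gethostname(),
                                   os.path.expanduser("~"))

if __name__ == "__main__":
    for attr, name in audit_current_box().items():
        print(f"[!] {attr} '{name}' is on a published analyst-name list; consider renaming it")
```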

Update

Not all of these are correct findings; for example, see the response from proxylife.
