
Posted by todsacerdoti 1 day ago

I made my VM think it has a CPU fan (wbenny.github.io)
647 points | 175 comments (page 2)
ajd555 1 day ago
I wonder if making a user endpoint actually look like a VM could help? Maybe adding some VM like flags to throw off some malware? I feel that bad actors would catch on, but it might offer some protection for some low hanging vulnerabilities?
andix 18 hours ago
I guess that's a gap for a new tool to be developed. Emulate as much hardware as possible, to make a VM look like a real PC. Maybe also faking the CPU ID, to fake another CPU type with less performance (from the same series), so malware can't even detect the lower performance caused by virtualization, or lower core count.
JamesSwift 18 hours ago
Also see the effort people go through to fake out minecraft/roblox so they can run via a VM
benreesman 1 day ago
This has applications for other kinds of malware. I used to work in ads, to put it mildly, and all this stuff about blocking the trackers at the DNS level or something? Very silly stuff.

If you want to fuck up surveillance capitalism, you send plausible but wrong information to the trackers. There are a zillion ways to do this: let one through now and again and replay it, do a P2P browser extension that proxies you and someone near you through each other, subtly corrupt it, bounce it off a mullvad node. The possibilities are endless.

If you got a fair number of people doing it, you could even have some collective bargaining, like let some of the extreme value conversion stuff through in return for concessions on the more egregious tracking-for-the-sake-of-tracking.

Sure they'll checksum and shit, but that's a cat-and-mouse game they lose: the typical tracker cookie fire isn't worth shit, it's Superman 2 fractions of a basis point, so even modest effort playing smart against it drives the effective CPM negative.

joseda-hg 19 hours ago
Isn't this what initiatives like Ad Nauseam do?
rustybolt 1 day ago
> Your first impulse might be to use DLL hooking and patch the cimwin32. But that’s smol pp way of thinking. We can do better.

What's wrong with DLL hooking though?

marcosscriven 1 day ago
Fascinating article. It prompted two questions for me:

1) With the level of expertise, would it be as easy, or easier, to modify the check in the malware itself?

2) How much work would it be for a something like KVM to fake absolutely everything about a PC so it was impossible to tell it was a VM?

dheera 1 day ago
> Some malware samples are known to do various checks to determine if they are running in a virtual machine.

Not just malware, but some apps are known to do this too, e.g. WeChat.

There needs to be a better virtual machine that tries to emulate everything, including random walks for GPS, IMU noise, barometric noise, temperature fluctuations etc.

peter422 1 day ago
Pretty funny that a blog post talking about complex and innovative ways to help investigate malware has a block of the lowest quality, scummiest ads that probably lead to malware.
wonderwonder 18 hours ago
There are moments where I consider myself a good engineer, and then I read posts like this and realize I'm a very little fish in a very big ocean.
acrophiliac 1 day ago
Misread the title as "I made my VM think it WAS a CPU fan" and was a bit disappointed to find the actual article was not about a VM with an identity crisis.
1vuio0pswjnm7 1 day ago
I haven't bought a computer cooled by a fan in over 13 years.
marttt 19 hours ago
If you don't mind sharing, what's your exact setup? A fanless laptop (having read many of your previous comments, and found them very inspiring, I'm aware of your modest/text-only needs), or something really spartan like a USB-booting OS, etc.? Many thanks.