Honeypots mailing list archives
Re: Building an Honeypot using VMWare
From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 04 Nov 2002 08:32:17 -0800
Hi Bruno and all,

--On Monday, November 04, 2002 3:58 PM +0000 Bruno MAC Castro <bcastro () dei uc pt> wrote:

> 4. It would be important to hide the VMWare process on the Guest. I need a tool (or a solution) to cover or hide the VMWare process in both systems. Ideas?

There are several other ways for an attacker to determine that the compromised host is a virtual host. For example, a virtual machine's virtual network adapters have distinctive MAC addresses. Similarly, the BIOS string and information from emulated PCI probes can give away the game.
On the other hand, worms and script kiddies won't care much -- or possibly even notice -- that they've compromised a virtual machine. Yes, a skilled blackhat might notice and care. But, concealing the virtual nature of a honeypot from that species is probably beyond the state of the art -- possibly a good topic for a master's thesis in itself <grin>.
Cheers,

---------------------------------------------------
Bill McCarty
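
One way for a honeypot operator to audit their own guest for the three tells named in the message above (NIC MAC prefix, BIOS string, PCI probe results), as an added example that is not part of the original post. The OUI prefixes and PCI vendor ID are VMware's registered values; the function names and the sample inventory are constructed for illustration.

```python
import re

# OUI prefixes registered to VMware (they appear on virtual NICs).
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}
VMWARE_PCI_VENDOR = "15ad"  # PCI vendor ID assigned to VMware


def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated hex, or None if malformed."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        return None
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_guest(macs, dmi_strings, pci_ids):
    """List the VMware tells visible in a guest's collected inventory.

    macs: NIC addresses; dmi_strings: BIOS/DMI vendor and product strings;
    pci_ids: "vendor:device" hex pairs as printed by `lspci -n`.
    """
    findings = []
    for mac in macs:
        norm = normalize_mac(mac)
        if norm and norm[:8] in VMWARE_OUIS:
            findings.append(("mac", norm))
    for text in dmi_strings:
        if "vmware" in text.lower():
            findings.append(("bios", text))
    for pci_id in pci_ids:
        if pci_id.lower().split(":")[0] == VMWARE_PCI_VENDOR:
            findings.append(("pci", pci_id.lower()))
    return findings


# Constructed inventory, not taken from a real host.
SAMPLE = {
    "macs": ["00-0C-29-3A-5B-7C", "52:54:00:12:34:56", "bad-mac"],
    "dmi_strings": ["VMware, Inc.", "VMware Virtual Platform",
                    "Phoenix Technologies LTD"],
    "pci_ids": ["8086:7190", "15AD:0405", "1022:2000"],
}

if __name__ == "__main__":
    for kind, value in audit_guest(**SAMPLE):
        print(f"{kind}: {value}")
```

Each finding is something the operator would need to change or accept as a known giveaway before deploying the guest.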