Honeypots mailing list archives

RE: Building an Honeypot using VMWare


From: "Bruno MAC Castro" <bcastro () dei uc pt>
Date: Mon, 4 Nov 2002 19:12:56 -0000

Thanks Edward.

My Windows 2kPro Box has a VMWareService.exe (and a VMWareTray.exe from
VMWare Tools) running on the TaskManager GUI. 

Yes, I will remove VMWare Tools.

If I could hide the main service (VMWareService.exe) it would be harder
to find the virtual platform (only for kiddies).

Any ideas?
Regards,
Bruno
______________________________________
Bruno Miguel Abrantes de Campos e Castro
Mail To:
bcastro () portugalmail pt
bcastro () dei uc pt
______________________________________

-----Original Message-----
From: Edward Balas [mailto:ebalas () iu edu] 
Sent: segunda-feira, 4 de Novembro de 2002 19:02
To: Bruno MAC Castro
Cc: 'Bill McCarty'; honeypots () securityfocus com
Subject: RE: Building an Honeypot using VMWare

On Mon, 4 Nov 2002, Bruno MAC Castro wrote:


Thanks Bill,

I agree with you in everything... But, it would improve the concept of a
Honeypot if the trace of a virtual machine (VMWare) was hard (or
impossible) to find. My goal is to reach a stage where there is no
visible VMWare process in my honeypot. I also know that it is almost
impossible to reach it, but we need high goals to keep us working...
right?
;-)

There aren't any vmware processes running per se in the honeypot; the
problem is that many OSs recognize the disk as of vmware type, and
the same for the ethernet and other such devices. Regarding the MAC
address, that is configurable so it's no issue.

Also, don't install the vmware-tools on the guest.

For a start, I would be happy with a solution (maybe a tool) that hides
or "camouflages" the VMWare process from the OS Process List.

Any ideas?
Regards
Bruno
______________________________________
Bruno Miguel Abrantes de Campos e Castro
Mail To:
bcastro () portugalmail pt
bcastro () dei uc pt
______________________________________
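
As an added example (not part of the thread and not any poster's code): a small Python audit of a honeypot guest for the traces the messages above mention, namely the VMware Tools processes, devices that identify themselves as VMware, and a MAC address left in a VMware-registered prefix. The inventory is constructed sample data, the function and field names are hypothetical, and the OUI list is the set of prefixes registered to VMware.

```python
"""Audit a honeypot guest inventory for VMware fingerprints (added example)."""

# Process names reported in the thread (VMware Tools on a Windows guest).
TOOLS_PROCESSES = {"vmwareservice.exe", "vmwaretray.exe"}

# OUI prefixes registered to VMware; a default virtual NIC MAC starts with one.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}


def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated octets, or None if malformed."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_guest(inventory):
    """Return a sorted list of (category, value) findings for one guest."""
    findings = []
    for name in inventory.get("processes", []):
        if name.lower() in TOOLS_PROCESSES:
            findings.append(("tools-process", name))
    for device in inventory.get("devices", []):
        if "vmware" in device.lower():
            findings.append(("device-string", device))
    for mac in inventory.get("macs", []):
        norm = normalize_mac(mac)
        if norm is None:
            findings.append(("bad-mac", mac))
        elif norm[:8] in VMWARE_OUIS:
            findings.append(("default-mac", norm))
    return sorted(findings)


# Constructed sample inventory, not captured from a real host.
SAMPLE = {
    "processes": ["System", "explorer.exe", "VMWareService.exe", "VMWareTray.exe"],
    "devices": ["VMware Virtual IDE Hard Drive", "AMD PCNET Family PCI Ethernet Adapter"],
    "macs": ["00-0C-29-3A-7F-10"],
}

if __name__ == "__main__":
    for category, value in audit_guest(SAMPLE):
        print(f"{category:14} {value}")
```

An empty result only means none of these three checks fired; other hardware identifiers the guest exposes are outside what this audit looks at.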



