Honeypots mailing list archives
RE: Building an Honeypot using VMWare
From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Mon, 4 Nov 2002 12:39:14 -0800 (PST)
Have you tried using trojanned binary of ps ? Hide vmware process the way intruders hide their psybnc processes. or say: cat /bin/ps #!/bin/sh /bin/.psreal $1 | grep -v "vmware" | grep -v "psreal" Hide some more processes, im not suggesting to use similar shell scripts, but just giving you an idea. You could code it in perl, and compile it using perlcc, or could compile it in a C code, using system(); Regards -------- Muhammad Faisal Rauf Danka Head of GemSEC / Chief Technology Officer Gem Internet Services (Pvt) Ltd. web: www.gem.net.pk Key Id: 0x784B0202 Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 784B 0202 --- "Bruno MAC Castro" <bcastro () dei uc pt> wrote:
Thanks Bill, I agree with you in everything... But, it would improve the concept of a Honeypot if the trace of a virtual machine (VMWare) was hard (or impossible) to find. My goal is to reach a stage where there is no visible VMWare process in my honeypot. I also know that it is almost impossible to reach it, but we need high goals to keep us working... right? ;-) For a start, I would be happy with a solution (maybe a tool) that hides or "camouflage" the VMWare process from the OS Process List. Any ideas? Regards Bruno -----Original Message----- From: Bill McCarty [mailto:bmccarty () apu edu] Sent: segunda-feira, 4 de Novembro de 2002 16:32 To: bcastro () dei uc pt; honeypots () securityfocus com Subject: Re: Building an Honeypot using VMWare Hi Bruno and all, --On Monday, November 04, 2002 3:58 PM +0000 Bruno MAC Castro <bcastro () dei uc pt> wrote:4. It would be important to hide the VMWare process on the Guest. Ineeda tool (or a solution) to cover or hide the VMWare process in both systems. Ideas?There are several other ways for an attacker to determine that the compromised host is a virtual host. For example, a virtual machine's virtual network adapters have distinctive MAC addresses. Similarly, the BIOS string and information from emulated PCI probes can give away the game. On the other hand, worms and script kiddies won't care much -- or possibly even notice -- that they've compromised a virtual machine. Yes, askilled blackhat might notice and care. But, concealing the virtual nature of a honeypot from that species is probably beyond the state of the art -- possibly a good topic for a master's thesis in itself <grin>.
_____________________________________________________________ --------------------------- [ATTITUDEX.COM] http://www.attitudex.com/ --------------------------- _____________________________________________________________ Select your own custom email address for FREE! Get you () yourchoice com w/No Ads, 6MB, POP & more! http://www.everyone.net/selectmail?campaign=tag
Current thread:
- Building an Honeypot using VMWare Bruno MAC Castro (Nov 04)
- Re: Building an Honeypot using VMWare Bill McCarty (Nov 04)
- RE: Building an Honeypot using VMWare Bruno MAC Castro (Nov 04)
- RE: Building an Honeypot using VMWare Edward Balas (Nov 04)
- RE: Building an Honeypot using VMWare Bruno MAC Castro (Nov 04)
- Re: Building an Honeypot using VMWare Michael (Nov 13)
- RE: Building an Honeypot using VMWare Bruno MAC Castro (Nov 04)
- Re: Building an Honeypot using VMWare Bill McCarty (Nov 04)
- Re: Building an Honeypot using VMWare Floydman (Nov 04)
- <Possible follow-ups>
- RE: Building an Honeypot using VMWare Muhammad Faisal Rauf Danka (Nov 04)
- Re: Building an Honeypot using VMWare Alberto Gonzalez (Nov 05)
- RE: Building an Honeypot using VMWare Bruno MAC Castro (Nov 05)
- Re: Building an Honeypot using VMWare Ali Saifullah Khan (Nov 12)
- RE: Building an Honeypot using VMWare Dennis Rand (Nov 05)