Honeypots mailing list archives
Re: Building an Honeypot using VMWare
From: "Ali Saifullah Khan" <whipaz () gem net pk>
Date: Tue, 12 Nov 2002 12:25:10 +0500
Salutations all!

Firstly, as rightly pointed out (though it requires scrutiny), the system() call will not take arguments as easily as the execv*() calls do. There is also the problem of parsing more arguments through continued use of system().

Alberto Gonzalez wrote:
> Now, with most attackers that break into a honeypot, the first thing she does is install a rootkit. Rootkits check for other rootkits; if none are found, they install theirs. Your /bin/ps would be useless at this point since it will install a trojaned binary.
I don't think that's entirely true, as what Mr. Faisal probably suggested was trojanning the ps binary in the essence of the word... it doesn't directly mean the use of previous or already published trojans/rootkits. The rootkits look for other rootkits which exhibit behaviour already known of. It would be stupid for someone to trojan a binary along existing trends, and I'm sure Mr. Faisal was not suggesting that. The understanding of the essence of the word "trojan" is required here.
> (dev@cervello)(~) dmesg |grep VMware
> hdc: VMware Virtual IDE CDROM Drive, ATAPI CD/DVD-ROM drive
> Vendor: VMware, Model: VMware Virtual S Rev: 1.0
>
> Now as to the hiding process, if you don't install vmware-tools there won't be any vmware processes running. As to removing any presence of VMware, I would LOVE to hear how..
Renaming the service executables, renaming real-time service descriptions per port access, and renaming descriptions on execution are all possible, with appropriate programs which get the latter two jobs done. There is room for more discussion on this particular section of this thread.

Ali Saifullah Khan,
Asstt. Project Administrator,
GemSEC Information Security Division,
Gem Internet Services, (Pvt.) Ltd.
Key ID : 0xA3B7379C
Key Fingerprint : 111F D465 3FB0 C02E 4080 8DE6 D887 CA97 A3B7 379C