Re: (pacsec bonus) Re: VMWare Detection?

["Kurt Seifried" <bt () seifried org>]

Computer BIOS
One way to identify VMware systems is by their BIOS, there are a number of 
free windows utilities that can query the BIOS for information and even 
extract a copy of the BIOS from the VMware system. The good news is that 
from within Windows NT/2000 you cannot easily access the BIOS and send 
commands as direct access to the hardware is blocked. You can however easily 
query the BIOS for information from within the guest operating system you 
will be given the following information:

BIOS ID: unknown
BIOS Date: 10/16/01
BIOS Signon: unknown
BIOS Type: PhoenixBIOS 4.0 Release 6.0 licensed to Intel
Super I/O: unknown
Chipset: Intel 440BX/ZX rev 1Which is quite different then the actual BIOS 
in use on the host operating system.

As well there are a number of utilities to make a copy of the bios, BIOS 
Wizard is available for free and can easily make a copy of the system bios, 
considering that the BIOS VMware uses is relatively unique it becomes quite 
easy to check a signature of the BIOS file to see if it is a VMware BIOS. 
Unfortunately there is almost no way to hide this information from a savvy 
attacker, making it an Achilles' heel for VMware honeypot systems. Both 
these utilities are available from: 
http://www.bioscentral.com/misc/downloads.htm. There is a utility for Linux 
and BSD at: http://www.cgsecurity.org/.

The information may have changed since, I originally wrote this in Feb of 
2002 using VMware 3.x I think.

Kurt Seifried, kurt () seifried org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/