Honeypots mailing list archives
RE: (pacsec bonus) Re: VMWare Detection?
From: Hrvoje Spoljar <spole () x pbf hr>
Date: Fri, 19 Nov 2004 19:04:04 +0100
On Fri, 2004-11-19 at 18:25, M. Shirk wrote:
> It would be upsetting if the next ScanOfTheMonth had a binary with this capability. No one could get the malware to execute because it would shut down after detecting the VMWare environment. :-)
That is very likely to happen :)... last finished IIRC sotm32, RaDa.exe had different behaviour on VMWare (did nothing) whereas on the real machine it was a trojan bot :))

I think that Lance has made a good point with noticing possible benefits of running production in VMWare... but on the other hand, it's not only VMWare that could affect blackhats from turning away from VMWare... because if they notice any other real or framed activity, I think that the fact that it runs on VMWare will not turn them away from the pot.

just my 2c

--
Hrvoje Špoljar
ICQ: 53000945
http://spole.pbf.hr/
irc.oftc.net#RoCkY
hrvoje.spoljar () x pbf hr
mobile:00385989291593