Honeypots mailing list archives

Re: (pacsec bonus) Re: VMWare Detection?


From: awalters () 4tphi net
Date: Fri, 19 Nov 2004 13:01:01 -0500 (EST)


Can we possibly abstract for a moment? These arguments seem very similar to those presented by Fred Cohen when he was working on DTK (http://www.all.net/dtk/dtk.html). Fred's and other projects actually laid a lot of the deception groundwork before honey* were reinvented. They were also realistic about the uses of deception.

When Drew and I were playing around with this stuff in 2002 (http://seclists.org/lists/honeypots/2002/Oct-Dec/0029.html), vmchk (based off of http://chitchat.tripod.co.jp/vmware/) was simply one part of a larger framework we referred to as the Funnynet ToolKit (FTK) "Tracking Honeynets". FTK, in fact, grew out of discussions in Lance's basement during the Honeynet meeting that fall. The Honeynet project seemed directed towards virtualization and usability, but no one seemed interested in the consequences. So we decided to build a framework of tools that would allow us to detect the "tools and configuration of tools" being used by the Honeynet project. For example, there were other tools in FTK used to fingerprint rate limiting or the rules being used by snort-inline, etc. Others had similar ideas and took it further (i.e. Phake Phrack http://www.phrack.org/fakes/p62/p62-0x07.txt).

Yes, the virtualization and homogeneous packaging make honey* easier to use, but what are the implications? I know it makes the "research" easier to "sell to the customer". To us it wasn't simply a matter of detecting VMware, one piece of evidence, but it seemed like a much bigger issue.

I'm still waiting for the answer to the question posed at cansec: "Why Honeypots Suck?"


AW
