Re: Stealth VM

[Robert Sandilands <rsandilands () authentium com>]

The majority of Wildlist samples will not work in VMWare.

Although I agree with your sentiments that VMWare is becoming very
common in the enterprise, that is in general not the target for the
majority of malware out there: Home users are still the easiest target.

Robert

Earl wrote:
> Had a conversation about this at lunch today where I informed 
> someone that the joke about "Security by the obscurity of running 
> in a VM" days are likely either already over or about to be over.
>
> Anyone have any stats or even an educated guess about whether or 
> not bad guys still care if they are in a virtualized env before 
> they take a box?
>
> Earl
>
> On Thu, 06 Nov 2008 07:19:07 -0500 Javier Fernandez-Sanguino 
> <jfernandez () germinus com> wrote:
>   
> > Stuart Gilchrist-Thomas dijo:
> >     
> > > Hi,
> > >
> > > Does anyone have any pointers to evidence or advice on hiding or
> > > reducing the detection of VM honey pots. I know of temporal 
> > >       
> > issues
> >     
> > > e.g. Timing metrics can give away a VM, and that you can 
> > >       
> > manually
> >     
> > > alter peripheral identities e.g. virtual network cards etc. I've 
> > >       
> > also
> >     
> > > created a company to purchase ip and hosting space to ensure a 
> > >       
> > form
> >     
> > > of identity in depth. But I still lack experience in preventing
> > > detection. Can you help? Are you my only hope? ;)
> > >       
> > Why hide the fact that the honeypot is running on VM? After all, 
> > many
> > environments in production (@datacenters) are running over VM. 
> > Those
> > intruders that think that VM == honeypot will change their mindset 
> > soon.
> >
> > Regards
> >
> > Javier
> >     


-- 
---------------------------------------------------------------------
Robert Sandilands: Director, AV
Disclaimer: http://robert.rsa3.com/disclaimer.html
Authentium: Home of Command Software
www.authentium.com