Honeypots mailing list archives
Re: Stealth VM
From: Robert Sandilands <rsandilands () authentium com>
Date: Fri, 07 Nov 2008 09:53:44 -0500
The majority of Wildlist samples will not work in VMWare. Although I agree with your sentiments that VMWare is becoming very common in the enterprise, that is in general not the target for the majority of malware out there: Home users are still the easiest target.

Robert

Earl wrote:
> Had a conversation about this at lunch today where I informed someone that the joke about "Security by the obscurity of running in a VM" days are likely either already over or about to be over. Anyone have any stats or even an educated guess about whether or not bad guys still care if they are in a virtualized env before they take a box?
>
> Earl
>
> On Thu, 06 Nov 2008 07:19:07 -0500 Javier Fernandez-Sanguino <jfernandez () germinus com> wrote:
> > Stuart Gilchrist-Thomas said:
> > > Hi,
> > >
> > > Does anyone have any pointers to evidence or advice on hiding or reducing the detection of VM honey pots. I know of temporal issues e.g. Timing metrics can give away a VM, and that you can manually alter peripheral identities e.g. virtual network cards etc. I've also created a company to purchase ip and hosting space to ensure a form of identity in depth. But I still lack experience in preventing detection. Can you help? Are you my only hope? ;)
> >
> > Why hide the fact that the honeypot is running on VM? After all, many environments in production (@datacenters) are running over VM. Those intruders that think that VM == honeypot will change their mindset soon.
> >
> > Regards
> >
> > Javier
--
---------------------------------------------------------------------
Robert Sandilands: Director, AV
Disclaimer: http://robert.rsa3.com/disclaimer.html
Authentium: Home of Command Software
www.authentium.com