Honeypots mailing list archives

Re: Stealth VM


From: Michael Bailey <mibailey () eecs umich edu>
Date: Mon, 6 Oct 2008 07:52:08 -0400

We discussed the extent of and several techniques for honeypot fingerprinting in our paper "Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware" (http://www.eecs.umich.edu/~mibailey/publications/dsn08_final.pdf). Techniques for avoiding this fingerprinting, however, are left as an exercise for the reader ;)

-* michael

On Oct 6, 2008, at 3:20 AM, Stuart Gilchrist-Thomas wrote:

Hi,

Does anyone have any pointers to evidence or advice on hiding or reducing the detection of VM honeypots? I know of temporal issues, e.g. timing metrics can give away a VM, and that you can manually alter peripheral identities, e.g. virtual network cards etc. I've also created a company to purchase IP and hosting space to ensure a form of identity in depth. But I still lack experience in preventing detection. Can you help? Are you my only hope? ;)

Many thanks.

---
Sent whilst mobile.

-original message-
Subject: Re: Honeypot VMs
From: pinowudi <pinowudi () gmail com>
Date: 06/10/2008 00:13

HPC

http://www.honeyclient.org/trac

Jason Lewis wrote:
Are there any honeypot VM resources? I've seen the SPARSA one, but the
link is dead.

jas


