Honeypots mailing list archives
Re: Stealth VM
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Thu, 06 Nov 2008 13:19:07 +0100
Stuart Gilchrist-Thomas dijo:
Hi, Does anyone have any pointers to evidence or advice on hiding or reducing the detection of VM honey pots. I know of temporal issues e.g. Timing metrics can give away a VM, and that you can manually alter peripheral identities e.g. virtual network cards etc. I've also created a company to purchase ip and hosting space to ensure a form of identity in depth. But I still lack experience in preventing detection. Can you help? Are you my only hope? ;)
Why hide the fact that the honeypot is running on VM? After all, many environments in production (@datacenters) are running over VM. Those intruders that think that VM == honeypot will change their mindset soon. Regards Javier
Current thread:
- Stealth VM Stuart Gilchrist-Thomas (Oct 06)
- Re: Stealth VM Michael Bailey (Oct 06)
- Re: Stealth VM Javier Fernandez-Sanguino (Nov 06)
- RE: Stealth VM Michael Owen (Nov 06)
- Re: Stealth VM Stuart Thomas (Nov 07)
- RE: Stealth VM Michael Owen (Nov 06)
- <Possible follow-ups>
- Re: Stealth VM Earl (Nov 07)
- Re: Stealth VM Robert Sandilands (Nov 07)
- Re: Stealth VM Thorsten Holz (Nov 08)
- Re: Stealth VM Robert Sandilands (Nov 10)
- Re: Stealth VM Thorsten Holz (Nov 10)
- Re: Stealth VM Robert Sandilands (Nov 07)