Honeypots mailing list archives

Re: Stealth VM

From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Thu, 06 Nov 2008 13:19:07 +0100

Stuart Gilchrist-Thomas dijo:

Hi,

Does anyone have any pointers to evidence or advice on hiding or
reducing the detection of VM honey pots. I know of temporal issues
e.g. Timing metrics can give away a VM, and that you can manually
alter peripheral identities e.g. virtual network cards etc. I've also
created a company to purchase ip and hosting space to ensure a form
of identity in depth. But I still lack experience in preventing
detection. Can you help? Are you my only hope? ;)


Why hide the fact that the honeypot is running on VM? After all, many
environments in production (@datacenters) are running over VM. Those
intruders that think that VM == honeypot will change their mindset soon.

Regards

Javier

Current thread:

Stealth VM Stuart Gilchrist-Thomas (Oct 06)
- Re: Stealth VM Michael Bailey (Oct 06)
- Re: Stealth VM Javier Fernandez-Sanguino (Nov 06)
  - RE: Stealth VM Michael Owen (Nov 06)
    - Re: Stealth VM Stuart Thomas (Nov 07)
- <Possible follow-ups>
- Re: Stealth VM Earl (Nov 07)
  - Re: Stealth VM Robert Sandilands (Nov 07)
    - Re: Stealth VM Thorsten Holz (Nov 08)
    - Re: Stealth VM Robert Sandilands (Nov 10)
    - Re: Stealth VM Thorsten Holz (Nov 10)