Honeypots mailing list archives

Re: Building an Honeypot using VMWare

From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 04 Nov 2002 08:32:17 -0800

Hi Bruno and all,

--On Monday, November 04, 2002 3:58 PM +0000 Bruno MAC Castro<bcastro () dei uc pt> wrote:

4. It would be important to hide the VMWare process on the Guest. I need
a tool (or a solution) to cover or hide the VMWare process in both
systems. Ideas?

There are several other ways for an attacker to determine that thecompromised host is a virtual host. For example, a virtual machine'svirtual network adapters have distinctive MAC addresses. Similarly, theBIOS string and information from emulated PCI probes can give away the game.

On the other hand, worms and script kiddies won't care much -- or possiblyeven notice -- that they've compromised a virtual machine. Yes, askilledblackhat might notice and care. But, concealing the virtual nature of ahoneypot from that species is probably beyond the state of the art --possibly a good topic for a master's thesis in itself <grin>.


Cheers,

---------------------------------------------------
Bill McCarty

Current thread:

Building an Honeypot using VMWare Bruno MAC Castro (Nov 04)
- Re: Building an Honeypot using VMWare Bill McCarty (Nov 04)
  - RE: Building an Honeypot using VMWare Bruno MAC Castro (Nov 04)
    - RE: Building an Honeypot using VMWare Edward Balas (Nov 04)
    - RE: Building an Honeypot using VMWare Bruno MAC Castro (Nov 04)
    - Re: Building an Honeypot using VMWare Michael (Nov 13)
- Re: Building an Honeypot using VMWare Floydman (Nov 04)
- <Possible follow-ups>
- RE: Building an Honeypot using VMWare Muhammad Faisal Rauf Danka (Nov 04)
  - Re: Building an Honeypot using VMWare Alberto Gonzalez (Nov 05)
  - RE: Building an Honeypot using VMWare Bruno MAC Castro (Nov 05)
  - Re: Building an Honeypot using VMWare Ali Saifullah Khan (Nov 12)
- RE: Building an Honeypot using VMWare Dennis Rand (Nov 05)