RE: Building an Honeypot using VMWare

["Bruno MAC Castro" <bcastro () dei uc pt>]

Thanks Bill,

I agree with you in everything... But, it would improve the concept of a
Honeypot if the trace of a virtual machine (VMWare) was hard (or
impossible) to find. My goal is to reach a stage where there is no
visible VMWare process in my honeypot. I also know that it is almost
impossible to reach it, but we need high goals to keep us working...
right?
;-)

For a start, I would be happy with a solution (maybe a tool) that hides
or "camouflage" the VMWare process from the OS Process List.

Any ideas?
Regards
Bruno
______________________________________
Bruno Miguel Abrantes de Campos e Castro
Mail To:
bcastro () portugalmail pt
bcastro () dei uc pt
______________________________________

-----Original Message-----
From: Bill McCarty [mailto:bmccarty () apu edu] 
Sent: segunda-feira, 4 de Novembro de 2002 16:32
To: bcastro () dei uc pt; honeypots () securityfocus com
Subject: Re: Building an Honeypot using VMWare

Hi Bruno and all,

--On Monday, November 04, 2002 3:58 PM +0000 Bruno MAC Castro 
<bcastro () dei uc pt> wrote:

> 4. It would be important to hide the VMWare process on the Guest. I
need
> a tool (or a solution) to cover or hide the VMWare process in both
> systems. Ideas?

There are several other ways for an attacker to determine that the 
compromised host is a virtual host. For example, a virtual machine's 
virtual network adapters have distinctive MAC addresses. Similarly, the 
BIOS string and information from emulated PCI probes can give away the
game.

On the other hand, worms and script kiddies won't care much -- or
possibly 
even notice -- that they've compromised a virtual machine. Yes, askilled

blackhat might notice and care. But, concealing the virtual nature of a 
honeypot from that species is probably beyond the state of the art -- 
possibly a good topic for a master's thesis in itself <grin>.

Cheers,

---------------------------------------------------
Bill McCarty