Re: Building an Honeypot using VMWare

[Alberto Gonzalez <albertg () cerebro violating us>]

(dev@cervello)(~) dmesg |grep VMware
hdc: VMware Virtual IDE CDROM Drive, ATAPI CD/DVD-ROM drive
 Vendor: VMware,   Model: VMware Virtual S  Rev: 1.0

Now most attackers that break into a honeypot, the first thing she does 
is install a rootkit.
Rootkits check for other rootkits if non found, install theirs. Your 
/bin/ps would be useless
at this point since it will install a trojaned binary. Now as to the 
hiding process, if you dont
install vmware-tools there wont be any vmware processes running. As to 
removing any
presence of Vmware, I would LOVE to hear how..

just my 2cents

   - Albert

Muhammad Faisal Rauf Danka wrote:

> Have you tried using trojanned binary of ps ?
> Hide vmware process the way intruders hide their psybnc processes.
>
> or say:
>
> cat /bin/ps
>
> #!/bin/sh
> /bin/.psreal $1 | grep -v "vmware" | grep -v "psreal"
>
> Hide some more processes, im not suggesting to use similar shell
> scripts, but just giving you an idea. You could code it in perl, 
> and compile it using perlcc, or could compile it in a C code, 
> using system();
>
> Regards
> --------
> Muhammad Faisal Rauf Danka
>
> Head of GemSEC / Chief Technology Officer
> Gem Internet Services (Pvt) Ltd.
> web: www.gem.net.pk
> Key Id: 0x784B0202
> Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 
> 784B 0202
>
>
> --- "Bruno MAC Castro" <bcastro () dei uc pt> wrote:
>  
>
> > Thanks Bill,
> >
> > I agree with you in everything... But, it would improve the concept of a
> > Honeypot if the trace of a virtual machine (VMWare) was hard (or
> > impossible) to find. My goal is to reach a stage where there is no
> > visible VMWare process in my honeypot. I also know that it is almost
> > impossible to reach it, but we need high goals to keep us working...
> > right?
> > ;-)
> >
> > For a start, I would be happy with a solution (maybe a tool) that hides
> > or "camouflage" the VMWare process from the OS Process List.
> >
> > Any ideas?
> > Regards
> > Bruno
> >
> > -----Original Message-----
> > From: Bill McCarty [mailto:bmccarty () apu edu] 
> > Sent: segunda-feira, 4 de Novembro de 2002 16:32
> > To: bcastro () dei uc pt; honeypots () securityfocus com
> > Subject: Re: Building an Honeypot using VMWare
> >
> > Hi Bruno and all,
> >
> > --On Monday, November 04, 2002 3:58 PM +0000 Bruno MAC Castro 
> > <bcastro () dei uc pt> wrote:
> >
> >    
> >
> > > 4. It would be important to hide the VMWare process on the Guest. I
> > >      
> > need
> >    
> >
> > > a tool (or a solution) to cover or hide the VMWare process in both
> > > systems. Ideas?
> > >      
> > There are several other ways for an attacker to determine that the 
> > compromised host is a virtual host. For example, a virtual machine's 
> > virtual network adapters have distinctive MAC addresses. Similarly, the 
> > BIOS string and information from emulated PCI probes can give away the
> > game.
> >
> > On the other hand, worms and script kiddies won't care much -- or
> > possibly 
> > even notice -- that they've compromised a virtual machine. Yes, askilled
> >
> > blackhat might notice and care. But, concealing the virtual nature of a 
> > honeypot from that species is probably beyond the state of the art -- 
> > possibly a good topic for a master's thesis in itself <grin>.
> >
> >    
>
> _____________________________________________________________
> ---------------------------
> [ATTITUDEX.COM]
> http://www.attitudex.com/
> ---------------------------
>
> _____________________________________________________________
> Select your own custom email address for FREE! Get you () yourchoice com w/No Ads, 6MB, POP & more! 
> http://www.everyone.net/selectmail?campaign=tag
>
>  

--
The secret to success is to start from scratch and keep on scratching.