Honeypots mailing list archives
Re: Building an Honeypot using VMWare
From: Alberto Gonzalez <albertg () cerebro violating us>
Date: Mon, 04 Nov 2002 23:55:25 -0800
(dev@cervello)(~) dmesg |grep VMware
hdc: VMware Virtual IDE CDROM Drive, ATAPI CD/DVD-ROM drive
  Vendor: VMware    Model: VMware Virtual S    Rev: 1.0

Now, with most attackers that break into a honeypot, the first thing they do is install a rootkit. Rootkits check for other rootkits; if none are found, they install theirs. Your /bin/ps would be useless at this point, since it will install a trojaned binary. Now, as to the hiding process: if you don't install vmware-tools there won't be any vmware processes running. As to removing any presence of VMware, I would LOVE to hear how.. just my 2 cents.

- Albert

Muhammad Faisal Rauf Danka wrote:

> Have you tried using a trojaned binary of ps? Hide the vmware process the way intruders hide their psybnc processes. Or say:
>
>     cat /bin/ps
>     #!/bin/sh
>     /bin/.psreal $1 | grep -v "vmware" | grep -v "psreal"
>
> Hide some more processes; I'm not suggesting to use similar shell scripts, but just giving you an idea. You could code it in Perl and compile it using perlcc, or could compile it as C code, using system();
>
> Regards
> --------
> Muhammad Faisal Rauf Danka
> Head of GemSEC / Chief Technology Officer
> Gem Internet Services (Pvt) Ltd.
> web: www.gem.net.pk
> Key Id: 0x784B0202
> Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 784B 0202
>
> --- "Bruno MAC Castro" <bcastro () dei uc pt> wrote:
>
>> Thanks Bill, I agree with you in everything... But, it would improve the concept of a Honeypot if the trace of a virtual machine (VMWare) was hard (or impossible) to find. My goal is to reach a stage where there is no visible VMWare process in my honeypot. I also know that it is almost impossible to reach it, but we need high goals to keep us working... right? ;-)
>>
>> For a start, I would be happy with a solution (maybe a tool) that hides or "camouflages" the VMWare process from the OS Process List. Any ideas?
>>
>> Regards
>> Bruno
>>
>> -----Original Message-----
>> From: Bill McCarty [mailto:bmccarty () apu edu]
>> Sent: Monday, 4 November 2002 16:32
>> To: bcastro () dei uc pt; honeypots () securityfocus com
>> Subject: Re: Building an Honeypot using VMWare
>>
>>> Hi Bruno and all,
>>>
>>> --On Monday, November 04, 2002 3:58 PM +0000 Bruno MAC Castro <bcastro () dei uc pt> wrote:
>>>
>>>> 4. It would be important to hide the VMWare process on the Guest. I need a tool (or a solution) to cover or hide the VMWare process in both systems. Ideas?
>>>
>>> There are several other ways for an attacker to determine that the compromised host is a virtual host. For example, a virtual machine's virtual network adapters have distinctive MAC addresses. Similarly, the BIOS string and information from emulated PCI probes can give away the game.
>>>
>>> On the other hand, worms and script kiddies won't care much -- or possibly even notice -- that they've compromised a virtual machine. Yes, a skilled blackhat might notice and care. But, concealing the virtual nature of a honeypot from that species is probably beyond the state of the art -- possibly a good topic for a master's thesis in itself <grin>.
-- The secret to success is to start from scratch and keep on scratching.
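Two points in this thread lend themselves to a self-check a honeypot operator can run from inside the guest: which VMware fingerprints the guest exposes (the dmesg strings Alberto pasted and the distinctive NIC MAC addresses Bill mentions), and whether the installed ps still reports every process in /proc, which is the simplest way to notice that ps has been replaced by a filtering wrapper of the kind sketched above. The following Python script is an added example written for this archive page; it is not code from any of the posters. The VMware OUI prefixes are well-known registered values rather than something taken from the thread, and the sample dmesg, MAC and ps data are constructed so the script runs offline; with --live it reads the real host (dmesg may need root on kernels with dmesg_restrict).

```python
"""Honeypot exposure self-check (added example; not code from the thread).

  vmware_indicators(): VMware fingerprints visible from inside the guest,
      from kernel ring-buffer text and NIC MAC address OUIs.
  hidden_pids(): PIDs present in /proc that the installed ps did not list,
      the classic sign of a wrapped or trojaned ps.

Run with no arguments it checks the constructed sample data; with --live it
reads the real dmesg, sysfs and ps of the host it runs on (Linux only).
"""
import re
import subprocess
import sys
from pathlib import Path

# MAC prefixes (OUIs) registered to VMware; well-known values, not from the thread.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}


def vmware_indicators(dmesg_text, mac_addrs):
    """Return human-readable findings; an empty list means nothing was spotted."""
    findings = []
    for line in dmesg_text.splitlines():
        if "vmware" in line.lower():
            findings.append("dmesg: " + line.strip())
    for mac in mac_addrs:
        oui = mac.lower().replace("-", ":")[:8]
        if oui in VMWARE_OUIS:
            findings.append("mac: %s has VMware OUI %s" % (mac, oui))
    return findings


def parse_ps_pids(ps_output):
    """Extract PIDs from 'ps -e'-style output (PID is the first column)."""
    pids = set()
    for line in ps_output.splitlines()[1:]:      # first line is the header
        m = re.match(r"\s*(\d+)\b", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def hidden_pids(proc_pids, ps_output):
    """PIDs that exist in /proc but that ps did not report, ascending."""
    return sorted(set(proc_pids) - parse_ps_pids(ps_output))


# Constructed sample data, modelled on the dmesg excerpt in the thread.
SAMPLE_DMESG = (
    "hdc: VMware Virtual IDE CDROM Drive, ATAPI CD/DVD-ROM drive\n"
    "  Vendor: VMware    Model: VMware Virtual S    Rev: 1.0\n"
    "eth0: link up, 100 Mbps full duplex\n"
)
SAMPLE_MACS = ["00:0C:29:AB:CD:EF", "08:00:27:11:22:33"]   # constructed
SAMPLE_PROC_PIDS = [1, 2, 417, 1024, 1337]                  # constructed
SAMPLE_PS = (                                               # constructed; PID 1337 filtered out
    "  PID TTY          TIME CMD\n"
    "    1 ?        00:00:01 init\n"
    "    2 ?        00:00:00 kflushd\n"
    "  417 ?        00:00:00 sshd\n"
    " 1024 ?        00:00:00 bash\n"
)


def proc_snapshot():
    return {int(p.name) for p in Path("/proc").iterdir() if p.name.isdigit()}


def live_inputs():
    """Gather real inputs. /proc is sampled before and after ps and intersected,
    so short-lived processes (and ps itself) do not show up as 'hidden'."""
    dmesg = subprocess.run(["dmesg"], capture_output=True, text=True).stdout
    macs = [p.read_text().strip() for p in Path("/sys/class/net").glob("*/address")]
    before = proc_snapshot()
    ps_out = subprocess.run(["ps", "-e"], capture_output=True, text=True).stdout
    proc_pids = before & proc_snapshot()
    return dmesg, macs, proc_pids, ps_out


def main():
    if "--live" in sys.argv:
        dmesg, macs, proc_pids, ps_out = live_inputs()
    else:
        dmesg, macs, proc_pids, ps_out = SAMPLE_DMESG, SAMPLE_MACS, SAMPLE_PROC_PIDS, SAMPLE_PS
    for finding in vmware_indicators(dmesg, macs):
        print("VM fingerprint:", finding)
    for pid in hidden_pids(proc_pids, ps_out):
        print("PID %d is in /proc but missing from ps output" % pid)


if __name__ == "__main__":
    main()
```

The /proc cross-check only catches user-space tricks such as a wrapper or patched ps binary; a kernel-level rootkit that filters /proc itself defeats it, which is the same reason Alberto expects the guest's own tools to be untrustworthy once a rootkit is in.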
Current thread:
- Building an Honeypot using VMWare Bruno MAC Castro (Nov 04)
- Re: Building an Honeypot using VMWare Bill McCarty (Nov 04)
- RE: Building an Honeypot using VMWare Bruno MAC Castro (Nov 04)
- RE: Building an Honeypot using VMWare Edward Balas (Nov 04)
- RE: Building an Honeypot using VMWare Bruno MAC Castro (Nov 04)
- Re: Building an Honeypot using VMWare Michael (Nov 13)
- RE: Building an Honeypot using VMWare Bruno MAC Castro (Nov 04)
- Re: Building an Honeypot using VMWare Bill McCarty (Nov 04)
- Re: Building an Honeypot using VMWare Floydman (Nov 04)
- <Possible follow-ups>
- RE: Building an Honeypot using VMWare Muhammad Faisal Rauf Danka (Nov 04)
- Re: Building an Honeypot using VMWare Alberto Gonzalez (Nov 05)
- RE: Building an Honeypot using VMWare Bruno MAC Castro (Nov 05)
- Re: Building an Honeypot using VMWare Ali Saifullah Khan (Nov 12)
- RE: Building an Honeypot using VMWare Dennis Rand (Nov 05)