RE: Building an Honeypot using VMWare

["Bruno MAC Castro" <bcastro () dei uc pt>]

Thanks Muhammad,

Great idea for a Unix (or Linux) system... but I am using 2 (guest and
host) Windows systems. I am already researching for a way to do it in a
Win system... but it is not easy.

Thanks anyway,
Regards
Bruno

______________________________________
Bruno Miguel Abrantes de Campos e Castro
Mail To:
bcastro () portugalmail pt
bcastro () dei uc pt
______________________________________

-----Original Message-----
From: Muhammad Faisal Rauf Danka [mailto:mfrd () attitudex com] 
Sent: segunda-feira, 4 de Novembro de 2002 20:39
To: honeypots () securityfocus com
Subject: RE: Building an Honeypot using VMWare

Have you tried using trojanned binary of ps ?
Hide vmware process the way intruders hide their psybnc processes.

or say:

cat /bin/ps

#!/bin/sh
/bin/.psreal $1 | grep -v "vmware" | grep -v "psreal"

Hide some more processes, im not suggesting to use similar shell
scripts, but just giving you an idea. You could code it in perl, 
and compile it using perlcc, or could compile it in a C code, 
using system();

Regards
--------
Muhammad Faisal Rauf Danka

Head of GemSEC / Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Key Id: 0x784B0202
Key Fingerprint: 6F8C EDCF 6C6E 06A5 48D7 6A20 C592 484B 
784B 0202


--- "Bruno MAC Castro" <bcastro () dei uc pt> wrote:
> Thanks Bill,
>
> I agree with you in everything... But, it would improve the concept of
a
> Honeypot if the trace of a virtual machine (VMWare) was hard (or
> impossible) to find. My goal is to reach a stage where there is no
> visible VMWare process in my honeypot. I also know that it is almost
> impossible to reach it, but we need high goals to keep us working...
> right?
> ;-)
>
> For a start, I would be happy with a solution (maybe a tool) that hides
> or "camouflage" the VMWare process from the OS Process List.
>
> Any ideas?
> Regards
> Bruno
>
> -----Original Message-----
> From: Bill McCarty [mailto:bmccarty () apu edu] 
> Sent: segunda-feira, 4 de Novembro de 2002 16:32
> To: bcastro () dei uc pt; honeypots () securityfocus com
> Subject: Re: Building an Honeypot using VMWare
>
> Hi Bruno and all,
>
> --On Monday, November 04, 2002 3:58 PM +0000 Bruno MAC Castro 
> <bcastro () dei uc pt> wrote:
>
> > 4. It would be important to hide the VMWare process on the Guest. I
> need
> > a tool (or a solution) to cover or hide the VMWare process in both
> > systems. Ideas?
>
> There are several other ways for an attacker to determine that the 
> compromised host is a virtual host. For example, a virtual machine's 
> virtual network adapters have distinctive MAC addresses. Similarly, the

> BIOS string and information from emulated PCI probes can give away the
> game.
>
> On the other hand, worms and script kiddies won't care much -- or
> possibly 
> even notice -- that they've compromised a virtual machine. Yes,
askilled
> blackhat might notice and care. But, concealing the virtual nature of a

> honeypot from that species is probably beyond the state of the art -- 
> possibly a good topic for a master's thesis in itself <grin>.

_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------

_____________________________________________________________
Select your own custom email address for FREE! Get you () yourchoice com
w/No Ads, 6MB, POP & more!
http://www.everyone.net/selectmail?campaign=tag