Honeypots mailing list archives

Re: (pacsec bonus) Re: VMWare Detection?

From: Stef <stefmit () gmail com>
Date: Thu, 18 Nov 2004 22:15:44 -0600

Comments in-line

On Thu, 18 Nov 2004 21:36:04 -0600, Lance Spitzner <lance () honeynet org> wrote:

Lots of great discussions and tools demonstrated on detecting the use
of VMware.  Some pondering, if I may.

- In reference to honeypots, is the detection of VMware a bad thing?
Okay, the attacker gains access and identifies the system is using
VMware.  Lots of legitimate organizations use VMware, the economics of
virtualization can be a big motivator.  In fact, this will potentially
grow.  So, I would contend that the detection of VMware does not
automatically mean honeypot.


Perfectly true! In fact none of our VMWare [production!] machines are
honeypots - honeypots are everything BUT virtualized environments of
any sort. By the way - if not willing or - even worse - not paying
attention to changing them - the MAC addresses would betray VMWare,
also ;)
( http://www.giac.org/practical/GCIA/Dana_Webber_GCIA.pdf and
http://tinyurl.com/566lw )

- If an attacker does detect VMware, and assume its a honeypot and
leaves the system, does this mean that VMware is  potentially more
secure for production systems?


If that would be true, then I would really move all my servers to VMWare ...

- If attackers or automated threats do begin running automated
detection mechanisms for VMware, would it not then be possible to put
those very same signatures into legitimate systems, so threats now
avoid them?


Yes!!! ... or at least I hope so (see previous point) ...

I'm not attempting to downplay the detection issue, but just some
random thoughts.

lance


All very good points, Lance, and the more so that people - for
whatever reasons - seem to equate VMWare with HONeypot (VMW = HON :))

Stef




On Nov 16, 2004, at 16:35, Kurt Seifried wrote:

Computer BIOS
One way to identify VMware systems is by their BIOS, there are a
number of free windows utilities that can query the BIOS for
information and even extract a copy of the BIOS from the VMware
system. The good news is that from within Windows NT/2000 you cannot
easily access the BIOS and send commands as direct access to the
hardware is blocked. You can however easily query the BIOS for
information from within the guest operating system you will be given
the following information:

Current thread:

VMWare Detection? Polazzo Justin (Nov 16)
- (pacsec bonus) Re: VMWare Detection? Laurent OUDOT (Nov 16)
  - Re: (pacsec bonus) Re: VMWare Detection? Kurt Seifried (Nov 16)
    - RE: [in] Re: (pacsec bonus) Re: VMWare Detection? Curt Purdy (Nov 17)
    - Re: (pacsec bonus) Re: VMWare Detection? Lance Spitzner (Nov 18)
    - Re: (pacsec bonus) Re: VMWare Detection? Stef (Nov 19)
    - Re: (pacsec bonus) Re: VMWare Detection? Mike Tremoulet (Nov 19)
    - Re: (pacsec bonus) Re: VMWare Detection? MrDemeanour (Nov 19)
    - Re: (pacsec bonus) Re: VMWare Detection? awalters (Nov 19)
    - Re: (pacsec bonus) Re: VMWare Detection? Dave Dittrich (Nov 22)