Honeypots mailing list archives
Re: (pacsec bonus) Re: VMWare Detection?
From: Mike Tremoulet <coffeemike () gmail com>
Date: Fri, 19 Nov 2004 00:17:38 -0600
On Thu, 18 Nov 2004 21:36:04 -0600, Lance Spitzner <lance () honeynet org> wrote:
> Lots of great discussions and tools demonstrated on detecting the use of VMware. Some pondering, if I may.
>
> - In reference to honeypots, is the detection of VMware a bad thing? Okay, the attacker gains access and identifies that the system is using VMware. Lots of legitimate organizations use VMware; the economics of virtualization can be a big motivator. In fact, this will potentially grow. So, I would contend that the detection of VMware does not automatically mean honeypot.
I agree with the contention, but can we also separate the versions of VMWare? (Say, the desktop from the server editions of the product?) I'm more likely to believe a company running their web server farm on the server edition, not the desktop edition, of VMWare.
> - If an attacker does detect VMware, and assumes it's a honeypot and leaves the system, does this mean that VMware is potentially more secure for production systems?
If your assumption is true, then this holds. That's a big if. My concern with VMware (or UML, or coLinux, or qemu, or Virtual PC, or any other virtualization technology) is that it is ultimately a program written by people. Like any other software, that program will have flaws. So I could as easily (in my opinion) see an attacker detecting VMware and launching a different set of attacks aimed at controlling the physical host. This may be an acceptable risk on a honeypot, but to rely on this for a production system makes me uneasy.
> - If attackers or automated threats do begin running automated detection mechanisms for VMware, would it not then be possible to put those very same signatures into legitimate systems, so threats now avoid them?
See above. You may avoid threats, but may invite a different set of threats. Admittedly, this might not be valid without the virtualization software running, but still, you rely on the strength of your decoy instead of more solid prevention/countermeasures.

--
Mike -- just a Gnome of Zurich ... feeding tiny bits of information from all over...
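The two sides of this exchange (an intruder scoring a host for VMware tells, and a defender planting the same tells on a legitimate system as a deterrent) can be made concrete with a small model. The following is an added example written for this archive page, not code from the thread or from any VMware tool. It uses artifact values that are real VMware identifiers (the IEEE-registered OUIs 00:05:69, 00:0C:29, 00:1C:14 and 00:50:56, the PCI vendor ID 0x15AD, the DMI strings "VMware, Inc." / "VMware Virtual Platform" and the SCSI model "VMware Virtual disk"), but the host fingerprints it runs over are constructed, the `HostFingerprint` type and all function names are this example's own, and the "planting" step is a model of which artifacts a defender could present, not a procedure for changing them on a live host.

```python
"""Added example: score a host's visible artifacts for VMware tells, then show
how a non-VMware host could be dressed up to trip the same check.  The
fingerprints below are constructed samples, not captures from real systems."""
from dataclasses import dataclass, replace

# MAC OUIs assigned to VMware in the IEEE registry; a guest's virtual NIC uses one.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}
# PCI vendor ID under which VMware's virtual devices (SVGA, vmxnet, ...) appear.
VMWARE_PCI_VENDOR = 0x15AD


@dataclass(frozen=True)
class HostFingerprint:
    """Artifacts a post-compromise check can read without special privilege
    (ifconfig/ip, dmidecode or /sys/class/dmi, lspci, /sys/block/*/device/model)."""
    macs: tuple
    dmi_vendor: str
    dmi_product: str
    pci_vendors: frozenset
    disk_model: str


def vmware_indicators(fp: HostFingerprint) -> list:
    """Return one string per VMware tell found in the fingerprint."""
    hits = []
    for mac in fp.macs:
        if mac.lower()[:8] in VMWARE_OUIS:
            hits.append(f"mac-oui:{mac}")
    if "vmware" in fp.dmi_vendor.lower():
        hits.append(f"dmi-vendor:{fp.dmi_vendor}")
    if "vmware" in fp.dmi_product.lower():
        hits.append(f"dmi-product:{fp.dmi_product}")
    if VMWARE_PCI_VENDOR in fp.pci_vendors:
        hits.append("pci-vendor:0x15ad")
    if "vmware" in fp.disk_model.lower():
        hits.append(f"disk:{fp.disk_model}")
    return hits


def looks_like_vmware(fp: HostFingerprint, min_hits: int = 2) -> bool:
    """Demand more than one independent artifact: a lone OUI is just a set MAC."""
    return len(vmware_indicators(fp)) >= min_hits


def plant_vmware_tells(fp: HostFingerprint) -> HostFingerprint:
    """Model of the decoy idea: present VMware-looking values for the artifacts
    the detector reads.  Which of these a real physical host can present
    depends on whether the defender controls the reading path (a MAC address
    is trivially set; a SCSI inquiry string is not), so this is a model only."""
    planted_mac = "00:0c:29:aa:bb:cc"  # hypothetical address under a VMware OUI
    return replace(fp, macs=(planted_mac,) + fp.macs[1:],
                   disk_model="VMware Virtual disk")


# Constructed sample fingerprints (not captured from real hosts).
VMWARE_GUEST = HostFingerprint(
    macs=("00:0c:29:3f:12:9a",),
    dmi_vendor="VMware, Inc.",
    dmi_product="VMware Virtual Platform",
    pci_vendors=frozenset({0x8086, VMWARE_PCI_VENDOR}),
    disk_model="VMware Virtual disk",
)
BARE_METAL = HostFingerprint(
    macs=("00:1b:21:aa:bb:cc",),  # hypothetical address, not a VMware OUI
    dmi_vendor="Dell Inc.",
    dmi_product="PowerEdge 2650",
    pci_vendors=frozenset({0x8086, 0x1000}),
    disk_model="ST336607LC",
)

if __name__ == "__main__":
    for name, fp in (("guest", VMWARE_GUEST), ("bare metal", BARE_METAL),
                     ("bare metal + planted tells", plant_vmware_tells(BARE_METAL))):
        print(f"{name:28s} vmware={looks_like_vmware(fp)} {vmware_indicators(fp)}")
```

The threshold in `looks_like_vmware` is the practical point on both sides: an attacker who keys on a single artifact is easy to fool, and a defender who plants only the cheap artifacts is only fooling that attacker. An indicator that needs the hypervisor itself to answer (VMware's guest-to-host I/O-port interface, for instance) cannot be planted on bare metal at all, which is exactly the "strength of your decoy" limit Mike raises above.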
Current thread:
- VMWare Detection? Polazzo Justin (Nov 16)
- (pacsec bonus) Re: VMWare Detection? Laurent OUDOT (Nov 16)
- Re: (pacsec bonus) Re: VMWare Detection? Kurt Seifried (Nov 16)
- RE: [in] Re: (pacsec bonus) Re: VMWare Detection? Curt Purdy (Nov 17)
- Re: (pacsec bonus) Re: VMWare Detection? Lance Spitzner (Nov 18)
- Re: (pacsec bonus) Re: VMWare Detection? Stef (Nov 19)
- Re: (pacsec bonus) Re: VMWare Detection? Mike Tremoulet (Nov 19)
- Re: (pacsec bonus) Re: VMWare Detection? MrDemeanour (Nov 19)
- Re: (pacsec bonus) Re: VMWare Detection? awalters (Nov 19)
- Re: (pacsec bonus) Re: VMWare Detection? Dave Dittrich (Nov 22)
- Re: (pacsec bonus) Re: VMWare Detection? Kurt Seifried (Nov 16)
- (pacsec bonus) Re: VMWare Detection? Laurent OUDOT (Nov 16)