Honeypots mailing list archives

RE: (pacsec bonus) Re: VMWare Detection?


From: Croad Christopher D Contr AFRL/IFOSS <Christopher.Croad () rl af mil>
Date: Fri, 19 Nov 2004 14:19:37 -0000

A little off the honeypot topic, but wouldn't the bigger problem with
VMware detection be to those of us doing malware analysis?  I almost
exclusively use a laptop system with multiple VMware guests running to
analyze a suspect piece of malware.  I have found some workarounds to VMware
detections (i.e. the code looks for VMware Tools, so delete it...it looks for
MAC addresses, so change them), but I don't know how to address the
detection given in this thread.

Is my nice, compact, portable (not to mention powerhouse) analysis
laptop/lab about to be replaced by desks full of actual computers to do
analysis? Ugh!

Chris

-----Original Message-----
From: Lance Spitzner [mailto:lance () honeynet org]
Sent: Thursday, November 18, 2004 10:36 PM
To: Kurt Seifried
Cc: honeypots () securityfocus com
Subject: Re: (pacsec bonus) Re: VMWare Detection?

Lots of great discussions and tools demonstrated on detecting the use of
VMware.  Some pondering, if I may.

- In reference to honeypots, is the detection of VMware a bad thing?
Okay, the attacker gains access and identifies the system is using VMware.
Lots of legitimate organizations use VMware, the economics of virtualization
can be a big motivator.  In fact, this will potentially grow.  So, I would
contend that the detection of VMware does not automatically mean honeypot.

- If an attacker does detect VMware, and assumes it's a honeypot and leaves
the system, does this mean that VMware is potentially more secure for
production systems?

- If attackers or automated threats do begin running automated detection
mechanisms for VMware, would it not then be possible to put those very same
signatures into legitimate systems, so threats now avoid them?

I'm not attempting to downplay the detection issue, but just some random
thoughts.

lance

On Nov 16, 2004, at 16:35, Kurt Seifried wrote:

Computer BIOS
One way to identify VMware systems is by their BIOS. There are a
number of free Windows utilities that can query the BIOS for
information and even extract a copy of the BIOS from the VMware
system. The good news is that from within Windows NT/2000 you cannot
easily access the BIOS and send commands, as direct access to the
hardware is blocked. You can, however, easily query the BIOS for
information from within the guest operating system; you will be given
the following information:
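Chris's practical question is what the guest actually hands back to a query of this kind. As an added example that is not from this thread, the following Python reads the DMI/SMBIOS strings a Linux guest publishes under /sys/class/dmi/id (the Windows equivalent is WMI's Win32_BIOS and Win32_ComputerSystem classes) and reports which hypervisor marker, if any, appears, so an analyst can see what their lab VM exposes; the marker lists and the sample guest record are assumptions, not values captured from a real system.

```python
from pathlib import Path

# DMI/SMBIOS fields the Linux kernel exposes to userspace under /sys/class/dmi/id.
DMI_FIELDS = ("bios_vendor", "bios_version", "sys_vendor", "product_name", "board_vendor")

# Substrings typically found in hypervisor SMBIOS strings. The VMware entry is the
# case this thread discusses; the others are assumed for illustration only.
VENDOR_MARKERS = {
    "VMware": ("vmware",),
    "VirtualBox": ("virtualbox", "innotek"),
    "QEMU": ("qemu", "bochs"),
}


def read_dmi(root="/sys/class/dmi/id"):
    """Read the DMI strings the guest exposes; a missing or unreadable file yields ''."""
    out = {}
    for field in DMI_FIELDS:
        try:
            out[field] = Path(root, field).read_text(encoding="utf-8", errors="replace").strip()
        except OSError:
            out[field] = ""
    return out


def classify(dmi):
    """Return the hypervisor whose marker appears in any DMI string, or None."""
    blob = " ".join(dmi.get(f, "") for f in DMI_FIELDS).lower()
    for name, markers in VENDOR_MARKERS.items():
        if any(m in blob for m in markers):
            return name
    return None


# Constructed sample in the shape a VMware guest commonly reports (not a captured record).
SAMPLE_VMWARE_GUEST = {
    "bios_vendor": "Phoenix Technologies LTD",
    "bios_version": "6.00",
    "sys_vendor": "VMware, Inc.",
    "product_name": "VMware Virtual Platform",
    "board_vendor": "Intel Corporation",
}

if __name__ == "__main__":
    dmi = read_dmi()  # falls back to empty strings on a host without sysfs DMI
    for field, value in dmi.items():
        print(f"{field:14s} {value!r}")
    print("hypervisor marker:", classify(dmi) or "none found")
```

Run inside the guest to list the strings; an empty result on a non-Linux host only means the sysfs path is absent, not that the BIOS is silent.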
