Honeypots mailing list archives
RE: (pacsec bonus) Re: VMWare Detection?
From: Croad Christopher D Contr AFRL/IFOSS <Christopher.Croad () rl af mil>
Date: Fri, 19 Nov 2004 14:19:37 -0000
A little off the honeypot topic, but wouldn't the bigger problem with VMWare detection be to those of us doing Malware analysis? I almost exclusively use a laptop system with multiple VMWare Guests running to analyze a suspect piece of Malware. I have found some workarounds to VMWare detections (i.e the code looks for VMWare tools, so delete it...it looks for Mac Addresses, so change them), but I don't know how to address the detection given in this thread. Is my nice, compact, portable (not to mention powerhouse) analysis laptop/lab about to be replaced by desks full of actual computers to do analysis? Ugh! Chris -----Original Message----- From: Lance Spitzner [mailto:lance () honeynet org] Sent: Thursday, November 18, 2004 10:36 PM To: Kurt Seifried Cc: honeypots () securityfocus com Subject: Re: (pacsec bonus) Re: VMWare Detection? Lots of great discussions and tools demonstrated on detecting the use of VMware. Some pondering, if I may. - In reference to honeypots, is the detection of VMware a bad thing? Okay, the attacker gains access and identifies the system is using VMware. Lots of legitimate organizations use VMware, the economics of virtualization can be a big motivator. In fact, this will potentially grow. So, I would contend that the detection of VMware does not automatically mean honeypot. - If an attacker does detect VMware, and assume its a honeypot and leaves the system, does this mean that VMware is potentially more secure for production systems? - If attackers or automated threats do begin running automated detection mechanisms for VMware, would it not then be possible to put those very same signatures into legitimate systems, so threats now avoid them? I'm not attempting to downplay the detection issue, but just some random thoughts. lance On Nov 16, 2004, at 16:35, Kurt Seifried wrote:
Computer BIOS One way to identify VMware systems is by their BIOS, there are a number of free windows utilities that can query the BIOS for information and even extract a copy of the BIOS from the VMware system. The good news is that from within Windows NT/2000 you cannot easily access the BIOS and send commands as direct access to the hardware is blocked. You can however easily query the BIOS for information from within the guest operating system you will be given the following information:
Current thread:
- RE: (pacsec bonus) Re: VMWare Detection? Croad Christopher D Contr AFRL/IFOSS (Nov 19)
- Re: (pacsec bonus) Re: VMWare Detection? Gerry Eisenhaur (Nov 19)
- <Possible follow-ups>
- RE: (pacsec bonus) Re: VMWare Detection? M. Shirk (Nov 19)
- RE: (pacsec bonus) Re: VMWare Detection? Hrvoje Spoljar (Nov 19)
- RE: (pacsec bonus) Re: VMWare Detection? Glenn_Everhart (Nov 22)