Honeypots mailing list archives

RE: (pacsec bonus) Re: VMWare Detection?


From: "M. Shirk" <shirkdog_linux () hotmail com>
Date: Fri, 19 Nov 2004 12:25:53 -0500

It would be upsetting if the next ScanOfTheMonth had a binary with this capability. No one could get the malware to execute because it would shut down after detecting the VMWare environment. :-)

Shirkdog
http://www.shirkdog.us

-----Original Message-----
From: Christopher.Croad () rl af mil [mailto:Christopher.Croad () rl af mil]
Sent: Friday, November 19, 2004 9:20 AM
To: honeypots () securityfocus com
Subject: RE: (pacsec bonus) Re: VMWare Detection?
Importance: Low


A little off the honeypot topic, but wouldn't the bigger problem with
VMWare detection be to those of us doing Malware analysis?  I almost
exclusively use a laptop system with multiple VMWare Guests running to
analyze a suspect piece of Malware.  I have found some workarounds to VMWare
detections (i.e., the code looks for VMWare tools, so delete it... it looks for
Mac Addresses, so change them), but I don't know how to address the
detection given in this thread.

Is my nice, compact, portable (not to mention powerhouse) analysis
laptop/lab about to be replaced by desks full of actual computers to do
analysis? Ugh!

Chris


