Honeypots mailing list archives

RE: (pacsec bonus) Re: VMWare Detection?


From: <Glenn_Everhart () bankone com>
Date: Mon, 22 Nov 2004 09:51:03 -0500

While VMware might fail, it is possible some other systems
would still work. Bochs, for example, is a full emulation, does
not rely on hardware modes at all. Thus there is no reason to
suspect it will respond as VMWare does. The downside is that its
speed is less, as it emulates the complete x86, but given the
problem, it is at least an approach.

A long time ago in a galaxy far far away it was suggested for
a similar problem (with a few instructions that were not possible
to virtualize) that the OS code loader might detect these and
insert workarounds. It was an interesting but of course exceedingly
difficult suggestion to implement.

-----Original Message-----
From: M. Shirk [mailto:shirkdog_linux () hotmail com]
Sent: Friday, November 19, 2004 12:26 PM
To: honeypots () securityfocus com
Subject: RE: (pacsec bonus) Re: VMWare Detection?


It would be upsetting if the next ScanOfTheMonth had a binary with this 
capability. No one could get the malware to execute because it would 
shut down after detecting the VMWare environment. :-)

Shirkdog
http://www.shirkdog.us

-----Original Message-----
From: Christopher.Croad () rl af mil [mailto:Christopher.Croad () rl af mil]
Sent: Friday, November 19, 2004 9:20 AM
To: honeypots () securityfocus com
Subject: RE: (pacsec bonus) Re: VMWare Detection?
Importance: Low


A little off the honeypot topic, but wouldn't the bigger problem with
VMWare detection be to those of us doing Malware analysis?  I almost
exclusively use a laptop system with multiple VMWare Guests running to
analyze a suspect piece of Malware.  I have found some workarounds to VMWare
detections (i.e. the code looks for VMWare tools, so delete it...it looks for
MAC addresses, so change them), but I don't know how to address the
detection given in this thread.

Is my nice, compact, portable (not to mention powerhouse) analysis
laptop/lab about to be replaced by desks full of actual computers to do
analysis? Ugh!

Chris
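An added example (my code, not part of the thread) for checking the MAC-address workaround Chris mentions: given the adapter addresses an analysis guest reports, it flags those whose OUI (first three octets) is registered to VMware, so the analyst can confirm the change actually removed that fingerprint. The OUI list is the VMware-assigned set from the IEEE registry as I know it; the sample addresses are constructed.

```python
# Added example (not from the thread): audit a guest's MAC addresses for
# VMware-assigned OUIs, so an analyst can verify that the "change the MAC"
# workaround described above took effect before running a sample.
import re

# OUIs registered to VMware, Inc. in the IEEE registry (assumed current).
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}

# Accepts colon- or hyphen-separated, upper- or lower-case hex octets.
_MAC_RE = re.compile(
    r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})"
    r"[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$"
)


def normalize_mac(mac: str) -> str:
    """Return a lower-case, colon-separated MAC; raise ValueError if malformed."""
    m = _MAC_RE.match(mac.strip().lower())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(m.groups())


def oui(mac: str) -> str:
    """Return the vendor prefix (first three octets) of a MAC address."""
    return normalize_mac(mac)[:8]


def vmware_fingerprints(macs):
    """Return the input MACs (as given) whose OUI is assigned to VMware."""
    return [m for m in macs if oui(m) in VMWARE_OUIS]


# Constructed sample: what a guest's adapters might report before/after the fix.
SAMPLE_GUEST_MACS = ["00:0C:29:AB:CD:EF", "00-50-56-12-34-56", "02:00:00:aa:bb:cc"]

if __name__ == "__main__":
    for m in vmware_fingerprints(SAMPLE_GUEST_MACS):
        print(f"{m}: OUI {oui(m)} is VMware-assigned; change it before analysis")
```

The third sample address uses a locally administered prefix (02:...) and is not flagged, which is what a guest should look like after the workaround.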
