Honeypots mailing list archives
Re: (pacsec bonus) Re: VMWare Detection?
From: Dave Dittrich <dittrich () u washington edu>
Date: Mon, 22 Nov 2004 12:55:02 -0800 (PST)
> - In reference to honeypots, is the detection of VMware a bad thing? Okay, the attacker gains access and identifies the system is using VMware. Lots of legitimate organizations use VMware; the economics of virtualization can be a big motivator. In fact, this will potentially grow. So, I would contend that the detection of VMware does not automatically mean honeypot.
> - If an attacker does detect VMware, and assumes it's a honeypot and leaves the system, does this mean that VMware is potentially more secure for production systems?
That is a good point, and for some threats it may increase security. (Note I said "some" and "may.") In this discussion, it is important to not over-generalize. Not all malware works the same, nor do all attackers use the same methods or have the same skill level. The increase in security one might get from using VMWare to avoid some threats may make them more vulnerable in other ways (as some have pointed out in this thread.) This is never a simple matter.
> - If attackers or automated threats do begin running automated detection mechanisms for VMware, would it not then be possible to put those very same signatures into legitimate systems, so threats now avoid them?
This isn't theoretical. They already have. Agobot (this code from before March of this year) includes code that detects VMWare:

    . . .
    /* Check if running inside VMWare */
    int IsVMWare()
    {
        int version=VMGetVersion();
        if(version) return true;
        else return false;
    }
    . . .

It also detects single-step debugging, presence of SoftICE and other Windows debuggers, etc. As someone else pointed out, this is more to avoid malware analysis, since many organizations doing malware analysis are very heavily invested in using VM environments to do this. Does this mean you are less vulnerable to Agobot infection if you use VMWare? Maybe. But then what about the other hundreds of trojans that don't yet use VM detection?
> The Honeynet project seemed directed towards virtualization and usability but no one seemed interested in the consequences.
Again, it is wise to avoid over-generalization. Not everyone in the Project is directed towards virtualization, and many of us are very aware of the consequences. There are trade-offs, and pluses/minuses, of any deployment. (Don't forget that typically the "easy" way to do something is also the least secure. Not always, but a lot of the time that is true.) I actually *avoid* use of VM environments in much of my honeynet research (outside of development, where it is very useful and doesn't pose any operational risk), specifically to make sure that we *do* have diversity, flexibility, multiple methods of doing things, etc. The more ways there are of overlapping different features and functions, the harder it will be to detect and avoid everything.

--
Dave Dittrich                          Information Assurance Researcher,
dittrich () u washington edu            The iSchool
http://staff.washington.edu/dittrich   University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1 0CD0 8E0C D0BE C838 CCB5
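The thread turns on which artifacts a crude check like Agobot's notices, and on the third quoted question of whether a production host could deliberately carry the same indicators. The following Python is an added example, not code from the thread or from Agobot; it audits constructed host inventory records (not real machines) against two publicly documented VMware indicators, the SMBIOS vendor/product strings that dmidecode exposes and VMware's registered MAC OUIs, which is the same kind of evidence general-purpose tools such as virt-what report. The record layout and host names are assumptions of this example.

```python
# Added example (not code from the thread or from Agobot): report which
# publicly documented VMware indicators a host inventory record exposes.
# Defenders use the answer two ways: strip the indicators from an analysis
# sandbox that must look physical, or, as the thread proposes, leave them on a
# production host so that VM-avoiding malware bails out. Records are constructed.
import re

# VMware's registered MAC OUIs (first three octets), as published by the IEEE.
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}


def mac_oui(mac: str) -> str:
    """Normalise a MAC in any common notation and return its OUI as aa:bb:cc."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))


def vmware_indicators(host: dict) -> list:
    """Return the names of VMware indicators present in one host record.

    Assumed record keys: 'sys_vendor' and 'product_name' (SMBIOS strings as
    shown by dmidecode or /sys/class/dmi/id on Linux) and 'macs' (interface
    addresses in any notation).
    """
    found = []
    if "vmware" in host.get("sys_vendor", "").lower():
        found.append("dmi:sys_vendor")
    if "vmware" in host.get("product_name", "").lower():
        found.append("dmi:product_name")
    for mac in host.get("macs", []):
        oui = mac_oui(mac)
        if oui in VMWARE_OUIS:
            found.append(f"mac:{oui}")
    return found


def looks_like_vmware(host: dict) -> bool:
    """A single indicator is enough for a coarse check like Agobot's to fire."""
    return bool(vmware_indicators(host))


# Constructed inventory records (hypothetical hosts, not real systems).
HOSTS = {
    "analysis-box": {
        "sys_vendor": "VMware, Inc.",
        "product_name": "VMware Virtual Platform",
        "macs": ["00:0C:29:3A:1B:2C"],
    },
    "prod-web": {
        "sys_vendor": "Dell Inc.",
        "product_name": "PowerEdge R620",
        "macs": ["02-11-22-33-44-55"],  # locally administered, constructed
    },
    "prod-web-decoy": {
        # Physical host whose NIC was given a VMware OUI, the idea raised in
        # the thread: VM-shy malware sees the OUI and moves on.
        "sys_vendor": "Dell Inc.",
        "product_name": "PowerEdge R620",
        "macs": ["00:50:56:aa:bb:cc"],
    },
}


def audit(hosts: dict = HOSTS) -> dict:
    """Map host name -> list of indicators for every host in the inventory."""
    return {name: vmware_indicators(rec) for name, rec in hosts.items()}


if __name__ == "__main__":
    for name, hits in audit().items():
        verdict = "VMware-like" if hits else "no VMware indicators"
        print(f"{name}: {verdict} {hits}")
```

The audit is deliberately as shallow as the 2004 bot code it mirrors: one matching indicator is a hit, so a host that keeps only a VMware OUI still trips it, and an analysis sandbox has to scrub every listed artifact, not just the vendor string, to stop looking virtual.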
Current thread:
- VMWare Detection? Polazzo Justin (Nov 16)
- (pacsec bonus) Re: VMWare Detection? Laurent OUDOT (Nov 16)
- Re: (pacsec bonus) Re: VMWare Detection? Kurt Seifried (Nov 16)
- RE: [in] Re: (pacsec bonus) Re: VMWare Detection? Curt Purdy (Nov 17)
- Re: (pacsec bonus) Re: VMWare Detection? Lance Spitzner (Nov 18)
- Re: (pacsec bonus) Re: VMWare Detection? Stef (Nov 19)
- Re: (pacsec bonus) Re: VMWare Detection? Mike Tremoulet (Nov 19)
- Re: (pacsec bonus) Re: VMWare Detection? MrDemeanour (Nov 19)
- Re: (pacsec bonus) Re: VMWare Detection? awalters (Nov 19)
- Re: (pacsec bonus) Re: VMWare Detection? Dave Dittrich (Nov 22)
- Re: (pacsec bonus) Re: VMWare Detection? Kurt Seifried (Nov 16)
- (pacsec bonus) Re: VMWare Detection? Laurent OUDOT (Nov 16)