Honeypots mailing list archives

Re: (pacsec bonus) Re: VMWare Detection?


From: Dave Dittrich <dittrich () u washington edu>
Date: Mon, 22 Nov 2004 12:55:02 -0800 (PST)

- In reference to honeypots, is the detection of VMware a bad thing?
Okay, the attacker gains access and identifies the system is using
VMware.  Lots of legitimate organizations use VMware, the economics of
virtualization can be a big motivator.  In fact, this will potentially
grow.  So, I would contend that the detection of VMware does not
automatically mean honeypot.

- If an attacker does detect VMware, and assumes it's a honeypot and
leaves the system, does this mean that VMware is potentially more
secure for production systems?

That is a good point, and for some threats it may increase security.
(Note I said "some" and "may.") In this discussion, it is important to
not over-generalize.  Not all malware works the same, nor do all
attackers use the same methods or have the same skill level.  The
increase in security one might get from using VMWare to avoid some
threats may make them more vulnerable in other ways (as some have
pointed out in this thread.)  This is never a simple matter.

- If attackers or automated threats do begin running automated
detection mechanisms for VMware, would it not then be possible to
put those very same signatures into legitimate systems, so threats
now avoid them?

This isn't theoretical.  They already have.  Agobot (this code from
before March of this year) includes code that detects VMWare:

 . . .
/*
        Check if running inside VMWare
*/

int IsVMWare() {
        /* VMGetVersion() is defined elsewhere in the Agobot source (elided above) */
        int version=VMGetVersion();
        if(version) return true; else return false;
}
 . . .

It also detects single-step debugging, presence of SoftICE and other
Windows debuggers, etc.  As someone else pointed out, this is more
to avoid malware analysis, since many organizations doing malware
analysis are very heavily invested in using VM environments to do
this.  Does this mean you are less vulnerable to Agobot infection if
you use VMWare?  Maybe.  But then what about the other hundreds of
trojans that don't yet use VM detection?

The Honeynet project seemed directed towards virtualization and
usability but no one seemed interested in the consequences.

Again, it is wise to avoid over-generalization.  Not everyone in the
Project is directed towards virtualization, and many of us are very
aware of the consequences.

There are trade-offs, and pluses/minuses, of any deployment.  (Don't
forget that typically the "easy" way to do something is also the least
secure. Not always, but a lot of the time that is true.)  I actually
*avoid* use of VM environments in much of my honeynet research
(outside of development, where it is very useful and doesn't pose any
operational risk), specifically to make sure that we *do* have
diversity, flexibility, multiple methods of doing things, etc.  The
more ways there are of overlapping different features and functions,
the harder it will be to detect and avoid everything.

--
Dave Dittrich                           Information Assurance Researcher,
dittrich () u washington edu               The iSchool
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1  0CD0 8E0C D0BE C838 CCB5
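An added example, not part of Dave's post or of Agobot's source, showing how a malware analyst can triage a sample for the kind of VMware check Agobot makes. It assumes VMGetVersion() is built on the documented VMware "backdoor" I/O port (magic 0x564D5868 in EAX, port 0x5658 in DX, command 0x0A in ECX, then `in eax, dx`) and scans a constructed byte string for the x86 immediates that sequence compiles to.

```python
"""Heuristic scan for the VMware backdoor GETVERSION call sequence in a binary."""
import struct

# VMware backdoor constants (public; documented in open-vm-tools' backdoor_def.h).
BDOOR_MAGIC = 0x564D5868        # 'VMXh', loaded into EAX
BDOOR_PORT = 0x5658             # 'VX', loaded into DX
BDOOR_CMD_GETVERSION = 0x0A     # command number, loaded into ECX

# x86 encodings a compiler typically emits for these immediates (mov r32, imm32).
SIGNATURES = {
    "mov eax, VMXh": b"\xb8" + struct.pack("<I", BDOOR_MAGIC),
    "mov edx, 5658h": b"\xba" + struct.pack("<I", BDOOR_PORT),
    "mov ecx, 0Ah (GETVERSION)": b"\xb9" + struct.pack("<I", BDOOR_CMD_GETVERSION),
    "in eax, dx": b"\xed",
}


def scan_for_vmware_backdoor(data: bytes, window: int = 48) -> list:
    """Return one finding per 'mov eax, VMXh' occurrence in `data`.

    Each finding lists which pieces of the backdoor call sequence appear in the
    following `window` bytes; a lone magic constant is weak evidence, the port
    immediate and the `in` opcode nearby make a VM check likely.
    """
    findings = []
    magic = SIGNATURES["mov eax, VMXh"]
    start = 0
    while (pos := data.find(magic, start)) != -1:
        region = data[pos:pos + window]
        evidence = ["mov eax, VMXh"]
        for name in ("mov edx, 5658h", "mov ecx, 0Ah (GETVERSION)", "in eax, dx"):
            if SIGNATURES[name] in region:
                evidence.append(name)
        findings.append({"offset": pos, "evidence": evidence,
                         "likely_vm_check": len(evidence) >= 3})
        start = pos + 1
    return findings


# Constructed samples: NOP filler around the backdoor sequence, and a clean blob
# that merely contains the string "VMware" (which must not trigger a finding).
SAMPLE_WITH_CHECK = (b"\x90" * 16
                     + b"\xb8\x68\x58\x4d\x56"      # mov eax, 564D5868h
                     + b"\xb9\x0a\x00\x00\x00"      # mov ecx, 0Ah
                     + b"\xba\x58\x56\x00\x00"      # mov edx, 5658h
                     + b"\xed"                      # in eax, dx
                     + b"\xc3" + b"\x90" * 16)      # ret, filler
SAMPLE_CLEAN = b"\x90" * 8 + b"VMware Tools" + b"\x90" * 8

if __name__ == "__main__":
    for finding in scan_for_vmware_backdoor(SAMPLE_WITH_CHECK):
        print(finding)
```

The heuristic only catches the straightforward mov-immediate encoding; an obfuscated or differently compiled check needs a disassembler-based rule, but the constants to look for stay the same.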

