Honeypots mailing list archives
RE: Stealth VM
From: "Michael Owen" <mowen () costco com>
Date: Thu, 6 Nov 2008 13:54:03 -0800
Stuart Gilchrist-Thomas dijo:Hi, Does anyone have any pointers to evidence or advice on hiding or reducing the detection of VM honey pots. I know of temporal issues e.g. Timing metrics can give away a VM, and that you can manually alter peripheral identities e.g. virtual network cards etc.I've alsocreated a company to purchase ip and hosting space to ensure a form of identity in depth. But I still lack experience in preventing detection. Can you help? Are you my only hope? ;)Why hide the fact that the honeypot is running on VM? After all, many environments in production (@datacenters) are running over VM. Those intruders that think that VM == honeypot will change their mindset soon. Regards Javier
As Javier says, I'd go the complete other direction. If you're running VMware, install the VMware Tools (as they would be on a normal guest). Don't rename the PCI devices, as you'd be unlikely to ever do that in a real production environment. Assume that there is no way to hide the fact that is in a VM, and make it look like a real VM. Many VMs tend to be specialized in what service they provide, so make sure that your Honey VMs are doing that. You wouldn't have a normal production machine serving up http, smtp and smb, so don't make your Honey VM do that. Make it look just like a real production VM. Mike
Current thread:
- Stealth VM Stuart Gilchrist-Thomas (Oct 06)
- Re: Stealth VM Michael Bailey (Oct 06)
- Re: Stealth VM Javier Fernandez-Sanguino (Nov 06)
- RE: Stealth VM Michael Owen (Nov 06)
- Re: Stealth VM Stuart Thomas (Nov 07)
- RE: Stealth VM Michael Owen (Nov 06)
- <Possible follow-ups>
- Re: Stealth VM Earl (Nov 07)
- Re: Stealth VM Robert Sandilands (Nov 07)
- Re: Stealth VM Thorsten Holz (Nov 08)
- Re: Stealth VM Robert Sandilands (Nov 10)
- Re: Stealth VM Thorsten Holz (Nov 10)
- Re: Stealth VM Robert Sandilands (Nov 07)