Honeypots mailing list archives
Re: Stealth VM
From: "Earl" <esammons () hush com>
Date: Thu, 06 Nov 2008 20:38:01 -0500
Had a conversation about this at lunch today where I informed someone that the joke about "Security by the obscurity of running in a VM" days are likely either already over or about to be over. Anyone have any stats or even an educated guess about whether or not bad guys still care if they are in a virtualized env before they take a box? Earl On Thu, 06 Nov 2008 07:19:07 -0500 Javier Fernandez-Sanguino <jfernandez () germinus com> wrote:
Stuart Gilchrist-Thomas dijo:Hi, Does anyone have any pointers to evidence or advice on hiding or reducing the detection of VM honey pots. I know of temporalissuese.g. Timing metrics can give away a VM, and that you canmanuallyalter peripheral identities e.g. virtual network cards etc. I'vealsocreated a company to purchase ip and hosting space to ensure aformof identity in depth. But I still lack experience in preventing detection. Can you help? Are you my only hope? ;)Why hide the fact that the honeypot is running on VM? After all, many environments in production (@datacenters) are running over VM. Those intruders that think that VM == honeypot will change their mindset soon. Regards Javier
Current thread:
- Stealth VM Stuart Gilchrist-Thomas (Oct 06)
- Re: Stealth VM Michael Bailey (Oct 06)
- Re: Stealth VM Javier Fernandez-Sanguino (Nov 06)
- RE: Stealth VM Michael Owen (Nov 06)
- Re: Stealth VM Stuart Thomas (Nov 07)
- RE: Stealth VM Michael Owen (Nov 06)
- <Possible follow-ups>
- Re: Stealth VM Earl (Nov 07)
- Re: Stealth VM Robert Sandilands (Nov 07)
- Re: Stealth VM Thorsten Holz (Nov 08)
- Re: Stealth VM Robert Sandilands (Nov 10)
- Re: Stealth VM Thorsten Holz (Nov 10)
- Re: Stealth VM Robert Sandilands (Nov 07)