Honeypots
Stealth VM Oct 06 2008 07:20AM
Stuart Gilchrist-Thomas (stuartpaulthomas gmail com) (3 replies)
Re: Stealth VM Apr 06 2009 09:44AM
Dante Signal31 (dante signal31 gmail com)
Re: Stealth VM Nov 06 2008 12:19PM
Javier Fernandez-Sanguino (jfernandez germinus com) (1 replies)
RE: Stealth VM Nov 06 2008 09:54PM
Michael Owen (mowen costco com) (1 replies)
> Stuart Gilchrist-Thomas dijo:

> > Hi,

> >

> > Does anyone have any pointers to evidence or advice on hiding or

> > reducing the detection of VM honey pots. I know of temporal issues

> > e.g. Timing metrics can give away a VM, and that you can manually

> > alter peripheral identities e.g. virtual network cards etc.

> I've also

> > created a company to purchase ip and hosting space to ensure a form

> > of identity in depth. But I still lack experience in preventing

> > detection. Can you help? Are you my only hope? ;)

>

> Why hide the fact that the honeypot is running on VM? After all, many

> environments in production (@datacenters) are running over VM. Those

> intruders that think that VM == honeypot will change their

> mindset soon.

>

> Regards

>

> Javier

>

As Javier says, I'd go the complete other direction. If you're running VMware, install the VMware Tools (as they would be on a normal guest). Don't rename the PCI devices, as you'd be unlikely to ever do that in a real production environment. Assume that there is no way to hide the fact that is in a VM, and make it look like a real VM. Many VMs tend to be specialized in what service they provide, so make sure that your Honey VMs are doing that. You wouldn't have a normal production machine serving up http, smtp and smb, so don't make your Honey VM do that. Make it look just like a real production VM.

Mike

[ reply ]
Re: Stealth VM Nov 07 2008 06:28AM
Stuart Thomas (stuartpaulthomas gmail com)
Re: Stealth VM Oct 06 2008 11:52AM
Michael Bailey (mibailey eecs umich edu)


 

Privacy Statement
Copyright 2010, SecurityFocus