Honeypots
Re: Stealth VM Nov 07 2008 01:38AM
Earl (esammons hush com) (1 replies)
Re: Stealth VM Nov 07 2008 02:53PM
Robert Sandilands (rsandilands authentium com) (1 replies)
The majority of Wildlist samples will not work in VMWare.

Although I agree with your sentiments that VMWare is becoming very
common in the enterprise, that is in general not the target for the
majority of malware out there: Home users are still the easiest target.

Robert

Earl wrote:
> Had a conversation about this at lunch today where I informed
> someone that the joke about "Security by the obscurity of running
> in a VM" days are likely either already over or about to be over.
>
> Anyone have any stats or even an educated guess about whether or
> not bad guys still care if they are in a virtualized env before
> they take a box?
>
> Earl
>
> On Thu, 06 Nov 2008 07:19:07 -0500 Javier Fernandez-Sanguino
> <jfernandez (at) germinus (dot) com> wrote:
>
>> Stuart Gilchrist-Thomas wrote:
>>
>>> Hi,
>>>
>>> Does anyone have any pointers to evidence or advice on hiding or
>>> reducing the detection of VM honey pots. I know of temporal issues
>>> e.g. Timing metrics can give away a VM, and that you can manually
>>> alter peripheral identities e.g. virtual network cards etc. I've also
>>> created a company to purchase ip and hosting space to ensure a form
>>> of identity in depth. But I still lack experience in preventing
>>> detection. Can you help? Are you my only hope? ;)
>>>
>> Why hide the fact that the honeypot is running on VM? After all, many
>> environments in production (@datacenters) are running over VM. Those
>> intruders that think that VM == honeypot will change their mindset
>> soon.
>>
>> Regards
>>
>> Javier
>>

--
---------------------------------------------------------------------
Robert Sandilands: Director, AV
Disclaimer: http://robert.rsa3.com/disclaimer.html
Authentium: Home of Command Software
www.authentium.com

Re: Stealth VM Nov 08 2008 07:49AM
Thorsten Holz (thorsten holz gmail com) (1 replies)
Re: Stealth VM Nov 10 2008 03:33PM
Robert Sandilands (rsandilands authentium com) (1 replies)
Re: Stealth VM Nov 10 2008 09:09PM
Thorsten Holz (thorsten holz gmail com)


 

Copyright 2010, SecurityFocus