Virus.Org Mailing List Archive




Re: (pacsec bonus) Re: VMWare Detection?

  • To: Lance Spitzner <[EMAIL PROTECTED]>
  • Subject: Re: (pacsec bonus) Re: VMWare Detection?
  • From: Stef <[EMAIL PROTECTED]>
  • Date: Thu, 18 Nov 2004 22:15:44 -0600
  • Cc: Kurt Seifried <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
  • Reply-to: Stef <[EMAIL PROTECTED]>
 
Comments in-line

On Thu, 18 Nov 2004 21:36:04 -0600, Lance Spitzner <[EMAIL PROTECTED]> wrote:
> Lots of great discussions and tools demonstrated on detecting the use
> of VMware.  Some pondering, if I may.
> 
> - In reference to honeypots, is the detection of VMware a bad thing?
> Okay, the attacker gains access and identifies the system is using
> VMware.  Lots of legitimate organizations use VMware, the economics of
> virtualization can be a big motivator.  In fact, this will potentially
> grow.  So, I would contend that the detection of VMware does not
> automatically mean honeypot.

Perfectly true! In fact none of our VMWare [production!] machines are
honeypots - honeypots are everything BUT virtualized environments of
any sort. By the way - if not willing or - even worse - not paying
attention to changing them - the MAC addresses would betray VMWare,
also ;)
( http://www.giac.org/practical/GCIA/Dana_Webber_GCIA.pdf and
http://tinyurl.com/566lw )

> - If an attacker does detect VMware, and assumes it's a honeypot and
> leaves the system, does this mean that VMware is potentially more
> secure for production systems?
> 

If that would be true, then I would really move all my servers to VMWare ...

> - If attackers or automated threats do begin running automated
> detection mechanisms for VMware, would it not then be possible to put
> those very same signatures into legitimate systems, so threats now
> avoid them?
> 

Yes!!! ... or at least I hope so (see previous point) ...

> I'm not attempting to downplay the detection issue, but just some
> random thoughts.
> 
> lance

All very good points, Lance, and the more so that people - for
whatever reasons - seem to equate VMWare with HONeypot (VMW = HON :))

Stef

> 
> 
> 
> On Nov 16, 2004, at 16:35, Kurt Seifried wrote:
> 
> > Computer BIOS
> > One way to identify VMware systems is by their BIOS; there are a
> > number of free Windows utilities that can query the BIOS for
> > information and even extract a copy of the BIOS from the VMware
> > system. The good news is that from within Windows NT/2000 you cannot
> > easily access the BIOS and send commands, as direct access to the
> > hardware is blocked. You can, however, easily query the BIOS for
> > information from within the guest operating system; you will be given
> > the following information:
> 
>
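
An added example, not part of the original message: a honeypot or production operator can audit a guest's interfaces for the MAC address giveaway Stef mentions by checking each NIC against the OUI prefixes publicly registered to VMware. The prefix list, the function names and the sample `ip link` output are assumptions constructed for this illustration.

```python
import re

# OUI prefixes publicly registered to VMware (not taken from the message).
VMWARE_OUIS = {"000569", "000c29", "001c14", "005056"}

MAC_RE = re.compile(r"\b((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\b")
IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)")  # "2: eth0: <...>" -> eth0


def oui(mac):
    """Return the first three octets of a MAC as six lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())[:6]


def audit_ip_link(text):
    """Return [(interface, mac)] for NICs whose MAC still has a VMware OUI."""
    findings, iface = [], None
    for line in text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            iface = header.group(1)
            continue
        if "link/ether" not in line:  # skips loopback and non-Ethernet links
            continue
        mac = MAC_RE.search(line)  # first MAC on the line is the address
        if mac and oui(mac.group(1)) in VMWARE_OUIS:
            findings.append((iface, mac.group(1).lower()))
    return findings


# Constructed sample of `ip link` output from a hypothetical guest.
SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP
    link/ether 00:0C:29:3e:5f:a1 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP
    link/ether 02:1a:2b:3c:4d:5e brd ff:ff:ff:ff:ff:ff
4: eth2@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq state UP
    link/ether 00:50:56:ab:cd:ef brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    for name, mac in audit_ip_link(SAMPLE):
        print(f"{name}: {mac} still carries a VMware OUI")
```

An interface whose address was changed (eth1 in the sample) is not reported, which is the outcome the message describes for operators who do change the defaults.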

 