Welcome to the Virus.Org Mailing List Archive
Re: (pacsec bonus) Re: VMWare Detection?
  • To: [EMAIL PROTECTED]
  • Subject: Re: (pacsec bonus) Re: VMWare Detection?
  • From: Mike Tremoulet <[EMAIL PROTECTED]>
  • Date: Fri, 19 Nov 2004 00:17:38 -0600
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
  • Reply-to: Mike Tremoulet <[EMAIL PROTECTED]>
On Thu, 18 Nov 2004 21:36:04 -0600, Lance Spitzner <[EMAIL PROTECTED]> wrote:
> Lots of great discussions and tools demonstrated on detecting the use
> of VMware.  Some pondering, if I may.
> 
> - In reference to honeypots, is the detection of VMware a bad thing?
> Okay, the attacker gains access and identifies the system is using
> VMware.  Lots of legitimate organizations use VMware, the economics of
> virtualization can be a big motivator.  In fact, this will potentially
> grow.  So, I would contend that the detection of VMware does not
> automatically mean honeypot.

I agree with the contention, but can we also separate the versions of
VMWare?  (Say, the desktop from the server editions of the product?)
I'm more likely to believe a company running their web server farm on
the server edition, not the desktop edition, of VMWare.

> - If an attacker does detect VMware, and assumes it's a honeypot and
> leaves the system, does this mean that VMware is potentially more
> secure for production systems?
> 

If your assumption is true, then this holds.  That's a big if.  My
concern with VMware (or UML, or coLinux, or qemu, or Virtual PC, or
any other virtualization technology) is that it is ultimately a
program written by people.  Like any other software, that program will
have flaws.  So I could as easily (in my opinion) see an attacker
detecting VMware and launching a different set of attacks aimed at
controlling the physical host.  This may be an acceptable risk on a
honeypot, but to rely on this for a production system makes me uneasy.

> - If attackers or automated threats do begin running automated
> detection mechanisms for VMware, would it not then be possible to put
> those very same signatures into legitimate systems, so threats now
> avoid them?
> 

See above.  You may avoid threats, but may invite a different set of
threats.  Admittedly, this might not be valid without the virtualization
software running, but still - you rely on the strength of your decoy
instead of more solid prevention/countermeasures.

-- Mike

-- 
just a Gnome of Zurich ... feeding tiny bits of information from all over...
