Stealth VM

Hi,

Does anyone have any pointers to evidence or advice on hiding or reducing the detection of VM honeypots? I know of temporal issues, e.g. timing metrics can give away a VM, and that you can manually alter peripheral identities, e.g. virtual network cards etc. I've also created a company to purchase IP and hosting space to ensure a form of identity in depth. But I still lack experience in preventing detection. Can you help? Are you my only hope? ;)

Many thanks.

---
Sent whilst mobile.

-original message-
Subject: Re: Honeypot VMs
From: pinowudi <pinowudi@...>
Date: 06/10/2008 00:13

HPC

http://www.honeyclient.org/trac

Jason Lewis wrote:
> Are there any honeypot VM resources? I've seen the SPARSA one, but the
> link is dead.
>
> jas

Re: Stealth VM

We discussed the extent of and several techniques for honeypot fingerprinting in our paper "Towards an Understanding of Anti-virtualization and Anti-debugging Behavior in Modern Malware" (http://www.eecs.umich.edu/~mibailey/publications/dsn08_final.pdf). Techniques for avoiding this fingerprinting, however, are left as an exercise for the reader ;)

-* michael

On Oct 6, 2008, at 3:20 AM, Stuart Gilchrist-Thomas wrote:
> Hi,
>
> Does anyone have any pointers to evidence or advice on hiding or
> reducing the detection of VM honeypots. I know of temporal issues
> e.g. timing metrics can give away a VM, and that you can manually
> alter peripheral identities e.g. virtual network cards etc.
> I've also created a company to purchase IP and hosting space to
> ensure a form of identity in depth. But I still lack experience in
> preventing detection. Can you help? Are you my only hope? ;)
>
> Many thanks.
>
> ---
> Sent whilst mobile.
>
> -original message-
> Subject: Re: Honeypot VMs
> From: pinowudi <pinowudi@...>
> Date: 06/10/2008 00:13
>
> HPC
>
> http://www.honeyclient.org/trac
>
> Jason Lewis wrote:
>> Are there any honeypot VM resources? I've seen the SPARSA one, but
>> the link is dead.
>>
>> jas

Re: Stealth VM

Stuart Gilchrist-Thomas wrote:
> Hi,
>
> Does anyone have any pointers to evidence or advice on hiding or
> reducing the detection of VM honeypots. I know of temporal issues
> e.g. timing metrics can give away a VM, and that you can manually
> alter peripheral identities e.g. virtual network cards etc. I've also
> created a company to purchase IP and hosting space to ensure a form
> of identity in depth. But I still lack experience in preventing
> detection. Can you help? Are you my only hope? ;)

Why hide the fact that the honeypot is running on a VM? After all, many environments in production (@datacenters) are running over VM. Those intruders that think that VM == honeypot will change their mindset soon.

Regards

Javier

RE: Stealth VM

> Stuart Gilchrist-Thomas wrote:
>> Hi,
>>
>> Does anyone have any pointers to evidence or advice on hiding or
>> reducing the detection of VM honeypots. I know of temporal issues
>> e.g. timing metrics can give away a VM, and that you can manually
>> alter peripheral identities e.g. virtual network cards etc. I've also
>> created a company to purchase IP and hosting space to ensure a form
>> of identity in depth. But I still lack experience in preventing
>> detection. Can you help? Are you my only hope? ;)
>
> Why hide the fact that the honeypot is running on a VM? After all, many
> environments in production (@datacenters) are running over VM. Those
> intruders that think that VM == honeypot will change their
> mindset soon.
>
> Regards
>
> Javier

As Javier says, I'd go the complete other direction. If you're running VMware, install the VMware Tools (as they would be on a normal guest). Don't rename the PCI devices, as you'd be unlikely to ever do that in a real production environment. Assume that there is no way to hide the fact that it is in a VM, and make it look like a real VM.

Many VMs tend to be specialized in what service they provide, so make sure that your Honey VMs are doing that. You wouldn't have a normal production machine serving up http, smtp and smb, so don't make your Honey VM do that. Make it look just like a real production VM.

Mike

Re: Stealth VM

Michael Owen wrote:
>> Stuart Gilchrist-Thomas wrote:
>>> Hi,
>>>
>>> Does anyone have any pointers to evidence or advice on hiding or
>>> reducing the detection of VM honeypots. I know of temporal issues
>>> e.g. timing metrics can give away a VM, and that you can manually
>>> alter peripheral identities e.g. virtual network cards etc.
>>> I've also created a company to purchase IP and hosting space to
>>> ensure a form of identity in depth. But I still lack experience in
>>> preventing detection. Can you help? Are you my only hope? ;)
>>
>> Why hide the fact that the honeypot is running on a VM? After all, many
>> environments in production (@datacenters) are running over VM. Those
>> intruders that think that VM == honeypot will change their
>> mindset soon.
>>
>> Regards
>>
>> Javier
>
> As Javier says, I'd go the complete other direction. If you're running
> VMware, install the VMware Tools (as they would be on a normal guest).
> Don't rename the PCI devices, as you'd be unlikely to ever do that in a
> real production environment. Assume that there is no way to hide the
> fact that it is in a VM, and make it look like a real VM. Many VMs tend
> to be specialized in what service they provide, so make sure that your
> Honey VMs are doing that. You wouldn't have a normal production machine
> serving up http, smtp and smb, so don't make your Honey VM do that.
> Make it look just like a real production VM.
>
> Mike

and its detection of its environment too. I like your points though, so would VMware Workstation and GSX Server appear the same from any "leaked" VM signatures? I only have access to a licenced version of VMware Workstation.

Cheers,

Stu

Re: Stealth VM

The majority of Wildlist samples will not work in VMWare.

Although I agree with your sentiments that VMWare is becoming very common in the enterprise, that is in general not the target for the majority of malware out there: home users are still the easiest target.

Robert Earl wrote:
> Had a conversation about this at lunch today where I informed
> someone that the joke about "Security by the obscurity of running
> in a VM" days are likely either already over or about to be over.
>
> Anyone have any stats or even an educated guess about whether or
> not bad guys still care if they are in a virtualized env before
> they take a box?
>
> Earl
>
> On Thu, 06 Nov 2008 07:19:07 -0500 Javier Fernandez-Sanguino
> <jfernandez@...> wrote:
>
>> Stuart Gilchrist-Thomas wrote:
>>
>>> Hi,
>>>
>>> Does anyone have any pointers to evidence or advice on hiding or
>>> reducing the detection of VM honeypots. I know of temporal issues
>>> e.g. timing metrics can give away a VM, and that you can manually
>>> alter peripheral identities e.g. virtual network cards etc. I've also
>>> created a company to purchase IP and hosting space to ensure a form
>>> of identity in depth. But I still lack experience in preventing
>>> detection. Can you help? Are you my only hope? ;)
>>
>> Why hide the fact that the honeypot is running on a VM? After all,
>> many environments in production (@datacenters) are running over VM.
>> Those intruders that think that VM == honeypot will change their
>> mindset soon.
>>
>> Regards
>>
>> Javier

--
---------------------------------------------------------------------
Robert Sandilands: Director, AV
Disclaimer: http://robert.rsa3.com/disclaimer.html
Authentium: Home of Command Software
www.authentium.com

Re: Stealth VM

On Fri, Nov 7, 2008 at 3:53 PM, Robert Sandilands <rsandilands@...> wrote:
> The majority of Wildlist samples will not work in VMWare.

Robert, do you have some concrete numbers for that claim? In our test, we observed that less than 10% of the samples did not run within VMware (tested about half a year ago). This test was based on the samples we receive at cwsandbox.org, so it may be a bit biased. But if I take a look at the Wildlist (where I doubt that it provides a realistic overview of current threats), I see lots of online gaming stealers, IRC bots, and similar malware that commonly does not include checks for VMware. Thus some more evidence for your claim would be nice.

Cheers,
Thorsten

Re: Stealth VM

Hi Thorsten,

If you can provide a better unbiased view of current threats I would love for you to tell the world about it. Whatever the limitations of the Wildlist may be, it is the best unbiased view we have on the threats out there. It is easy to criticize something and I think the Wildlist has become a popular project to criticize, but I have yet to hear of any viable alternatives.

I never measured formal statistics on the number of samples that worked in VMware and those that did not. At some stage it just turned out to be more efficient not to even try replicating it on VMware and we stopped doing it.

How confident are you that the samples you receive are matches for the actual Wildlist malware? Using detection names generally has very limited value.

Robert

Thorsten Holz wrote:
> On Fri, Nov 7, 2008 at 3:53 PM, Robert Sandilands
> <rsandilands@...> wrote:
>
>> The majority of Wildlist samples will not work in VMWare.
>
> Robert, do you have some concrete numbers for that claim? In our test,
> we observed that less than 10% of the samples did not run within
> VMware (tested about half a year ago). This test was based on the
> samples we receive at cwsandbox.org, so it may be a bit biased. But if
> I take a look at the Wildlist (where I doubt that it provides a
> realistic overview of current threats), I see lots of online gaming
> stealers, IRC bots, and similar malware that commonly does not include
> checks for VMware. Thus some more evidence for your claim would be
> nice.
>
> Cheers,
> Thorsten

--
---------------------------------------------------------------------
Robert Sandilands: Director, AV
Disclaimer: http://robert.rsa3.com/disclaimer.html
Authentium: Home of Command Software
www.authentium.com

Re: Stealth VM

Hi Robert,

On Mon, Nov 10, 2008 at 4:33 PM, Robert Sandilands <rsandilands@...> wrote:
> If you can provide a better unbiased view of current threats I would
> love for you to tell the world about it. Whatever the limitations of the
> Wildlist may be, it is the best unbiased view we have on the threats out
> there. It is easy to criticize something and I think the Wildlist has
> become a popular project to criticize, but I have yet to hear of any
> viable alternatives.

I did not criticize the Wildlist, I just pointed out that the malware samples that are currently on the Wildlist (lots of online gaming stealers and IRC bots) commonly do not contain VM detection mechanisms in my experience. Thus I don't believe your claim that "The majority of Wildlist samples will not work in VMWare."

Cheers,
Thorsten

Re: Stealth VM

2008/10/6 Stuart Gilchrist-Thomas <stuartpaulthomas@...>:
> Hi,
>
> Does anyone have any pointers to evidence or advice on hiding or
> reducing the detection of VM honeypots. I know of temporal issues
> e.g. timing metrics can give away a VM, and that you can manually
> alter peripheral identities e.g. virtual network cards etc.
> I've also created a company to purchase IP and hosting space to
> ensure a form of identity in depth. But I still lack experience in
> preventing detection. Can you help? Are you my only hope? ;)
>
> Many thanks.
>
> ---
> Sent whilst mobile.
>
> -original message-
> Subject: Re: Honeypot VMs
> From: pinowudi <pinowudi@...>
> Date: 06/10/2008 00:13
>
> HPC
>
> http://www.honeyclient.org/trac
>
> Jason Lewis wrote:
>> Are there any honeypot VM resources? I've seen the SPARSA one, but the
>> link is dead.
>>
>> jas

Hi Stuart,

last year I wrote on my blog an article about VM detection. It's in Spanish... but shell commands are a universal language ;-)

http://danteslab.blogspot.com/2008/03/deteccin-de-mquinas-virtuales.html

I hope you like it.

Regards,

--
Dante (http://danteslab.blogspot.com/)

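Stuart's question above is about the peripheral identities a guest gives away (virtual NICs and the like), and Dante's reply points at shell commands for spotting a VM. The script below is an added example written for this page; it is not from the thread, from Dante's blog, or from any of the papers mentioned. It enumerates the artefacts a Linux guest leaks through the standard sysfs and procfs paths: DMI/SMBIOS vendor strings, NIC MAC OUIs, PCI vendor IDs and the "hypervisor" CPU flag (CPUID.1:ECX bit 31). The OUIs and PCI vendor IDs are the publicly registered ones; the classifier functions take their input as arguments or on stdin so they can be exercised on constructed data, and the file name vmleaks.sh and the "kind value" inventory format are my own conventions.

```shell
#!/bin/sh
# Added example (not from the thread or Dante's blog): list the artefacts
# that identify a Linux guest as a VM, so a honeypot operator can see what
# the guest leaks before deciding what to change or leave alone.
# OUIs and PCI vendor IDs are the publicly registered ones.

# MAC -> hypervisor vendor by OUI (first three octets).
# 00:05:69/00:0C:29/00:50:56 VMware, 08:00:27 VirtualBox, 00:16:3E Xen,
# 52:54:00 QEMU/KVM default, 00:15:5D Hyper-V.
classify_mac() {
    oui=$(printf '%s' "$1" | tr 'a-f' 'A-F' | cut -c1-8)
    case "$oui" in
        00:05:69|00:0C:29|00:50:56) echo vmware ;;
        08:00:27) echo virtualbox ;;
        00:16:3E) echo xen ;;
        52:54:00) echo qemu-kvm ;;
        00:15:5D) echo hyper-v ;;
        *)        echo none ;;
    esac
}

# DMI/SMBIOS string (sys_vendor, product_name, bios_vendor) -> vendor.
classify_dmi() {
    case "$1" in
        *VMware*)                       echo vmware ;;
        *VirtualBox*|*innotek*)         echo virtualbox ;;
        *QEMU*|*"Standard PC"*|*Bochs*) echo qemu-kvm ;;
        *Xen*)                          echo xen ;;
        *"Virtual Machine"*)            echo hyper-v ;;
        *)                              echo none ;;
    esac
}

# PCI vendor ID (as in /sys/bus/pci/devices/*/vendor or lspci -n) -> vendor.
# 15ad VMware, 80ee VirtualBox, 1af4 Red Hat (virtio), 5853 Xen, 1414 Microsoft.
classify_pci_vendor() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^0x//')" in
        15ad) echo vmware ;;
        80ee) echo virtualbox ;;
        1af4) echo qemu-kvm ;;
        5853) echo xen ;;
        1414) echo hyper-v ;;
        *)    echo none ;;
    esac
}

# Linux exports CPUID.1:ECX bit 31 as the "hypervisor" flag in /proc/cpuinfo.
# Reads cpuinfo-format text on stdin and prints yes or no.
has_hypervisor_flag() {
    if grep -E '^flags[[:space:]]*:' | grep -qw hypervisor; then echo yes; else echo no; fi
}

# Read "kind value" lines (kind = mac|dmi|pci) on stdin; echo each line that
# points at a hypervisor with the vendor appended.
classify_inventory() {
    while read -r kind value; do
        case "$kind" in
            mac) v=$(classify_mac "$value") ;;
            dmi) v=$(classify_dmi "$value") ;;
            pci) v=$(classify_pci_vendor "$value") ;;
            *)   v=none ;;
        esac
        if [ "$v" != none ]; then printf '%s %s %s\n' "$kind" "$value" "$v"; fi
    done
}

# Reduce classified lines to one verdict: the vendor named most often, or
# no-vm-artefacts when nothing matched.
verdict() {
    v=$(awk 'BEGIN { bestn = 0 } { n[$NF]++ }
             END { for (k in n) if (n[k] > bestn) { bestn = n[k]; best = k }; print best }')
    if [ -n "$v" ]; then echo "$v"; else echo no-vm-artefacts; fi
}

# Live inventory of this guest in "kind value" form; every path is guarded
# so the script is harmless on a host that lacks sysfs.
collect_live() {
    for f in /sys/class/dmi/id/sys_vendor /sys/class/dmi/id/product_name \
             /sys/class/dmi/id/bios_vendor; do
        if [ -r "$f" ]; then printf 'dmi %s\n' "$(cat "$f")"; fi
    done
    for f in /sys/class/net/*/address; do
        if [ -r "$f" ]; then printf 'mac %s\n' "$(cat "$f")"; fi
    done
    for f in /sys/bus/pci/devices/*/vendor; do
        if [ -r "$f" ]; then printf 'pci %s\n' "$(cat "$f")"; fi
    done
}

# Stand-alone use on the guest: sh vmleaks.sh --live
if [ "${1:-}" = "--live" ]; then
    hits=$(collect_live | classify_inventory)
    printf '%s\n' "$hits"
    printf 'verdict: %s\n' "$(printf '%s\n' "$hits" | verdict)"
    if [ -r /proc/cpuinfo ]; then
        printf 'cpuinfo hypervisor flag: %s\n' "$(has_hypervisor_flag < /proc/cpuinfo)"
    fi
fi
```

Run as `sh vmleaks.sh --live` inside the guest to print every matching artefact, a one-word verdict, and whether the CPUID hypervisor bit is visible. Each check is one the guest can perform locally without any tooling a real production VM would lack, which is the point of Mike's and Javier's advice: the MAC OUI and PCI vendor IDs can be changed in the VM configuration, but the CPUID flag cannot be hidden from inside the guest, so the list is better read as "what a real VMware or Xen guest looks like" than as a list of things to scrub.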