Honeypots: RE: Stealth VM

["Michael Owen" <mowen () costco com>]

> Stuart Gilchrist-Thomas dijo:
> > Hi,
> >
> > Does anyone have any pointers to evidence or advice on hiding or
> > reducing the detection of VM honey pots. I know of temporal issues
> > e.g. Timing metrics can give away a VM, and that you can manually
> > alter peripheral identities e.g. virtual network cards etc. 
> I've also
> > created a company to purchase ip and hosting space to ensure a form
> > of identity in depth. But I still lack experience in preventing
> > detection. Can you help? Are you my only hope? ;)
> Why hide the fact that the honeypot is running on VM? After all, many
> environments in production (@datacenters) are running over VM. Those
> intruders that think that VM == honeypot will change their 
> mindset soon.
>
> Regards
>
> Javier
As Javier says, I'd go the complete other direction. If you're running VMware, install the VMware Tools (as they would 
be on a normal guest). Don't rename the PCI devices, as you'd be unlikely to ever do that in a real production 
environment. Assume that there is no way to hide the fact that is in a VM, and make it look like a real VM. Many VMs 
tend to be specialized in what service they provide, so make sure that your Honey VMs are doing that. You wouldn't have 
a normal production machine serving up http, smtp and smb, so don't make your Honey VM do that. Make it look just like 
a real production VM. 

Mike