Honeypots: Re: Stealth VM

["Earl" <esammons () hush com>]

Had a conversation about this at lunch today where I informed 
someone that the joke about "Security by the obscurity of running 
in a VM" days are likely either already over or about to be over.

Anyone have any stats or even an educated guess about whether or 
not bad guys still care if they are in a virtualized env before 
they take a box?

Earl

On Thu, 06 Nov 2008 07:19:07 -0500 Javier Fernandez-Sanguino 
<jfernandez () germinus com> wrote:
> Stuart Gilchrist-Thomas dijo:
> > Hi,
> >
> > Does anyone have any pointers to evidence or advice on hiding or
> > reducing the detection of VM honey pots. I know of temporal 
> issues
> > e.g. Timing metrics can give away a VM, and that you can 
> manually
> > alter peripheral identities e.g. virtual network cards etc. I've 
> also
> > created a company to purchase ip and hosting space to ensure a 
> form
> > of identity in depth. But I still lack experience in preventing
> > detection. Can you help? Are you my only hope? ;)
> Why hide the fact that the honeypot is running on VM? After all, 
> many
> environments in production (@datacenters) are running over VM. 
> Those
> intruders that think that VM == honeypot will change their mindset 
> soon.
>
> Regards
>
> Javier