Honeypots: Re: Stealth VM

[Michael Bailey <mibailey () eecs umich edu>]

We discussed the extent of and several techniques for honeypot  
fingerprinting in our paper "Towards an Understanding of Anti- 
virtualization and Anti-debugging Behavior in Modern Malware"  (http://www.eecs.umich.edu/~mibailey/publications/dsn08_final.pdf 
). Techniques for avoiding this fingerprinting, however, are left as  
an exercise for  the reader ;)
-* michael

On Oct 6, 2008, at 3:20 AM, Stuart Gilchrist-Thomas wrote:

> Hi,
>
> Does anyone have any pointers to evidence or advice on hiding or  
> reducing the detection of VM honey pots. I know of temporal issues  
> e.g. Timing metrics can give away a VM, and that you can manually  
> alter peripheral identities e.g. virtual network cards etc.
> I've also created a company to purchase ip and hosting space to  
> ensure a form of identity in depth. But I still lack experience in  
> preventing detection. Can you help? Are you my only hope? ;)
> Many thanks.
>
> ---
> Sent whilst mobile.
>
> -original message-
> Subject: Re: Honeypot VMs
> From: pinowudi <pinowudi () gmail com>
> Date: 06/10/2008 00:13
>
> HPC
>
> http://www.honeyclient.org/trac
>
> Jason Lewis wrote:
> > Are there any honeypot VM resources?  I've seen the SPARSA one, but  
> > the
> > link is dead.
> >
> > jas