Honeypots mailing list archives
RE: (pacsec bonus) Re: VMWare Detection?
From: "M. Shirk" <shirkdog_linux () hotmail com>
Date: Fri, 19 Nov 2004 12:25:53 -0500
It would be upsetting if the next ScanOfTheMonth had a binary with this capability. No one could get the malware to execute because it would shut down after detecting the VMWare environment. :-)
Shirkdog
http://www.shirkdog.us

-----Original Message-----
From: Christopher.Croad () rl af mil [mailto:Christopher.Croad () rl af mil]
Sent: Friday, November 19, 2004 9:20 AM
To: honeypots () securityfocus com
Subject: RE: (pacsec bonus) Re: VMWare Detection?
Importance: Low

A little off the honeypot topic, but wouldn't the bigger problem with VMWare detection be to those of us doing Malware analysis? I almost exclusively use a laptop system with multiple VMWare Guests running to analyze a suspect piece of Malware. I have found some workarounds to VMWare detections (i.e. the code looks for VMWare tools, so delete it...it looks for MAC addresses, so change them), but I don't know how to address the detection given in this thread. Is my nice, compact, portable (not to mention powerhouse) analysis laptop/lab about to be replaced by desks full of actual computers to do analysis? Ugh!

Chris