Virtual Machine Detection in Malware

Analysis
Nov 26, 2006


Virtualization, as we know, offers itself to a number of use case scenarios and solutions. One such use case that isn’t talked about much is the examination of computer forensics. Honeypots are a common way for security professionals to conduct research on the common practices among computer hackers and attackers. By leveraging a honeypot, researchers and administrators can gain a better understanding of the patterns and behaviors of their attackers. Virtualization can help with creating this honeypot environment.

The problem with using server virtualization to create these honeypot environments is that there are numerous ways for an attacker to identify when a system is running within a virtualized environment. One quick giveaway is the hardware in the system: a virtual device can be a dead giveaway to an attacker. Another way to identify a virtual machine is by looking at its BIOS, which typically differs noticeably from the actual BIOS used on the host server. And of course, if the virtual machine has virtualization software or guest tools installed to help optimize performance, the system can easily be identified as a virtual machine.

Attackers are becoming more aware that people are using virtualization to try to thwart their efforts. As such, they are building a self-defensive check into their malware to detect whether the computer is a virtual machine. According to a recent post on the SANS Institute diary, 3 out of 12 malware specimens recently captured in their honeypot refused to run in VMware.

It continues by stating, “There are many ways for malicious code to detect that it’s running in VMware: looking at the presence of VMware-specific processes and hardware characteristics are some of the simpler ones. More reliable techniques rely on assembly-level code that behaves differently on a virtual machine than on a physical host. VMware-detecting features are sometimes built directly into the malicious program, and are sometimes added by a third-party packing utility.”

The diary offers several ways to deal with packed executables that check for the presence of VMware, such as patching the malicious code so that the offending routine never executes. Another option is to modify your VMware instance to make it more difficult for the malicious program to detect that it’s running in a virtual machine.

Interestingly, two readers came up with the idea of developing a mechanism for configuring non-virtualized systems to look like a virtual machine. A system masked in this way could potentially fool malicious software into thinking that the environment is a virtual honeypot, causing it to refuse to run and thus helping to immunize the system against certain infections.
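The following script is an added example, not code from the original post or from the SANS diary. It audits the three giveaways listed above (virtual hardware, a hypervisor BIOS, and installed guest tools) from a honeypot operator's side: feed it an inventory of device names, SMBIOS/DMI strings and process names, and it reports which categories leak. The VMware marker strings and the three sample inventories are constructed assumptions; the third inventory models the readers' decoy idea, a physical host that fakes only the guest-tools process names, to show which of the simple checks such a decoy would and would not satisfy.

```python
"""Audit the artifacts that give away a virtual machine to code running inside it.

Added example (not from the original post or the SANS diary). It checks the
three giveaways the post lists, virtual hardware, a hypervisor BIOS and
installed guest tools, against constructed inventory dictionaries so that it
runs offline. On a real honeypot you would fill the same dictionary from the
SMBIOS/DMI tables, the device list and the process list.
"""

# Well-known VMware marker strings, one list per giveaway. These are assumptions
# about what a typical guest exposes; extend them for other hypervisors.
MARKERS = {
    "hardware": ["vmware", "vmxnet", "pvscsi"],                     # device / adapter names
    "bios": ["vmware", "virtual platform"],                          # SMBIOS vendor / product strings
    "tools": ["vmtoolsd", "vmwaretray", "vmwareuser", "vmacthlp"],   # guest-tools processes
}


def audit(inventory):
    """Return {category: [matching inventory entries]} for each giveaway category.

    `inventory` maps the category names above to lists of strings collected from
    the system. Matching is case-insensitive substring matching, which is all
    the simpler checks the diary mentions amount to.
    """
    report = {}
    for category, markers in MARKERS.items():
        hits = []
        for entry in inventory.get(category, []):
            lowered = entry.lower()
            if any(marker in lowered for marker in markers):
                hits.append(entry)
        report[category] = hits
    return report


def is_obviously_virtual(report):
    """True when any category produced a hit, i.e. a simple check would flag the system."""
    return any(report.values())


def categories_exposed(report):
    """Names of the categories that leaked, so an operator knows what to mask."""
    return [category for category, hits in report.items() if hits]


# Constructed sample inventories (not real captures).
VMWARE_GUEST = {
    "hardware": ["VMware SVGA II", "vmxnet3 Ethernet Adapter",
                 "VMware Virtual disk SCSI Disk Device"],
    "bios": ["VMware, Inc.", "VMware Virtual Platform"],
    "tools": ["vmtoolsd.exe", "VMwareTray.exe", "explorer.exe"],
}

PHYSICAL_HOST = {
    "hardware": ["Intel(R) 82579LM Gigabit Network Connection", "NVIDIA GeForce 8800 GTS"],
    "bios": ["Dell Inc.", "OptiPlex 745"],
    "tools": ["explorer.exe", "svchost.exe"],
}

# A physical host dressed up to look virtual, as the two readers suggested:
# only the guest-tools process names have been faked, so hardware and BIOS
# checks still see a physical machine.
DECOY_HOST = {
    "hardware": PHYSICAL_HOST["hardware"],
    "bios": PHYSICAL_HOST["bios"],
    "tools": ["explorer.exe", "vmtoolsd.exe", "VMwareTray.exe"],
}

if __name__ == "__main__":
    for name, inventory in [("guest", VMWARE_GUEST), ("physical", PHYSICAL_HOST),
                            ("decoy", DECOY_HOST)]:
        report = audit(inventory)
        print(f"{name}: virtual={is_obviously_virtual(report)} "
              f"exposed={categories_exposed(report)}")
```

Running the audit against the decoy inventory shows the limit of the readers' approach: it satisfies a process-name check but leaves the hardware and BIOS categories empty, so malware that relies on the more reliable hardware-level techniques the diary mentions would still see a physical host. Conversely, on a real honeypot the report tells the operator exactly which categories to mask when hardening the VMware instance.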

Check out the article on the ISC SANS site, here.