Virtual Machine Detection in Malware

Virtualization, as we know, lends itself to a number of use cases and solutions. One such use case that isn't talked about much is computer forensics research. Honeypots are a common way for security professionals to study the practices of computer hackers and attackers. By leveraging a honeypot, researchers and administrators can gain a better understanding of the patterns and behaviors of their attackers, and virtualization can help with creating this honeypot environment.

The problem with using server virtualization to create these honeypot environments is that there are numerous ways for an attacker to identify when a system is running within a virtualized environment. One quick giveaway is the hardware in the system: a virtual device can be a dead giveaway to an attacker. Another way to identify a virtual machine is by looking at its BIOS, which is typically quite different from the actual BIOS used on the host server. And of course, if the virtual machine has some sort of virtualization software or guest tools installed to help optimize performance, the system can be easily identified as a virtual machine.

InfoWorld Virtualization Report | InfoWorld | Virtual Machine Detection in Malware | November 26, 2006 01:30 PM | By David Marshall
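The three giveaways above (virtual devices, the guest BIOS, and installed guest tools) are exactly what a honeypot operator should audit before exposing a VM. The script below is an added example written for this page, not code from the article or from InfoWorld: it checks a Linux guest's DMI/SMBIOS strings, its PCI vendor IDs, and its running process names against a small table of well-known virtualization markers. The marker tables, the sample inputs, and the `audit()` helper are assumptions constructed for the example; real fingerprinting is broader, so treat a clean result as "nothing obvious", not "undetectable".

```python
import os
import re
import subprocess
from pathlib import Path

# Marker tables constructed for this example. The strings are widely known
# vendor identifiers, but the list is illustrative, not exhaustive.
DMI_MARKERS = {
    "VMware": "VMware",
    "innotek GmbH": "VirtualBox",
    "VirtualBox": "VirtualBox",
    "QEMU": "QEMU/KVM",
    "Xen": "Xen",
    "Virtual Machine": "Hyper-V",   # Hyper-V reports product_name "Virtual Machine"
}

PCI_VENDOR_MARKERS = {            # PCI vendor IDs as printed by `lspci -n`
    "15ad": "VMware",
    "80ee": "VirtualBox",
    "1af4": "virtio (QEMU/KVM)",
    "5853": "Xen",
}

GUEST_TOOL_PROCESSES = {          # process names of common guest tools
    "vmtoolsd": "VMware Tools",
    "VBoxService": "VirtualBox Guest Additions",
    "qemu-ga": "QEMU guest agent",
}


def classify_dmi(fields):
    """fields: DMI field name -> string (sys_vendor, product_name, bios_vendor ...).
    Returns a sorted list of (field, hypervisor) hits; substring match, case-insensitive."""
    hits = set()
    for field, value in fields.items():
        for marker, hypervisor in DMI_MARKERS.items():
            if marker.lower() in value.lower():
                hits.add((field, hypervisor))
    return sorted(hits)


def classify_pci(lspci_n_lines):
    """lspci_n_lines: lines in `lspci -n` format, e.g. '00:0f.0 0300: 15ad:0405'.
    Returns a sorted list of (slot, hypervisor) for devices from a virtualization vendor."""
    pattern = re.compile(r"^(\S+)\s+\S+\s+([0-9a-f]{4}):([0-9a-f]{4})", re.IGNORECASE)
    hits = set()
    for line in lspci_n_lines:
        match = pattern.match(line.strip())
        if match and match.group(2).lower() in PCI_VENDOR_MARKERS:
            hits.add((match.group(1), PCI_VENDOR_MARKERS[match.group(2).lower()]))
    return sorted(hits)


def classify_processes(names):
    """names: iterable of process names (as in /proc/<pid>/comm). Returns sorted tool names."""
    return sorted({GUEST_TOOL_PROCESSES[n] for n in names if n in GUEST_TOOL_PROCESSES})


def audit(dmi_fields, lspci_lines, process_names):
    """Run all three checks; 'exposed' is True if any check found a marker."""
    findings = {
        "bios": classify_dmi(dmi_fields),
        "hardware": classify_pci(lspci_lines),
        "tools": classify_processes(process_names),
    }
    findings["exposed"] = any(findings[k] for k in ("bios", "hardware", "tools"))
    return findings


def read_live_linux():
    """Best-effort collection of the same three inputs from the running Linux guest."""
    dmi = {}
    base = Path("/sys/class/dmi/id")
    for name in ("sys_vendor", "product_name", "bios_vendor", "board_vendor"):
        try:
            dmi[name] = (base / name).read_text().strip()
        except OSError:
            pass                       # field absent or unreadable without root
    try:
        lspci = subprocess.run(["lspci", "-n"], capture_output=True,
                               text=True, check=False).stdout.splitlines()
    except OSError:
        lspci = []                     # lspci not installed
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            procs.append(Path(f"/proc/{pid}/comm").read_text().strip())
        except OSError:
            pass                       # process exited between listdir and read
    return dmi, lspci, procs


# Constructed sample input (not captured from a real system): a VMware guest.
SAMPLE_DMI = {"sys_vendor": "VMware, Inc.", "product_name": "VMware Virtual Platform",
              "bios_vendor": "Phoenix Technologies LTD"}
SAMPLE_LSPCI = ["00:0f.0 0300: 15ad:0405", "00:11.0 0604: 15ad:0790",
                "02:00.0 0200: 8086:100f"]
SAMPLE_PROCS = ["systemd", "sshd", "vmtoolsd"]

if __name__ == "__main__":
    print("sample guest:", audit(SAMPLE_DMI, SAMPLE_LSPCI, SAMPLE_PROCS))
    print("this host:   ", audit(*read_live_linux()))
```

Each check returns the specific field, PCI slot, or process that leaked the hypervisor, so the operator knows which artifact to change (for example, removing guest tools or replacing an emulated NIC with a passed-through one) rather than just getting a yes/no answer.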

Linked by shanmuga Monday, 27th November 2006 11:14PM