
Pooh bear time, yo

Name: Anonymous 2009-10-17 16:08

I can't find anything via google that mentions how honeypot whores typically get around the ability to detect virtualization (there are a few methods, but they are all pretty hacky... like changing vmware device strings and patches that no longer work to turn off the ability for guests to molest the hypervisor).  Long story short, it seems like a better idea to go with a physical box (especially since I am interested primarily in botnet clients, pulled off 4chan, etc.).  Sure, you can't have multiple anus haxxings going on in parallel if you are using hardware directly, but at least the malware won't magically die as soon as it starts.

How would you automate getting back to an uninfected disk image?  I am considering network boot, or a fake USB device (I am not sure if that's possible... have another box emulate a USB drive).  I'm sure something more inventive involving LISP can be concocted here.
