Avoid VMware VMs fingerprinting

A very widely used practise among IT Security professionals is to work with virtual machines for different purposes: one of this is so called forensic analysis. Forensic analysis often gain advantages by relatively new security tools called honeypots.

Honeypots deployment and use suffers of few basilar problems:

1) to attract network attackers simulating an interesting traffic
2) to deploy many victim-designed machines with different operating systems (physical space, money availability, audit and managment)
3) to analyze compromised victim-designed machines (this is forensic analysis) to discover new attack tools and methods

Virtual machines technologies mitigate these problems very well so it’s not so rare to see large VMs deployments (eventually in so Honeynets) for forensics purposes.

But virtual softwares adoption brings new and different problems.
First of all VMs fingerprinting: an attacker arriving at a virtual machine (in the network segment where is deployed or in the VM itself), before compromising, can eventually discover it and leave without action. For this reason virtualization community is trying to modify in some ways virtualization softwares and disguise VMs.

A last hour solution is posted by Kostya Kortchinsky, a French Honeynet Project member, on security mailing list Honeypots hosted by SecurityFocus.com.
Kostya posted a C patch (in attachment to his original post) working with VMware Workstation 4.0.5 for Linux which has many interesting modifications:

– names of the IDE devices (HD & CDROM)
– names of the SCSI devices (HD & CDROM)
– PCI vendor and device ID of the video adapter
– I/O backdoor

Absolutely interesting, but just remember: patching VMware products totally invalidate company support. So if something doesn’t work anymore don’t call VMware guys 🙂