Detecting Honeypots and other Suspicious Environments
Thursday, April 13. 2006
When running a honeypot, the operator should also know the constraints given by currenty honeypot-based techniques. Back in 2004, we showed as part of the NoSEBrEaK project how an attacker can detect, disable and circumvent Sebek, the primary Data Capture tool used by honeynet researchers to capture the attacker's activities on a honeypot. Since then, Sebek has been improved and most of the attacks do not work anymore.
Last year, Frederic Raynal and I published a paper about detection of honeypots and other suspicious environments, e.g., whether a program runs under a debugger. We give examples how to detect the presence of UML, VMWare, Softice, and OllyDbg. For example, Agobot uses the following piece of code to detect software breakpoints:
Last year, Frederic Raynal and I published a paper about detection of honeypots and other suspicious environments, e.g., whether a program runs under a debugger. We give examples how to detect the presence of UML, VMWare, Softice, and OllyDbg. For example, Agobot uses the following piece of code to detect software breakpoints:
mov esi, address ; load function address
mov al, [esi] ; load the opcode
cmp al, 0xCC ; check if the opcode is 0xCC
je BPXed ; yes, there is a breakpoint
; jump to return true
xor eax, eax ; false,
jmp NOBPX ; no breakpoint
BPXed:
mov eax, 1 ; breakpoint found
NOBPX:
Continue reading "Detecting Honeypots and other Suspicious Environments"
".
