Avoid VMware VMs fingerprinting

A very common practice among IT security professionals is to work with virtual machines for different purposes; one of these is so-called forensic analysis. Forensic analysis often benefits from relatively new security tools called honeypots.

Honeypot deployment and use suffer from a few basic problems:

1) attracting network attackers by simulating interesting traffic
2) deploying many victim-designed machines with different operating systems (physical space, money availability, audit and management)
3) analyzing compromised victim-designed machines (this is forensic analysis) to discover new attack tools and methods

Virtual machine technologies mitigate these problems very well, so it’s not rare to see large VM deployments (possibly in so-called Honeynets) for forensic purposes.

But the adoption of virtualization software brings new and different problems.
First of all, VM fingerprinting: an attacker who reaches a virtual machine (in the network segment where it is deployed or in the VM itself) can, before compromising it, discover that it is virtual and leave without taking action. For this reason the virtualization community is trying to modify virtualization software in various ways to disguise VMs.

A very recent solution was posted by Kostya Kortchinsky, a French Honeynet Project member, on the Honeypots security mailing list hosted by SecurityFocus.com.
Kostya posted a C patch (attached to his original post) for VMware Workstation 4.0.5 for Linux which modifies several interesting things:

– names of the IDE devices (HD & CDROM)
– names of the SCSI devices (HD & CDROM)
– PCI vendor and device ID of the video adapter
– I/O backdoor

Absolutely interesting, but just remember: patching VMware products totally invalidates company support. So if something doesn’t work anymore, don’t call the VMware guys 🙂
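A honeypot operator can confirm a disguise from inside a Linux guest by checking whether the device identifiers listed above still name VMware. The following Python check is an added example, not Kostya's patch or VMware code; the sample outputs are constructed, the 15ad vendor ID and the "VMware" strings in default device names are assumptions not stated in the post, and the I/O backdoor is not covered.

```python
import re

# PCI-SIG vendor ID registered to VMware; a known value, not taken from the post.
VMWARE_PCI_VENDOR = "15ad"
# `lspci -n` line: slot, class, vendor:device (older pciutils prints "Class 0300:").
PCI_LINE = re.compile(
    r"^(\S+)\s+(?:Class\s+)?([0-9a-f]{4}):\s+([0-9a-f]{4}):([0-9a-f]{4})", re.I)
# Vendor/Model line of /proc/scsi/scsi.
SCSI_LINE = re.compile(r"Vendor:\s*(.*?)\s+Model:\s*(.*?)\s+Rev:")

def audit_pci_video(lspci_n):
    """Flag display-class (03xx) PCI devices that still carry VMware's vendor ID."""
    hits = []
    for line in lspci_n.splitlines():
        m = PCI_LINE.match(line.strip())
        if m:
            slot, cls, vendor, device = (g.lower() for g in m.groups())
            if cls.startswith("03") and vendor == VMWARE_PCI_VENDOR:
                hits.append(("pci-video", f"{slot} {vendor}:{device}"))
    return hits

def audit_ide(models):
    """models maps a device name to the content of /proc/ide/<dev>/model."""
    return [("ide", f"{dev}: {name.strip()}")
            for dev, name in sorted(models.items()) if "vmware" in name.lower()]

def audit_scsi(proc_scsi):
    """Flag SCSI devices whose vendor or model string still names VMware."""
    return [("scsi", f"{v} {m}") for v, m in SCSI_LINE.findall(proc_scsi)
            if "vmware" in f"{v} {m}".lower()]

def audit(lspci_n, ide_models, proc_scsi):
    return audit_pci_video(lspci_n) + audit_ide(ide_models) + audit_scsi(proc_scsi)

# Constructed sample data: a stock guest and a guest after a disguise patch.
STOCK = ("00:00.0 0600: 8086:7190\n00:0f.0 0300: 15ad:0405\n00:11.0 0200: 1022:2000\n",
         {"hda": "VMware Virtual IDE Hard Drive\n", "hdc": "VMware Virtual IDE CDROM Drive\n"},
         "Host: scsi0 Channel: 00 Id: 00 Lun: 00\n"
         "  Vendor: VMware,  Model: VMware Virtual S Rev: 1.0\n")
PATCHED = ("00:00.0 0600: 8086:7190\n00:0f.0 0300: 10de:0110\n00:11.0 0200: 1022:2000\n",
           {"hda": "ST340014A\n", "hdc": "SAMSUNG CD-ROM SC-148F\n"},
           "Host: scsi0 Channel: 00 Id: 00 Lun: 00\n"
           "  Vendor: SEAGATE  Model: ST336607LW       Rev: 0007\n")

if __name__ == "__main__":
    for label, sample in (("stock", STOCK), ("patched", PATCHED)):
        print(label, audit(*sample) or "no VMware identifiers found")
```

On a real guest, feed the functions the output of `lspci -n` and the contents of `/proc/ide/*/model` and `/proc/scsi/scsi` in place of the constructed samples.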

Next VMware Workstation release will support PXE!

One of the most wanted features the VMware community asks for (the whole virtualization community, indeed…) is PXE compliance for virtual network cards.
Petr Vandrovec, a skilled and very active newsgroup supporter, revealed in a reply on the vmware.guest.misc newsgroup that VMware Workstation 4.1 (currently in beta) will fully support PXE for the AMD PCnet and proprietary VMXnet virtual NICs.

This greatly enhances VMware's possibilities!

m0n0wall improves traffic shaping

m0n0wall (a FreeBSD-based live CD distribution for firewalling and routing) is today the simplest and cheapest way to have one or more routers in a virtual infrastructure: just download the ISO, prepare a blank (and formatted) virtual floppy for storing the configuration, configure it with the neat PHP webGUI, and go.

One of the most powerful and wanted features m0n0wall provides is traffic shaping: with the new pb24 release you can handle multiple traffic shaping rules (top-down architecture), pipes and queues.
To better understand the power of queue rules, take a look at the related FAQ.

I tried many Linux distros but nothing is comparable with m0n0wall (I'm just waiting for RIP/OSPF support someday…). Thanks Manuel!

VERITAS to Acquire Application Virtualization Firm

As ASPnews reports:

VERITAS Software on Wednesday moved to acquire application virtualization concern Ejasent for $59 million in cash to bolster its utility computing strategy to better compete with IBM, HP and EMC.

Application virtualization software, such as Ejasent’s core UpScale product, allows IT employees to move an application from one server to another without disrupting or terminating the application. UpScale takes a snapshot of an application, preserves its settings and data and transfers it to a different server in near real time.

Another player is coming? Will the virtualization game become crowded soon?

Thanks to Stephane Broquere (Dunes) for reporting this interesting news to me.

Dunes launches S-Ops 2.0

Dunes Technologies, the first company to launch management products for virtualization software as far as I remember (please correct me if that's not so), launched S-Ops 2.0.
Here are some interesting new features S-Ops offers:

• Virtual Machines fail-over with shared storage (NAS or SAN): automatically runs a clone of a virtual machine on another computer in case of virtual machine error detection. Both virtual machines share a single disk file.

• Virtual Machines fail-over without shared storage: automatically runs a copy of a virtual machine on another computer in case of virtual machine error detection. Each virtual machine runs from separate copies of a disk file.

• Backup automation: puts virtual machines in a mode in which they can be backed up (suspend or create redo log), creates a snapshot (if available) and drives the backup software at planned intervals.

• Workload management: automatically reallocates virtual machines on multiple servers according to workload.

• Alarm notification: Threshold values and e-mail/pager notifications can be set and users will be automatically notified.

Release 2.0.1 is available immediately for Windows and Linux hosts and supports VMware ESX Server 2 and Workstation 4, Microsoft Virtual Server (beta version) and Virtual PC (beta version). Try it here.

Monitor VMware ESX Server 2.0.1 with NetIQ AppManager

James E. Price III, a very active VMware newsgroups user, reported an interesting how-to for monitoring ESX Server with the NetIQ AppManager Suite:

(Assuming HP/Compaq hardware)

1. Install the HP Management Agents for Linux (reboot required, see 2.0.1 installation notes)

2. Install binutils- using the -Uhv options

3. Create a redhat-release file in /etc containing “Red Hat Linux release 7.2 (Enigma)”

4. Create a custom netiq_silent_install.cfg file with your configuration information and store in /tmp

5. Install NetIQ_UA-2.0-327.i386.rpm using the -Uhv options

Attention! This configuration isn’t supported or suggested in any way by VMware. James just tried it and it works.

A third player hits the virtualization scene!

After EMC (which has just acquired VMware) and Microsoft (which acquired Connectix), a new player is trying to take its place: I’m talking about the German NetSys GmbH, which sells a new product developed by the Russian Parallels Ltd called twoOStwo (with an official site under construction and an unofficial one).
Currently supported guest operating systems are OS/2 v3, OS/2 v4, OS/2 v4.5, DOS, Windows 3.11, Windows 95, Windows NT/2000/XP, Linux (kernels 2.2 and 2.4) and FreeBSD, while the host can be a Windows OS, Linux (still in beta), FreeBSD (not released at all… I’d love to see a virtualization product for FreeBSD…) and Citrix Metaframe (???).

Today the page about the virtualization technology used by twoOStwo is under development, but the unofficial site offers other interesting features like a presentation of competitors and a comparison test between twoOStwo, VMware Workstation and two Virtual PC editions (one from Connectix and one from Microsoft). It’s a pity the comparison is conducted using OS/2 Warp 4 as the guest instead of Microsoft Windows.

The virtualized hardware offered by twoOStwo seems absolutely standard (VESA 3.0 video card, NE2000/NE2000+ network card) and this is really good for OS and application compatibility. I’ll study this product in more depth in the next few days, so stay tuned for news about it.