OnHacks
Who is intruding my system ?" In the previous article, I told you how to use Nmap to easily detect a honeypot. How to do it is interesting, but what is more interesting is that we should learn the principles behind it to truly grow. So,
Why can I detect a honeypot?
First, ask yourself:
How can we distinguish people from computers?
CAPTCHA answers the following question: Let the target recognize some text. If you can recognize it, it's probably a person, or it's a computer. The concept is that the computer cannot effectively recognize the text in the graph.
A little, we want our goal to do something that humans can do easily, but computers cannot. If this point is used, it will be a human race, otherwise it will not.
CAPTCHA can be used to distinguish between computers and humans. So how can we identify real services and simulation services?
Similarly, at the technical level, the simulated service and the real service are different. The difference is the key to distinguish the two. With this, we can identify the two.
Here is an example. Some people like to ask:
How can I analyze a piece of malicious code that is not running on a virtual machine? I cannot use VMware. Should I use a physical machine?
Wait! But it will run in VirtualBox! Eh?
Find an SdBot. Most of them have the ability to detect virtual machines so that they do not run in virtual machines. Try it in VMware. It's VMware. Then, use VirtualBox to try again. However, I have tested it. If you believe in my results, you can save time to read it.
So they asked the wrong question! Question:
Why does SdBot distinguish virtual machines from physical machines?
It can be achieved because, at the technical level, virtual machines and physical machines are different. This is exactly the same as real services and virtual services. When I talk about the technical differences, that is, the implementation methods are different.
To be accurate, SdBot can run in VirtualBox but not in VMware, which means SdBot can detect VMware, but not all virtual machines.
Let's see:
In the same action, VMware may use registers (register) but not physical machines.
VMware has a dhcpd to assign IP addresses to virtual machines, which are mostly unavailable to physical machines.
Some processor commands are not supported by VMware.
The same principle as previously described.
Therefore, the so-called malicious code that does not run on a virtual machine is not running on a certain virtual machine. Other virtual machines (VirtualBox, Xen, etc) that cannot be detected will run. Of course, the detection method may be able to detect multiple virtual machines at a time.
In summary, if you want to run SdBot on a virtual machine, you don't need to use a physical machine. You just need to find an environment that is not checked out or disable its detection method. This is the truth in the hacker, and how to detect other honeypot concepts. Try to find a honeypot!
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
