I’ve been getting many duplicate questions about FakeNet, so I’ve decided to post this FAQ to address them.
I’m excited for my annual 10-day trip to Las Vegas for these big security conferences. Andy and I have a lot of cool events, including the chance for you to WIN A FREE VIP DINNER, so read on:
1. Mandiant is sponsoring a FREE book signing on Wed & Thurs July 25 & 26 from 1-2PM at Black Hat, this will take place in the Trevi Room, Caesars Palace (adjacent to the exhibit hall, Octavius Ballroom). First come, First served, so get there early because they’ll go fast and we’re limited.
2. WIN A FREE VIP DINNER at Bobby Flay’s Mesa Grill with Andy and I on Wednesday night by being on of the first 5 people in line at the book signing on Wednesday July 25. Get there early, because this is going to be a fun time at a great restaurant. (Note: if you aren’t one of the first 5 you’ll still get a free book until they run out).
3. Andy is releasing FakeNet 1.0 at the Black Hat Tool Arsenal from 11:45am-12:45pm on Wed and Thurs July 25 & 26. Stop by and check out the tool.
4. No Starch Press is holding a Defcon book signing for us on Friday July 27 at 4pm at the Rio. This will be at the No Starch Press booth, so bring your book or buy a discounted one at the NSP booth at the signing.
5. Mandiant is holding their always fun party at the Shadow Bar starting at 7pm on Tuesday 7/24 at the Shadow Bar in Caesar’s Palace. Make sure you register to attend . I’ll be hanging out at this party, so join me for a free drink.
6. I’ll be teaching a sold out 4-day Malware Analysis class at Black Hat on Saturday through Tuesday (7/21-7/24)
We look forward to seeing you in Vegas!
Good news, Buster Sandbox Analyzer (BSA) has just added support for FakeNet. For those of you not familiar, BSA is a tool that can be used to automatically analyze the behavior of processes and the changes made to system and then evaluate if they are malicious. This fully automates all of the basic dynamic analysis you typically perform. Full details and a download of BSA can be found here. BSA works with Sandboxie. Sandboxie is a program that runs programs in an isolated environment to prevent them from making permanent changes to your system. Sandboxie was designed to allow secure web browsing, but its sandbox aspect makes it useful for malware analysis. For example, you can use it to capture filesystem and registry accesses of the program you are sandboxing. Buster Sandbox Analyzer (BSA) interfaces with Sandboxie to provide automated analysis and reporting.
The other day I was looking at some malware that was interesting because it employed a strategy that allowed it to avoid a hard-coded IP address for the callback domain without being susceptible to DNS filtering. The program would first attempt to resolve the malicious domain name using the host’s built in DNS resolution, but if that failed the host would then open a UDP connection on port 53 to a public DNS server and resolve the host directly. Read on for more details.
We’re releasing an update to the FakeNet tool to version 0.91 which can be downloaded here. The following improvements have been made:
- The dummy listener that listens on all ports now automatically detects SSL and if the connection is SSL it will decrypt the content and display it to the user. This is very useful for when malware uses SSL to encrypt traffic to an unusual port.
- Python is loaded dynamically so that if Python fails to load because the user does not have the Visual Studio redistributables the program will continue to execute without Python support.
- The NXDomain feature has been added to the DNS server to return a domain not found message for the first n times that a domain is requested. This is very useful is determining if a malware sample calls out to more than one domain if the first domain is blocked.
- An option to output the text that is sent to the console to a text file as well. Several users have asked for this feature.
- Improvement in the generated .pcap file. Some other programs were having trouble parsing the pcap data because the source and destination address were the same. To resolve this one end of the connection is recorded as 127.0.0.1 and the other end is recorded as 127.0.0.2. Additional TCP handshakes have been added to the packet recpature.
As usual we welcome feedback that could be used to improve the quality of this tool.
I will be signing books at SOURCE Boston. Mandiant has kindly agreed to sponsor the event. The first 20 people to stop by the Mandiant table on Tuesday, April 17th from 4:00 to 4:30pm will receive a FREE copy of Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. If you don’t make it on Tuesday, don’t worry! I’ll do it all over again on Wednesday, April 18th from 5:30 to 6:30pm.
Already own a copy? Stop by and say hello. I would love to hear your feedback and I would be glad to answer any questions you may have.
This was a fun and fast (<150 pages) read. It was a good book for me to read on vacation because you can read it a chapter at a time. Each chapter is an independent story taking you through the journey of finding a single software vulnerability. The author, Tobias Klein, is someone whom I was already familiar with by his website and we even reference his tool ScoopyNG in Chapter 17 of PMA.
For someone new to and interested in finding vulns, reading this will help you identify your gaps really quickly and also tell you if you are going to enjoy this type of work. If you aren’t very excited by the content, then trust me, you don’t want to be an exploit developer. You really need a background in programming and vulnerabilities to comprehend everything in this book. The appendix doesn’t cover enough for a beginner. Having a couple pages on defining a buffer overflow or type conversion error is enough to refresh someone who has done this before, but not enough to teach someone new to the material. The good thing is that if you want to be good at malware analysis you need the same solid C background that you will need to read this book. Long story short – learn C if you want to reverse or bug hunt!