FakeNet

FakeNet – Download

FakeNet is a tool that aids in the dynamic analysis of malicious software.  The tool simulates a network so that malware interacting with a remote host continues to run, allowing the analyst to observe the malware’s network activity from within a safe environment.  The goals of the project are to:

  1. Be easy to install and use; the tool runs on Windows and requires no third-party libraries
  2. Support the most common protocols used by malware
  3. Perform all activity on the local machine to avoid the need for a second virtual machine
  4. Provide Python extensions for adding new or custom protocols
  5. Keep the malware running so that you can observe as much of its functionality as possible
  6. Have a flexible configuration, but no required configuration

The tool is in its infancy of development.  We started working on the tool in January 2012 and we intend to maintain the tool and add new and useful features.  If you find a bug or have a cool feature you think would improve the tool please contact us.

Features

  • Supports DNS, HTTP, and SSL
  • HTTP server always serves a file and tries to serve a meaningful one; if the malware requests a .jpg, then a properly formatted .jpg is served, etc.  The files being served are user configurable.
  • Ability to redirect all traffic to the localhost, including traffic destined for a hard-coded IP address.
  • Python extensions, including a sample extension that implements SMTP and SMTP over SSL.
  • Built in ability to create a capture file (.pcap) for packets on localhost.
  • Dummy listener that will listen for traffic on any port, auto-detect and decrypt SSL traffic and display the content to the console.

Demo Video

Click here to watch a demo of version 0.9 of the tool in action.

How it works

FakeNet uses a variety of Windows and third-party libraries.  It uses a custom HTTP server and a custom DNS server to respond to HTTP and DNS requests.  It uses OpenSSL to wrap any connection with SSL.  It uses a Winsock Layered Service Provider (LSP) to redirect traffic to the localhost and to listen for traffic on new ports.  It uses Python 2.7 for the Python extensions.  Finally, it creates the .pcap file by reconstructing packet headers around the data observed in send/recv calls, since no packet ever reaches the wire.
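The last point, reconstructing a capture from send/recv buffers, is the part most worth seeing in code. The example below is an added illustration and is not FakeNet’s own implementation: it wraps each observed application buffer in constructed Ethernet, IPv4 and TCP headers (the addresses, ports and initial sequence numbers are assumptions) and writes a standard pcap file that Wireshark can open; the TCP checksum is left at zero, which dissectors tolerate.

```python
import struct

# Constructed addresses for the synthesized headers (assumptions, not real hosts).
SRC_IP, DST_IP = "10.0.0.2", "10.0.0.1"
SRC_MAC = bytes.fromhex("020000000002")
DST_MAC = bytes.fromhex("020000000001")

def ip_checksum(header):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(payload, src_ip, dst_ip, sport, dport, seq):
    """Wrap one application buffer in Ethernet/IPv4/TCP headers.
    No packet was ever on the wire: only the bytes passed to send()/recv() were seen."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    # TCP: data offset 5 words, flags PSH|ACK, window 65535; checksum left 0 (dissectors still decode)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0)
    return DST_MAC + SRC_MAC + b"\x08\x00" + ip_hdr + tcp_hdr + payload

def pcap_bytes(records, start_ts=1_600_000_000.0):
    """records: [(direction, payload)] in the order the API calls were observed;
    'send' is malware -> fake server, 'recv' is fake server -> malware."""
    # pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, LINKTYPE_ETHERNET
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    seq = {"send": 1000, "recv": 5000}    # constructed initial sequence numbers
    for i, (direction, payload) in enumerate(records):
        if direction == "send":
            frame = build_frame(payload, SRC_IP, DST_IP, 49152, 80, seq["send"])
        else:
            frame = build_frame(payload, DST_IP, SRC_IP, 80, 49152, seq["recv"])
        seq[direction] += len(payload)
        ts = start_ts + i * 0.001
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1_000_000), len(frame), len(frame))
        out += frame
    return bytes(out)

if __name__ == "__main__":
    # Constructed sample of what a send()/recv() hook might have captured.
    sample = [("send", b"GET /cfg.bin HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
              ("recv", b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")]
    with open("fakenet_reconstructed.pcap", "wb") as f:
        f.write(pcap_bytes(sample))
```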

Credits

  • Software design and development: Andrew Honig
  • Feature design and project management: Mike Sikorski
  • Code review and testing: John Laliberte and Niles Akens

License

The product is free to download and use subject to the End User License Agreement (EULA).

32 thoughts on “FakeNet”

  1. I like the tool, and the fact that it is light. I appreciate it is very early days for the application. I absolutely love the book. I have noticed two issues that prevent me from successfully using Fakenet for Practical Malware Analysis.
    1. The program will attempt to serve large files if it receives a GET request. Packets over 64k are invalid under HTTP protocol, but Fakenet attempts to send the whole file in one packet it seems.
    2. My malware wants to POST a file, but Fakenet won’t accept and save it to disk. With some effort I can probably piece all the packets from the pcap together and rebuild it – but I wish Fakenet would do that.
    Paul

    • Thanks for the comment. We appreciate your feedback.

      Both issues will be addressed in version 1.0 which we’re planning to release by the end of July. I’ll change the HTTP responses to send smaller chunks of data at a time, and I’ll add an option to the HTTPListener to save all POST requests to a separate file. The HTTP post issue has been on my todo list for a while now, but we weren’t sure what to do with the data. Right now I’m planning on a configurable option that when set saves each HTTP post request as its own file. The file will be named with a prefix of some sort and then a timestamp and no extension. If you have another suggestion on how you’d like to see it operate, I’m all ears.

      • Perhaps dump the data into a list view and allow the user to save what portion it wants, dump the rest.. using temporary storage and compression mechanisms to save memory (and disk space)

  2. Wow amazing stuff guys. I’m in chapter 5 now of the book and absolutely loving it. I’ve only had the book for a few weeks but it looks about 5 years old. I’m a malware removal specialist and this just brings my understanding of how it all works to another level. Keep up the great work!!!
    David aka IndiGenus

  3. Pingback: Basic Dynamic Analysis Patterns | Doty Labs

  4. Pingback: Fakenet - Delphi-PRAXiS

  5. Pingback: Anonymous

  6. Need a tool to make all settings like they were before I started and the app crashed.
    fakenet -r didn’t work.
    scn /scannow found and replaced DLLs.
    Is there a way for a complete reset?

    • Fakenet doesn’t modify any DLLs on the system, so I’m not sure what to make of your comment about scn /scannow. Fakenet -r should remove all the setting changes that were made by the tool. It’s designed to be run in a VM, so you could certainly revert to a snapshot if you wanted a “complete reset.” If there’s a bug, then are you willing to provide additional debugging information to help me identify and fix the bug?

  7. Just saw the demo. Awesome tool. The Cmd.exe console displays a lot of information. How do I launch fakenet so that console output is also recorded to file? On Linux I’d normally do fakenet.exe | tee filename.txt.

    • Fakenet can dump its output to a file based on a configurable feature. In the config file there’s a line that says
      OutputOptions DumpOutput:No Fileprefix:output

      Change the No to a Yes, and change the Fileprefix to the name of the output file. The filename you specified will be appended with the date/time of the start of the capture.

  8. Would it be possible in the next version to have something like an -o switch to specify a directory where we would like to save the captures and dumps? If not a switch, then maybe an option in the config file? Just a suggestion. Great job on the book and tool!

  9. Pingback: Digital Forensics Case Leads: Plugins galore, Adobe and phpMyAdmin hacked, Sophos AV eats its own head.

  10. I think that a nice feature to have is the PID that initiated the network activity; if you have that ability then the tool can be used for analyzing network issues too, not just for malware analysis.

    Thanks.

    • Thanks for the comment. That’s a good suggestion and I definitely plan on doing something like that. I’ve been a little busy lately so I haven’t had a lot of time to work on fakenet. It’s actually not a trivial fix because you don’t get the PID of the other process just from listening for traffic, so I’d need to pass around some data between processes and deal with some synchronization issues.

  11. I am starting school at Western Governors University in November, and found your book in their library, under Computer Security (my major is IT with Security emphasis.) However, based on most of the course materials and certifications in their program, malware analysis doesn’t look to be like a huge topic, although they do look like they’ll touch on the necessary malware removal, etc.

    Anyway, I’m only in the first chapter of the book right now, but definitely plan to continue reading it. Malware analysis is something that I have actually been interested in for a long time. All aspects of security and the “hacker” culture interest me, but Malware has always been one that I’ve been interested in, and I’ve never really had anything that could aid and instruct me in analysis. I’ve been good at AVOIDING malware, and good at REMOVING malware (without the help of antimalware tools in fact), and I have managed to do some BASIC analysis with network monitoring software, and running programs through vms on linux, etc. This book just looks like a great way to build knowledge on something I’m legitimately interested in! For that I thank you.

    Question/comment though: Why is the malware written for the labs only sure to work on winxp? If this book was published in February of 2012, wouldn’t it have made sense to prepare it for Windows 7 or at least vista? At any rate, will you prepare labs, or release the next volume geared toward newer versions of windows? Don’t get me wrong, your book is useful as is – I have an old copy of XP that I plan to install on a VM to run through the labs. I just thought it may be prudent to educate people on malware analysis using labs that will work in systems that are more predominant now.

    Great job though guys, very impressive! Thanks!

    • Thanks for the comment and I’m glad you’re enjoying the book. We chose XP for a few reasons: first of all, a lot of malware still focuses on XP and a lot of corporations and governments still use XP, so that’s what Mike and I see a lot. Also the book took a long time to write and review. When we started the book (about 2 years before it was published) XP was still a lot more popular.

  12. Is there a way to have fakenet give the malware the files its asking for? For example I have malware requesting cfg.bin file. I can go to the source and download the file but I want to be able to give that file to the malware to see what it will do with it. Any ideas on this?

  13. I am a computer security consultant and I recently ran across the FakeNet tool. It’s great software and I want to thank everyone involved for writing it and releasing it to us “good guys” so we have a fighting chance. One question though… I am currently working with a piece of malware that is “VM Aware” (think Blue Pill) and I need to run it on its own computer. Any ideas how I can use FakeNet on another computer in the sandboxed lab network? In particular, I need DNS to work because the malware requires a 404 error from Google before it proceeds. Any help or comments are very welcome.

    • You can run FakeNet on a computer that isn’t running VMware and still run it on the same system as the malware. You can also run FakeNet on a separate system as well fairly easily. Just change the DNS settings on the victim system to point to the Fakenet system and change the DNS settings in FakeNet.cfg to point to the FakeNet system.

      Also, by default FakeNet doesn’t serve 404 pages ever. You can serve the 404 error page by setting as the default HTML page for Fakenet, but if you want to actually send a 404 error you’ll need to use the python extension to write a short python script.

  14. Pingback: Fakenet | freie-welt.com

  15. Pingback: Encontrando información útil de una botnet | SECURITY-EC

  16. Pingback: Encontrando información útil de una botnet » Todociber 5.0

  17. I’ve used this tool in anger way back in 2012. I’m not a malware expert, but I work in info security and we’re treated somewhat like monkeys in my organisation “you know how computer works, GO FIX!” so was thrown an infected laptop to play with for a bit.

    Just posting to say this tool was key in identifying the malware infection I was dealing with, quickly gave me URLs to scan for in volatility, allowed me to safely allow the malware to “pretend” to be on the internet.

    The URLs/UserAgents harvested provided my NOC with some search terms to identify other infected hosts on the network.

    Add in more strings found within the processes referencing those URLs and I was able to identify the infection.

    Top bit of kit, blows Mandiant’s ApateDNS out of the water for the usefulness of it. Nice job, well done!

  18. Hey guys,

    First of all, FakeNet really rocks! I’ve deeply tested your tool and have written a nice post on my mediawiki here: http://www.aldeid.com/wiki/FakeNet. It would be really great if you guys would mention it somewhere :).

    Also I’d like to mention 2 minor things:
    - I’ve downloaded the latest version (Fakenet1.0c) but once uncompressed, it creates a directory with the old Fakenet1.0b reference.
    - The help mentions that the listeners should be in the following order: HTTPListener, DNSListener, RawListener, ICMPListener, PythonListener. I think DNSListener should rather come first, followed by HTTPListener. Am I correct?

    Really great job!

  19. Pingback: ESET Challenge Part 2 | Eric Hokanson

  20. Pingback: ESET CrackMe 2013 Challenge Solved! | Eric Hokanson
