New Tool: FakeNet – Coming Soon!

In Chapter 3 of our book, we discuss strategies for using dynamic analysis tools and techniques.  The best way to get started is to set up tools that fake the network.  That usually means changing the analysis machine's DNS server setting, running a local DNS server such as ApateDNS or FakeDNS that answers every lookup with an address you control, and setting up a second virtual machine running INetSim to simulate the network services the malware then connects to.  I've been working on a new tool called FakeNet that combines all of those steps into a single tool, with additional features to handle hard-coded IP addresses, new protocols, SSL support, and more.  We'll be releasing the tool on 2/29 during a Mandiant webinar where we'll be talking about our book and the tool.
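To make the "fake DNS" step concrete, here is a minimal responder in the style of ApateDNS/FakeDNS: it answers every A/IN query with one address you choose (127.0.0.1 by default, so the malware then talks to listeners on the analysis host). This is an added example written for this page, not FakeNet, ApateDNS or FakeDNS code; it uses only the Python standard library, and the host name and port 53 binding in it are assumptions for illustration. Point the analysis VM's DNS setting at the machine running it.

```python
"""Minimal fake DNS responder: answer every A query with one IP.

Added example for this page; not FakeNet/ApateDNS/FakeDNS code.
Stdlib only, so it runs offline. Binding UDP/53 needs admin rights.
"""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode "evil.example" as DNS labels: \\x04evil\\x07example\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed label sequence at offset.

    Compression pointers never appear in a query's question section,
    so they are rejected rather than followed.  Returns (name, end).
    """
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(txid, name, qtype=QTYPE_A):
    """Build a standard recursive query, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_fake_response(query, fake_ip, ttl=60):
    """Answer the first question in `query`.

    A/IN questions get one answer record pointing at fake_ip.  Anything
    else gets an empty answer section (NOERROR) so the resolver does
    not sit in a timeout.  Returns (name, qtype, response_bytes).
    """
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount < 1:
        raise ValueError("query without a question section")
    name, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    answered = qtype == QTYPE_A and qclass == QCLASS_IN
    # QR=1, AA=1, RA=1, RCODE=0; RD copied from the query.
    rflags = 0x8480 | (flags & 0x0100)
    header = struct.pack("!HHHHHH", txid, rflags, 1, int(answered), 0, 0)
    resp = header + question
    if answered:
        # 0xC00C is a compression pointer to the name at offset 12.
        resp += struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
        resp += socket.inet_aton(fake_ip)
    return name, qtype, resp


def first_a_record(resp):
    """Return the IP in the first answer of our own response, or None."""
    ancount = struct.unpack("!H", resp[6:8])[0]
    if ancount == 0:
        return None
    _, off = decode_name(resp, 12)
    off += 4                    # skip QTYPE/QCLASS
    rdata = resp[off + 12:off + 16]  # after name ptr, type, class, ttl, rdlen
    return socket.inet_ntoa(rdata)


def serve(bind="0.0.0.0", port=53, fake_ip="127.0.0.1"):
    """Serve forever, logging every name the sample asks for."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            name, qtype, resp = build_fake_response(data, fake_ip)
        except (ValueError, IndexError, struct.error):
            continue            # malformed packet; drop it
        print("%s asked for %s (type %d) -> %s" % (peer[0], name, qtype, fake_ip))
        sock.sendto(resp, peer)


if __name__ == "__main__":
    serve()
```

The log line is the useful output: every domain the sample resolves shows up there even before any HTTP listener sees a connection. Returning NOERROR with no answer for non-A types keeps the sample moving rather than stalling on a timeout, which is usually what you want when the goal is to see its next step.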

FakeNet is designed to make the common tasks of dynamic malware analysis easy, while still having enough flexibility to allow for complex analysis.  FakeNet will allow you to:

  • Redirect all traffic (including traffic to hard coded IP addresses) to the localhost
  • Respond intelligently to requests for popular protocols including DNS, HTTP, and HTTPS
  • Listen to all network traffic on the localhost regardless of port or protocol
  • Easily script malware specific command and control protocols using a Python extension interface
  • Create a packet capture of traffic on the local machine, including loopback traffic, which WinPcap-based tools such as Wireshark cannot capture because Windows exposes no loopback adapter to them

FakeNet is easy to install, doesn't require a second virtual machine, and makes capturing malware network activity straightforward.  We're currently testing the tool and it has already made our jobs a lot easier.  Once we release it, it will be freely available on this blog.  Please join us for the webinar to hear all about how to use FakeNet successfully for malware analysis.

3 thoughts on “New Tool: FakeNet – Coming Soon!”

  1. I will be at the webinar, but can this tool run on an external host that can be set as the gateway/DNS for the test machine, or is it designed solely to be run on the test host?

    • It was specifically designed to analyze malware within a single VM.

      That being said, it's very configurable and you can configure it to run on an external host that's set as the DNS server, but not all the features will work. Specifically, traffic sent to hard-coded IP addresses won't be seen, and the ability to listen for traffic on all ports at once and the packet capture won't work. The DNS, HTTP, HTTPS, and Python extension servers will all work properly.
