In Chapter 3 of our book, we discuss strategies for using dynamic analysis tools and techniques. The best way to get started is to set up tools that fake the network, which usually means changing the local DNS server setting, running a local DNS server such as ApateDNS/FakeDNS, and setting up a second virtual machine with INetSim to simulate network services. I’ve been working on a new tool called FakeNet which combines all of those steps into a single tool, with additional features to handle hard-coded IP addresses, new protocols, SSL support, and more. We’ll be releasing the tool on 2/29 during a Mandiant webinar where we’ll be talking about our book and the tool.
FakeNet is designed to make the common tasks of dynamic malware analysis easy, while still having enough flexibility to allow for complex analysis. FakeNet will allow you to:
- Redirect all traffic (including traffic to hard-coded IP addresses) to the localhost
- Respond intelligently to requests for popular protocols including DNS, HTTP, and HTTPS
- Listen to all network traffic on the localhost regardless of port or protocol
- Easily script malware-specific command and control protocols using a Python extension interface
- Create a packet capture of traffic on the local machine, which is normally a challenge because Windows architecture features make this impossible with WinPcap-based listeners such as Wireshark
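To show the core of the "fake the network" step described above (the job ApateDNS/FakeDNS does and the first bullet depends on), here is an added example, not FakeNet's or the book's code, of a minimal fake DNS responder: it parses a raw DNS A query and answers with 127.0.0.1 so the sample's C2 traffic lands on the local analysis host. It assumes the Python standard library only, uncompressed question names, and that binding UDP port 53 on the analysis VM is permitted; the sample query is constructed inline.

```python
import socket
import struct

REDIRECT_IP = "127.0.0.1"   # every A lookup resolves here, as FakeDNS-style tools do


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard recursive A/IN query, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # ID, RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(data: bytes, offset: int):
    """Return (dotted name, offset just past the name) for an uncompressed QNAME."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def fake_dns_response(query: bytes, redirect_ip: str = REDIRECT_IP) -> bytes:
    """Echo the question and, for A queries, append one answer pointing at redirect_ip."""
    txid = query[:2]
    name, end = parse_qname(query, 12)          # question starts after the 12-byte header
    qtype, _qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    ancount = 1 if qtype == 1 else 0
    # Flags 0x8580: QR=1 (response), AA=1, RD=1, RA=1, RCODE=0 (NOERROR)
    header = txid + struct.pack("!HHHHH", 0x8580, 1, ancount, 0, 0)
    if ancount == 0:
        return header + question                # non-A query: NOERROR with no answers
    # Answer: name pointer to offset 12 (0xC00C), TYPE A, CLASS IN, TTL 60, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(redirect_ip)
    print(f"[fake-dns] {name} -> {redirect_ip}")  # the analyst's log of what the sample asked for
    return header + question + answer


def serve(bind_addr: str = "0.0.0.0", port: int = 53) -> None:
    """Answer every query on UDP/53 with the redirect address until interrupted."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, peer = sock.recvfrom(512)
            sock.sendto(fake_dns_response(data), peer)


if __name__ == "__main__":
    serve()
```

Point the analysis VM's DNS server setting at the host running this script; the queried names appear in the log while the connections they trigger arrive on localhost, where a listener can record them.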
FakeNet is easy to install, doesn’t require a second virtual machine, and makes it easy to capture malware network activity. We’re currently testing the tool and it’s made our jobs a lot easier. Once we release the tool it will be freely available on this blog. Please join us for the webinar to hear all about how to successfully use FakeNet for malware analysis.