Sooooo bright and shiny always works, and when a colleague suggested that I check out Fakenet, I dropped everything else I was doing to take a look ... and thought why not do a follow-up blog post on it!
"FakeNet is a tool that aids in the dynamic analysis of malicious software". Fakenet runs inside the guest VM so there is no need for multiple systems to analyse the malware. FakeNet was designed and developed by Andrew Honig. The most current release is 1.0 and that was released in July 2012. There hasn't been much in the way of movement from them since December 2012, but hopefully this isn't the end of Fakenet just yet.
You can download the latest version of Fakenet from Sourceforge and there is also a demo video that you can watch.
First things first, though: I wanted to set up my analysis virtual machine ready to go. I'm using VMware Workstation to create the analysis machine with Windows XP SP3. I've created the machine with 2GB RAM (being generous) and only 1 CPU; we're not going to be asking too much of this virtual machine. I've given it a 20GB hard drive that will expand on demand.
It's worthwhile noting here that many malware creators now have implemented virtual machine detection to prevent malware from running in a virtualised environment. There are some steps that you can take to help quieten down your VMware instance. Tom Liston and Ed Skoudis did a night presentation at SANS on the very topic and you can read their paper here and I also just came across a blog post here for hardening Cuckoo against VM aware malware.
At a minimum I was recommended to uninstall VMware tools and change the default MAC address. I've also set the networking to be host only and disabled Automatic Updates to keep the system vulnerable.
So once you have your virtual machine all ready to go, it's time to take a look at Fakenet. There is a Readme instruction file included in the zip; some useful information from that file:
The default configuration will modify the DNS settings of the local machine to point to localhost. It will also install hooks into the Windows socket interface to redirect traffic destined for hard-coded IPs to the local machine. The following services are enabled by the default configuration:
- DNS Server on UDP port 53. The DNS server responds to all requests with the IP 127.0.0.1 to redirect all requests to the local machine
- HTTP Server on TCP ports 80, 8080, and 8000. This responds to all GET requests with a default file based on the extension of the request
- HTTPS Server on TCP ports 443 and 8443. This behaves the same as the HTTP server, but uses SSL
- SMTP Server on TCP port 25 implemented as a python extension and SMTP over SSL on TCP port 465
- ICMP Server that listens for ICMP traffic
- Dummy service that listens on all other ports, autodetects SSL and decrypts if necessary, and outputs the received data to the screen.
ZeroAccess
So without further delay I have run the ZeroAccess malware I have in Fakenet to see the network activity logged and recorded. First things first, I need to start up Fakenet in a command window:
(Screenshot: Starting fakenet.exe)
(Screenshot: Running the malware)
- "Redirecting a socket destined for 85.17.239.212 to localhost"; and
- "Received new connection on port: 80"
(Screenshot: Fakenet output)
(Screenshot: File details from Malwr.com)
When this piece of malware is executed, the first thing we see is a beacon sent out to 85.17.239.212, presumably a "hello I'm here" (as outlined in Dr Fu's Security Blog, Section 10, Contact Malicious Server), as well as a connection to intensedive.com on port 80 with a GET request to download the FakeAV application:
"GET /install/setup.php?m=000c299b60aa&i=1&id=110001800 HTTP/1.1\\r\\n"
The picture below shows an excerpt from Wireshark showing the traffic captured.
(Screenshot: Packet capture details in Wireshark)
(Screenshot: Results from www.malwr.com)
Agobot
Agobot is an IRC bot for Win32 systems. There are several thousand variants of Agobot. Once again I uploaded the same executable to www.malwr.com as I used in my Fakenet sandbox to compare the network results.
(Screenshot: File details from malwr.com)
From malwr.com we can see that a connection to "bots.unixcon.net" is attempted (pictured below). What is nice about the information that Fakenet has given us is that we see the connection is made over TCP port 9900.
(Screenshot: Agobot information from Fakenet)
NICK icglgj
USER icglgj XXXXXX-5730C82D server :icglgj
QUIT :Bye!
as well as
NICK qmjvf
USER qmjvf XXXXXX-5730C82D server :qmjvf
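To turn the kind of output shown in the ZeroAccess and Agobot runs above into a quick indicator summary, here is a small parser I've added for this post (it is not part of Fakenet). It assumes Fakenet prints the two message formats quoted earlier ("Redirecting a socket destined for ... to localhost" and "Received new connection on port: ...") and that the dummy service echoes the raw HTTP and IRC lines; the sample input is constructed from the lines quoted in this post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the two Fakenet messages plus the HTTP and IRC lines
# quoted in this post, stitched together. Not real Fakenet log output.
SAMPLE_OUTPUT = """\
Redirecting a socket destined for 85.17.239.212 to localhost
Received new connection on port: 80
GET /install/setup.php?m=000c299b60aa&i=1&id=110001800 HTTP/1.1
Received new connection on port: 9900
NICK icglgj
USER icglgj XXXXXX-5730C82D server :icglgj
QUIT :Bye!
"""

REDIRECT_RE = re.compile(r"destined for (\d{1,3}(?:\.\d{1,3}){3}) to localhost")
PORT_RE = re.compile(r"new connection on port: (\d+)")
HTTP_RE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]")
IRC_NICK_RE = re.compile(r"^NICK (\S+)")


def extract_indicators(text):
    """Collect hard-coded IPs, listened ports, HTTP requests and IRC nicks."""
    found = {"ips": [], "ports": [], "http": [], "irc_nicks": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = REDIRECT_RE.search(line)
        if m:
            if m.group(1) not in found["ips"]:
                found["ips"].append(m.group(1))
            continue
        m = PORT_RE.search(line)
        if m:
            port = int(m.group(1))
            if port not in found["ports"]:
                found["ports"].append(port)
            continue
        m = HTTP_RE.match(line)
        if m:
            parts = urlsplit(m.group(2))
            # Flatten single-valued query parameters (m, i, id in the ZeroAccess request)
            query = {k: v[0] for k, v in parse_qs(parts.query).items()}
            found["http"].append({"method": m.group(1), "path": parts.path, "query": query})
            continue
        m = IRC_NICK_RE.match(line)
        if m and m.group(1) not in found["irc_nicks"]:
            found["irc_nicks"].append(m.group(1))
    return found


if __name__ == "__main__":
    for key, values in extract_indicators(SAMPLE_OUTPUT).items():
        print(key, values)
```

Paste the text from the Fakenet window into a file and feed it to extract_indicators to get the same summary for your own sample.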
This information is very handy, and of course you can collect the packets if you have your own setup of Cuckoo to play with and capture. Perhaps I'll cover that next time.