Counterfeiting the Pipes with FakeNet 2.0

Counterfeiting the Pipes with FakeNet 2.0

From BruCON 2017

Jump to: navigation, search

Successful dynamic analysis of malware is dependent on your ability to “Fake the Network”. Tricking malware into thinking it is connected to the Internet allows you efficiently capture network signatures. FakeNet is a free and easy-to-use network simulation tool designed for Windows. In this workshop, I will publicly release FakeNet 2.0 and teach you how it operates.

Attendees will learn the following practical skills:

- Use FakeNet to mimic common protocols like HTTP, SSL, and DNS - Quickly reconfigure FakeNet to have success defeating malware - How FakeNet uses Windows Internals - Use process tracking, which allows you to quickly identify the process responsible for the malicious network activity - How FakeNet automatically logs network traffic to PCAP without the need for additional tools

Bring your Windows malware analysis Virtual Machine or I’ll provide one for you. The hands-on section of this workshop forces you to analyze real world malware samples to tease out network-based malware signatures. These challenges start at a basic level and progress until you dive into how to extend FakeNet by writing a Python Extension for a custom malware protocol.