Thursday, November 12, 2009

INetSim

INetSim (http://www.inetsim.org/) is a Linux tool that simulates common internet services (e.g. FTP, DNS, HTTP) for a lab environment. You can use it during malware analysis to answer most of the common internet traffic a sample might attempt: web requests, DNS queries, FTP/TFTP, etc.

Once you get the tool installed and working, it also ships with a default set of files to respond with. For example, if your malware requests an executable such as mybadsite.com/new_malware.exe, INetSim has a default executable that it will serve in response.

In my environment, I have an Ubuntu 9 VM that I will use for this.

Step 1: get all the Perl libraries
> perl -MCPAN -e shell
cpan> install Net::Server
cpan> install IO::Select
cpan> install IO::Socket
cpan> install Digest::SHA1

I tried to use cpan to install Net::DNS and IPC::Shareable, but kept getting errors.

Installing by hand:
Download the Net::DNS and IPC::Shareable tarballs, then build each one:

> tar zxvf IPC-Shareable-0.60.tar.gz
> cd IPC-Shareable-0.60
> perl Makefile.PL
> make
> make test                ** I got failed tests here, but installed anyway ** 
> make install
> tar zxvf Net-DNS-0.65.tar.gz
> cd Net-DNS-0.65
> perl Makefile.PL
> make
> make test                ** I got failed tests here, but installed anyway **
> make install
 
Downloaded INetSim (I put it in /usr/local):
> cd /usr/local/
> tar zxvf inetsim-1.1.tar.gz
> mv inetsim-1.1 inetsim
> cd inetsim
> groupadd inetsim
> sh setup.sh

that's it for the install!

I had to make a few minor changes to the conf/inetsim.conf file, both of which should point at the INetSim VM's own lab address:

service_bind_address (the address the simulated services listen on; the shipped default is 127.0.0.1, so nothing else on the network can reach them until this is changed)
dns_default_ip (the address the fake DNS server returns for every query; setting it to the INetSim box means every name the malware resolves leads back to the simulated HTTP/FTP services)
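As an added illustration (not an excerpt of the author's actual config), this is what the two settings look like in conf/inetsim.conf, assuming the INetSim VM sits at 10.0.0.1 on an isolated host-only network shared only with the victim VM:

```conf
# conf/inetsim.conf (excerpt; added example, 10.0.0.1 is an assumed lab address)

# Bind the fake services to the lab-facing interface only. The shipped
# default is 127.0.0.1, which is why a victim VM gets no answer until
# this is changed. Prefer a specific address over 0.0.0.0 so the fake
# services never end up listening on a NAT or bridged interface.
service_bind_address    10.0.0.1

# Address returned for every A query. Pointing it at the same INetSim
# box means the hostname the malware resolves leads straight back to
# the simulated HTTP/FTP/etc. services instead of out to the internet.
dns_default_ip          10.0.0.1
```

Keep the victim VM and the INetSim VM on a network with no route to the real internet; otherwise a sample that hard-codes an IP address, or carries its own resolver, will bypass the simulation entirely.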

Finally, I changed my victim VM's DNS server address to the machine running INetSim.
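A quick check that the victim really is talking to INetSim: every A query must come back with dns_default_ip. The script below is an added example (not from the original post or the INetSim project); it builds a raw DNS query, parses the answer section and verifies the address. The lab address 10.0.0.1, the name mybadsite.com and the transaction id are assumed values, and the embedded sample response is constructed by hand rather than captured from a real box.

```python
"""Check that an INetSim host answers DNS the way the lab expects.

Added example, not part of the original post or of INetSim itself.
INetSim's fake DNS answers every A query with the value of
dns_default_ip, so after pointing the victim VM at the INetSim box,
any hostname the malware looks up should resolve to that one address.

Run it against a live box (assumed lab address 10.0.0.1):
  python3 check_inetsim_dns.py 10.0.0.1 mybadsite.com 10.0.0.1
"""
import socket
import struct
import sys


def build_query(name, txid=0x1234):
    """Build a standard recursion-desired A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer, 2 bytes
            return offset + 2
        offset += 1 + length


def parse_answer_ips(resp, txid):
    """Return the IPv4 addresses found in the answer section of `resp`."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch: %#x != %#x" % (rid, txid))
    if flags & 0x8000 == 0:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):                    # skip the echoed question(s)
        offset = _skip_name(resp, offset) + 4
    ips = []
    for _ in range(an):
        offset = _skip_name(resp, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        rdata = resp[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(rdata))
    return ips


def check_dns(resp, txid, expected_ip):
    """True if the response carries at least one A record and all equal expected_ip."""
    ips = parse_answer_ips(resp, txid)
    return bool(ips) and all(ip == expected_ip for ip in ips)


def query_live(server, name, txid=0x1234, timeout=3.0):
    """Send the query to a real INetSim host over UDP/53 and return its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        return s.recv(512)


# Constructed sample (not captured from a real box): the reply INetSim is
# expected to give to build_query("mybadsite.com") when dns_default_ip is 10.0.0.1.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # response, RD+RA, 1 Q, 1 A
    + build_query("mybadsite.com")[12:]                  # echoed question section
    + b"\xc0\x0c"                                        # name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 3600, 4)                # A, IN, TTL, RDLENGTH
    + socket.inet_aton("10.0.0.1")
)

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("usage: check_inetsim_dns.py <inetsim_host> <name> <dns_default_ip>")
        sys.exit(2)
    reply = query_live(sys.argv[1], sys.argv[2])
    print("answers:", parse_answer_ips(reply, 0x1234))
    print("OK" if check_dns(reply, 0x1234, sys.argv[3]) else "MISMATCH")
```

If the answer is anything other than dns_default_ip, the victim is still reaching a real resolver (wrong DNS setting, a second interface, or a cached answer), and any HTTP or FTP traffic the sample produces will not be hitting INetSim either.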

After that, it's done.  Very cool stuff -- this should cut down on the time it takes to get info from malware.
