The idea is simple: run both scripts/programs [as administrator/root] on the isolated analysis machine and point the machine's DNS resolution to 127.0.0.1. Any malware beaconing to a domain name rather than directly to an IP address will show up in the output from fakedns.pl, whilst any HTTP requests on port 80 will be logged and shown by fakeweb.pl. For a full packet capture, obviously run Wireshark and/or tcpdump alongside these programs.
I have seen similar scripts written in Python, though I rather like the simplicity of these and can quite easily modify them to suit my needs (changing the port, response, etc.).
Feel free to modify and share under the terms of the GNU GPL.

Fakedns.pl
Fakeweb.pl
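To show what the two scripts are doing under the hood, here is an added Python example (my own illustration, not the Perl scripts linked above): a minimal DNS sinkhole that answers every A query with 127.0.0.1 and logs the name asked for, plus an HTTP listener that logs the request line, Host and User-Agent of anything that follows the sinkholed name to port 80. The hostname in the usage section is a constructed value and the listen addresses are assumptions.

```python
import socket
import struct
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SINKHOLE_IP = "127.0.0.1"  # every resolved name is pointed back at the analysis box


def parse_query_name(data, offset=12):
    """Decode the QNAME starting at `offset`; return (name, offset just past QTYPE/QCLASS)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset + 4


def build_query(name, txid=0x1234, qtype=1):
    """Construct a standard recursive DNS query (used here for self-testing)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def build_sinkhole_response(query, ip=SINKHOLE_IP):
    """Answer an A query with a single record for `ip`, whatever name was asked.

    Non-A queries get an empty NOERROR response so the client does not retry forever.
    Returns (queried_name, response_bytes).
    """
    txid = query[:2]
    name, qend = parse_query_name(query)
    qtype, _qclass = struct.unpack("!HH", query[qend - 4:qend])
    ancount = 1 if qtype == 1 else 0
    flags = b"\x81\x80"  # QR=1, RD=1, RA=1, RCODE=0
    header = txid + flags + struct.pack("!HHHH", 1, ancount, 0, 0)
    question = query[12:qend]
    if ancount == 0:
        return name, header + question
    # Name is a pointer to the question (0xC00C), type A, class IN, TTL 60, RDLENGTH 4.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return name, header + question + answer


def parse_answer_ip(response):
    """Extract the IPv4 address from the first A answer, or None if there is no answer."""
    ancount = struct.unpack("!H", response[6:8])[0]
    if ancount == 0:
        return None
    _name, qend = parse_query_name(response)
    # answer layout: pointer(2) type(2) class(2) ttl(4) rdlength(2) rdata(4)
    return socket.inet_ntoa(response[qend + 12:qend + 16])


def serve_dns(bind="127.0.0.1", port=53):
    """UDP loop: log every queried name and hand back the sinkhole address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, addr = sock.recvfrom(512)
        try:
            name, resp = build_sinkhole_response(data)
        except (IndexError, UnicodeDecodeError, struct.error):
            continue  # malformed packet; skip rather than crash the listener
        print(f"[DNS]  {addr[0]} asked for {name} -> {SINKHOLE_IP}")
        sock.sendto(resp, addr)


class LoggingHandler(BaseHTTPRequestHandler):
    """Log the request line and a few headers, then return a small 200 OK body."""

    def handle_one(self):
        length = int(self.headers.get("Content-Length", 0) or 0)
        body = self.rfile.read(length) if length else b""
        print(f"[HTTP] {self.client_address[0]} {self.command} {self.path} "
              f"Host={self.headers.get('Host')} UA={self.headers.get('User-Agent')} "
              f"body_bytes={len(body)}")
        reply = b"OK"
        self.send_response(200)
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    do_GET = do_POST = do_HEAD = handle_one

    def log_message(self, *args):  # suppress the default stderr access log
        pass


if __name__ == "__main__":
    # Assumed listen addresses; ports 53 and 80 need administrator/root, as the post notes.
    threading.Thread(target=serve_dns, daemon=True).start()
    HTTPServer(("127.0.0.1", 80), LoggingHandler).serve_forever()
```

With the machine's resolver pointed at 127.0.0.1, a sample lookup of a constructed name such as `example.invalid` is answered with 127.0.0.1 and logged by the DNS thread, and the HTTP request that follows lands in the HTTP log with its Host header intact, which is usually the most useful indicator of what the sample was trying to reach.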