Analyze the network behavior of unknown malware samples

The aim of the INetSim project is to perform a quick run-time analysis of the network behavior of unknown malware samples in a laboratory environment.

Modules for the simulation of the following services are included:

  • POP3 / POP3S
  • DNS
  • FTP / FTPS
  • TFTP
  • IRC
  • NTP
  • Ident
  • Finger
  • Syslog
  • Dummy.

INetSim can be run in ‘faketime’ mode to analyze the runtime behaviour of malware which use NTP or Time/Daytime to start specific actions based on the current date and time.

In ‘faketime’ mode, all services using date/time information (e.g. NTP or HTTP) respond with a fake timestamp which is based on a configured delta to current system time. Optionally, this delta can automatically be incremented or decremented by a configured value at specific intervals.

In addition to connection redirection via fake DNS responses, INetSim allows for IP-based redirection of arbitrary connections (tcp and udp). This feature is only available when running INetSim on Linux platforms with Kernel support for packet queueing (Kernel compile time option CONFIG_NETFILTER_NETLINK_QUEUE).

This feature supports static rules for connection redirection based on target IP address, port and/or protocol. INetSim can also act as NAT router for redirection of packets to other hosts. Optionally, the TTL value of IP packets sent to the clients from different “virtual” connection targets can be varied to make traffic look more authentic.

Don't miss