INetSim is a software suite for simulating common internet services in a lab environment. It is useful for behavioral analysis of malware samples that require a given service to be reachable on a remote server in order to execute as expected, when you don’t want the sample to actually connect to the Internet, or when the service it expects is already down. Examples would be a spam bot (Cutwail, Asprox, etc.) that you don’t want sending spam to innocent victims, or a downloader Trojan whose domain is already down but where you want to know the URL that used to host the secondary payload. INetSim supports HTTP/HTTPS, SMTP/SMTPS, POP3/POP3S, DNS, FTP/FTPS, TFTP, IRC, and NTP among others.
Here is a step-by-step howto for installing INetSim on Ubuntu:
Install the requirements and add inetsim group:
apt-get install perl perl-base perl-modules libnet-server-perl libnet-dns-perl libipc-shareable-perl libio-socket-ssl-perl libiptables-ipv4-ipqueue-perl
groupadd inetsim
Add this line to your /etc/apt/sources.list file:
deb http://www.inetsim.org/debian/ binary/
Add the INetSim.org Archive Signing Key to your apt keyring, then update the package lists and install INetSim:
wget -O - http://www.inetsim.org/inetsim.org-archive-signing-key.asc | apt-key add -
aptitude update
aptitude install inetsim
Edit inetsim.conf:
Set your server IP address as the service_bind_address
service_bind_address 192.168.1.105
If you want all DNS requests from the victim machine to resolve to your fake server, set the IP of your fake server as the dns_default_ip:
dns_default_ip 192.168.1.105
Next comment out any services you don’t need in the start_service section.
Before you run INetSim, stop any processes that might already be listening on the ports it will bind (apache2 etc.):
service apache2 stop
Next you will need to configure your VM or victim machine to use the inetsim box as the preferred DNS server. Please see this post for information on how to do this: http://precisionsec.com/virtualbox-host-only-network-cuckoo-sandbox-0-4-2/
Run inetsim (as root):
/usr/bin/inetsim
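As an added helper (not from the original post or the INetSim project), the following POSIX shell script applies the inetsim.conf edits from the steps above to a config file and lists any of the fake ports that already have a TCP listener, so you know what to stop before starting INetSim. The config path, IP address and service names are caller-supplied placeholders; the demo at the bottom runs against a constructed config written to a temp file.

```shell
#!/bin/sh
# Added helper (not part of INetSim or the original post): apply the inetsim.conf
# edits from the steps above to a config copy, and list fake ports that already
# have a listener so they can be stopped before INetSim starts.
# Assumptions: config path, IP and service names are passed by the caller;
# the demo at the bottom writes a constructed config to a temp file.
set -f   # no pathname expansion when splitting config lines into words

# configure_inetsim CONF IP SERVICE...: set bind/DNS IP, comment out other services
configure_inetsim() {
    conf="$1"; ip="$2"; shift 2
    keep=" $* "            # space-delimited list of services to leave enabled
    tmp="$conf.tmp"
    while IFS= read -r line; do
        case "$line" in
            service_bind_address*|dns_default_ip*)
                set -- $line                 # $1 = key, $2 = old value
                printf '%s\t%s\n' "$1" "$ip" ;;
            start_service*)
                set -- $line                 # $2 = service name
                case "$keep" in
                    *" $2 "*) printf '%s\n' "$line" ;;
                    *)        printf '#%s\n' "$line" ;;   # disable unneeded service
                esac ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# ports_in_use PORT...: print each TCP port that already has a listener (uses ss)
ports_in_use() {
    command -v ss >/dev/null 2>&1 || return 0   # no ss available: report nothing
    listening=$(ss -ltn 2>/dev/null | awk 'NR>1 {print $4}' | sed 's/.*://')
    for p in "$@"; do
        printf '%s\n' "$listening" | grep -qx "$p" && printf '%s\n' "$p"
    done
    return 0
}

# Demo on a constructed config (tab-separated, like the real inetsim.conf)
demo_conf=$(mktemp)
printf 'service_bind_address\t10.10.10.1\ndns_default_ip\t10.10.10.1\n' > "$demo_conf"
printf 'start_service\tdns\nstart_service\thttp\nstart_service\tirc\n' >> "$demo_conf"
configure_inetsim "$demo_conf" 192.168.1.105 dns http
cat "$demo_conf"
busy=$(ports_in_use 53 80 443)
[ -z "$busy" ] || echo "stop listeners on: $busy before running inetsim"
rm -f "$demo_conf"
```

Run it on a copy of your real inetsim.conf first and diff the result before replacing the original.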
INetSim can also serve fake files in response to HTTP requests. For instance, to define a config file to be downloaded by an XtremeRAT Trojan, add an http_fakefile line to inetsim.conf:
http_fakefile functions 1234567890.functions