Discover what malware is doing online with FakeNet
FakeNet is a clever Windows tool which tries to detect and display common web access attempts on your PC.
The program isn’t just another packet capture tool. Instead FakeNet redirects internet traffic and handles it locally, so you’ll see any attempts to download "www.server.com/trojan.exe" but they won’t succeed.
There’s no installation required. Just unzip the download, launch FakeNet from an elevated command window and it changes your DNS settings to point at localhost.
Collect email, open a browser or do anything else web-related and FakeNet displays the DNS, URL and other details in its console window.
FakeNet responds to some requests itself. It’ll send DNS responses, for instance. Type test.com/test.jpg in your browser and FakeNet serves an image, use test.html and you’ll get a simple text file. This might help persuade your monitored software that it’s online, and able to download any payload.
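To make concrete what those two behaviours amount to, here is a small Python stand-in written for this page (it is an added example, not FakeNet's own code): a DNS responder that answers any A query with 127.0.0.1, which is what pointing the system's DNS at localhost and answering from there achieves, and an HTTP responder that logs the Host and path a program asks for and hands back a plausible fake body (a JPEG header for .jpg, an MZ header for .exe, a one-line page for everything else). The port numbers, payload bytes and the host name www.server.com are assumptions; it binds ephemeral ports so it runs unprivileged, where FakeNet would sit on 53 and 80.

```python
"""Stand-in for what FakeNet does on the wire (added example, not FakeNet's code):
answer every DNS A query with a sinkhole address, then answer the HTTP request that
follows with a plausible fake body while logging what the sample asked for."""
import socket
import struct
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SINKHOLE_IP = "127.0.0.1"   # FakeNet points DNS at localhost and answers from there

def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Encode a standard recursive query for `name` (what a stub resolver sends)."""
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_qname(packet: bytes, offset: int = 12):
    """Decode the uncompressed QNAME at `offset`; return (name, offset after it)."""
    labels = []
    while packet[offset] != 0:
        length = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1

def build_dns_response(query: bytes, ip: str = SINKHOLE_IP, ttl: int = 60):
    """Map the queried name to `ip`; return (qname, response_bytes). Only A/IN
    questions get an answer record; anything else gets NOERROR with zero answers,
    which keeps most resolvers from trying another server."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    qname, off = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    answer, ancount = b"", 0
    if (qtype, qclass) == (1, 1):
        # 0xC00C is a compression pointer back to the name in the question section
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
        ancount = 1
    rflags = 0x8080 | (flags & 0x0100)   # QR=1, RA=1, copy RD, RCODE=0
    header = struct.pack("!HHHHHH", txid, rflags, qdcount, ancount, 0, 0)
    return qname, header + question + answer

def summarize_response(response: bytes) -> dict:
    """Pull out what the sample's resolver would act on: txid, QR bit, the A address."""
    txid, flags, _qd, ancount = struct.unpack("!HHHH", response[:8])
    ip = socket.inet_ntoa(response[-4:]) if ancount else None
    return {"txid": txid, "is_response": bool(flags & 0x8000), "ancount": ancount, "ip": ip}

def serve_dns_once(sock: socket.socket) -> str:
    """Answer one query on an already-bound UDP socket; return the name asked for."""
    data, peer = sock.recvfrom(512)
    qname, reply = build_dns_response(data)
    sock.sendto(reply, peer)
    return qname

# Constructed fake payloads keyed by extension: just enough magic bytes to pass
# a naive file-type check (an "image" for .jpg, an "executable" for .exe).
FAKE_BODIES = {
    ".jpg": ("image/jpeg", b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"),
    ".exe": ("application/octet-stream", b"MZ" + b"\x00" * 62),
}
DEFAULT_BODY = ("text/html", b"<html><body>FakeNet</body></html>")
REQUEST_LOG = []   # (Host header, path) pairs observed from the sample

def fake_http_reply(path: str):
    """Pick the (content_type, body) to return for a requested path."""
    for ext, reply in FAKE_BODIES.items():
        if path.lower().endswith(ext):
            return reply
    return DEFAULT_BODY

class FakeHTTPHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        REQUEST_LOG.append((self.headers.get("Host", "?"), self.path))
        ctype, body = fake_http_reply(self.path)
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # DNS leg: the "resolver" asks where www.server.com is and is told: here.
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))              # FakeNet itself would sit on port 53
    threading.Thread(target=serve_dns_once, args=(srv,), daemon=True).start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.sendto(build_dns_query("www.server.com"), srv.getsockname())
    resp, _ = cli.recvfrom(512)
    print("DNS  www.server.com ->", summarize_response(resp)["ip"])
    # HTTP leg: the download of trojan.exe lands on the fake server, not the internet.
    httpd = HTTPServer(("127.0.0.1", 0), FakeHTTPHandler)   # port 80 in real use
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    req = urllib.request.Request("http://%s:%d/trojan.exe" % httpd.server_address,
                                 headers={"Host": "www.server.com"})
    body = urllib.request.urlopen(req).read()
    print("HTTP", REQUEST_LOG[-1], "-> %d bytes starting %r" % (len(body), body[:2]))
    httpd.shutdown()
```

Run it and the first line shows www.server.com resolving to the sinkhole address, the second shows the Host and path the "download" of trojan.exe carried and the 64 fake bytes it received. Nothing leaves the machine, which is the point: the request is logged and answered locally, exactly the effect the review describes.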
This worked reasonably well in our tests, with FakeNet detecting and displaying details of HTTP, HTTPS, DNS and ICMP traffic, as well as listening on some common ports (8000, 8080, 1337). We saw what our programs were trying to do, but they couldn't actually do it.
There are some obvious gaps here. What about other protocols, other ports, or a sample that skips DNS altogether and connects to a hard-coded IP address, which a DNS redirect won't catch? There are some more thorough "capture everything" settings, but they're XP-only. And FakeNet can be extended to support more protocols, but you'll need to write Python scripts to do it.
The program needs to be used with caution, too. By default it redirects your DNS settings on launch, but these will only be restored if you close it down properly. If you run FakeNet from an Explorer window, say, and close its command window by clicking the top-right "x", your DNS won't be restored and you'll still be offline. If in doubt, check with ipconfig /all: a DNS server still listed as 127.0.0.1 after FakeNet has exited means the original settings weren't put back. (There's a switch to get your original settings back, but you'll need to know it exists.)
These aren’t big issues for the target audience. Run FakeNet in a virtual machine, with a snapshot to hand, alongside other forensic tools and it could be very useful. Sounds like you? Give it a try.
FakeNet is an open-source application for Windows XP and later.