Skip to content
/ malnet Public

a python based web server to help track malware infections in corporate environments

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

chubbymaggie/malnet

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
dnsbh
dnsbh
 
 
README
README
 
 
malnet.py
malnet.py
 
 

Repository files navigation

1. What is MalNET?
------------------
MalNET is a python application to help assist in the diagnosis of machines infected with malware 
in a corporate environment. MalNET is designed to be a low interaction web server which can be 
used to communicate with malware attempting to download via http. When an infected host attempts 
to download badfile.exe from a host which has been blackholed in DNS (more on this later..), the 
MalNET application will ALWAYS return a "200 OK" response, essentially making the malware 
downloader believe the malware is on the way. From an incident response perspective all you really 
want is the URL of the file the malware is attempting to download, for which you can then download 
yourself and unpack/analyse/scan etc for any follow up.

2. Blackhole DNS
------------------
Many corporate environments and research organisations are now setting up DarkNETs, these are not 
new. However for much more than the 'ooh, aah' factor and some research statistics they are pretty 
much useless. Some environments running DarkNETs are now starting to redirect blackholed DNS 
traffic into their DarkNET, essentially polluting their DarkNET environment. The MalNET application 
is designed to be used in conjunction with something like the malwaredomains.com blackholed DNS list, 
redirecting all of your blackholed DNS traffic to the host running MalNET.

The files located in the dnsbh folder in MalNET need to be copied onto your BIND server. Then:

- Configure the WGET var to use your wget binary
- Change the NAMEDB var to the location where your BIND zone files are stored

Once this has been done, edit the blockeddomain.hosts hosts by adding in your nameserver address 
and changing the last occurence of 127.0.0.1 replacing it with your host running malnet.py

3. Usage
------------------
Not much to it really;

sudo python ./malnet.py <port>

<port> defaults to port 80 if none specified

once MalNET has been started, you will see log output to both stderr and a separate log file called 
malnet.log. The log output will look as follows:

[x] Started MalNET HTTP Server
[x] Hit Ctrl+C to exit
hostpc.domain.net [19/Dec/2010 11:34:21] Host: ['some.malwaredomain.com'] "GET / HTTP/1.1" 200 -

^ visiting host     ^ date                         ^malware domain visited  ^ request

About

a python based web server to help track malware infections in corporate environments

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages