-
Notifications
You must be signed in to change notification settings - Fork 0
chubbymaggie/malnet
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
1. What is MalNET? ------------------ MalNET is a python application to help assist in the diagnosis of machines infected with malware in a corporate environment. MalNET is designed to be a low interaction web server which can be used to communicate with malware attempting to download via http. When an infected host attempts to download badfile.exe from a host which has been blackholed in DNS (more on this later..), the MalNET application will ALWAYS return a "200 OK" response, essentially making the malware downloader believe the malware is on the way. From an incident response perspective all you really want is the URL of the file the malware is attempting to download, for which you can then download yourself and unpack/analyse/scan etc for any follow up. 2. Blackhole DNS ------------------ Many corporate environments and research organisations are now setting up DarkNETs, these are not new. However for much more than the 'ooh, aah' factor and some research statistics they are pretty much useless. Some environments running DarkNETs are now starting to redirect blackholed DNS traffic into their DarkNET, essentially polluting their DarkNET environment. The MalNET application is designed to be used in conjunction with something like the malwaredomains.com blackholed DNS list, redirecting all of your blackholed DNS traffic to the host running MalNET. The files located in the dnsbh folder in MalNET need to be copied onto your BIND server. Then: - Configure the WGET var to use your wget binary - Change the NAMEDB var to the location where your BIND zone files are stored Once this has been done, edit the blockeddomain.hosts hosts by adding in your nameserver address and changing the last occurence of 127.0.0.1 replacing it with your host running malnet.py 3. Usage ------------------ Not much to it really; sudo python ./malnet.py <port> <port> defaults to port 80 if none specified once MalNET has been started, you will see log output to both stderr and a separate log file called malnet.log. The log output will look as follows: [x] Started MalNET HTTP Server [x] Hit Ctrl+C to exit hostpc.domain.net [19/Dec/2010 11:34:21] Host: ['some.malwaredomain.com'] "GET / HTTP/1.1" 200 - ^ visiting host ^ date ^malware domain visited ^ request
About
a python based web server to help track malware infections in corporate environments
Resources
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published