Counterfeiting the Pipes with FakeNet 2.0

Presented at Black Hat Europe 2014, Oct. 17, 2014, 11:45 a.m. (210 minutes)

Successful dynamic analysis of malware is dependent on your ability to "Fake the Network." Tricking malware into thinking it is connected to the Internet allows you to efficiently capture network signatures. FakeNet is a free and easy-to-use network simulation tool designed for Windows. In this workshop, we will publically release FakeNet 2.0 and teach you how it operates. Attendees will learn the following practical skills: - Use FakeNet to mimic common protocols like HTTP, SSL, and DNS - Quickly reconfigure FakeNet to have success defeating malware - How FakeNet uses Windows Internals - Use process tracking, which allows you to quickly identify the process responsible for the malicious network activity - How FakeNet automatically logs network traffic to PCAP without the need for additional tools Bring your Windows malware analysis Virtual Machine or we'll provide one for you. The hands-on section of this workshop forces you to analyze real world malware samples to tease out network-based malware signatures. These challenges start at a basic level and progress until you dive into how to extend FakeNet by writing a Python Extension for a custom malware protocol.

Presenters:

• Andrew Honig - Google
  Andrew Honig is a software security engineer for Google and a tech lead on the cloud security team where he works on virtualization and kernel security. He spent eight years with the National Security Agency where he taught courses on software analysis, reverse engineering, and Windows system programming at the National Cryptologic School. He discovered several vulnerabilities in virtualization software including VM escapes in VMware and KVM. He's the co-author of "Practical Malware Analysis" and developer of the FakeNet malware analysis tool.
• Michael Sikorski - Mandiant/FireEye
  Michael Sikorski is a Technical Director and Manager of the FireEye Labs Advanced Reverse Engineering (FLARE) Team. He leads the Malware Analysis Team through reverse engineering malware as a primary analyst and manages the overall workflow and process used by the team. Mike created a series of courses in malware analysis and teaches them to a variety of audiences including the FBI, NSA, and Black Hat. He is co-author of the book "Practical Malware Analysis," which is published by No Starch Press. Mike came to FireEye through its acquisition of Mandiant, where he worked for seven years. Prior to Mandiant, Mike worked for MIT Lincoln Laboratory and the National Security Agency. He is a graduate of the NSA's three-year Systems and Network Interdisciplinary Program (SNIP), Johns Hopkins University, and Columbia University.

Links:

• https://www.blackhat.com/eu-14/briefings.html#Sikorski
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2014/Video/Counterfeiting the Pipes with FakeNet 2.0 (Part 1 2).mp4
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2014/Video/Counterfeiting the Pipes with FakeNet 2.0 (Part 2 2).mp4
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2014/Video/Counterfeiting the Pipes with FakeNet 2.0 (Part 1 2).srt (subtitles)
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2014/Video/Counterfeiting the Pipes with FakeNet 2.0 (Part 2 2).srt (subtitles)
• https://www.youtube.com/watch?v=h0CX-D-QAY8
• https://www.blackhat.com/docs/eu-14/materials/eu-14-Sikorski-Counterfeiting-The-Pipes-With-FakeNet-2-0.pdf

Similar Presentations:

• BalCCon2k22 - Loading (2022) / Malware Analysis Workshop 1
• ekoparty 14 (2018) / To Execute or Not to Execute. How to Build a Malware Execution Lab
• DerbyCon 3.0 All in the Family (2013) / The Malware Management Framework, a process you can use to find advanced malware. We found WinNTI with it!