Dynamic Analysis of Malware using "Fake" Web and DNS Servers

A common technique when performing dynamic analysis of potential malware is to actually run it in an isolated virtual machine. I've written two scripts in Perl that serve as a fake DNS server and a basic web server.

The idea is simple: run both scripts/programs [as administrator/root] on the isolated analysis machine and point the machine's DNS resolution to 127.0.0.1. Any malware beaconing to a domain name rather than directly to an IP address will show up in the output from fakedns.pl, whilst any HTTP requests on port 80 will be logged and shown by fakeweb.pl. For full capture, obviously run Wireshark and/or TCPDump alongside these programs.
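As an added example (not the author's Perl scripts), here is a minimal Python equivalent of the fakedns.pl half of the setup: it parses the question section of a raw DNS query, logs the name the sample asked for, and answers every query with an A record for 127.0.0.1 so the beacon lands on the local fake web server. The `build_query` helper constructs a test query so the parsing and response logic can be exercised without a live client; the hostname used there is made up.

```python
import socket
import struct

FAKE_IP = "127.0.0.1"  # every name resolves here, so beacons hit the local fake web server

def parse_question(packet: bytes):
    """Return (txid, qname, question_section_bytes) from a raw DNS query."""
    txid = struct.unpack("!H", packet[:2])[0]
    labels, pos = [], 12  # question section starts after the 12-byte header
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:  # root label terminates QNAME
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    question = packet[12:pos + 4]  # QNAME + QTYPE(2) + QCLASS(2)
    return txid, ".".join(labels), question

def build_response(query: bytes, ip: str = FAKE_IP, ttl: int = 60) -> bytes:
    """Echo the question back with one A record pointing at `ip`, regardless of QTYPE."""
    txid, _qname, question = parse_question(query)
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0; QDCOUNT=1, ANCOUNT=1
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # answer RR: compression pointer to QNAME at offset 12 (0xC00C), TYPE A, CLASS IN, TTL, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer

def serve(port: int = 53):
    """Bind UDP/53 (needs root) and log every queried name, like fakedns.pl."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, addr = sock.recvfrom(512)
        _, qname, _ = parse_question(data)
        print(f"[DNS] {addr[0]} asked for {qname} -> {FAKE_IP}")
        sock.sendto(build_response(data), addr)

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal standard A query (RD=1) for offline testing."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    serve()
```

Point the analysis VM's resolver at 127.0.0.1 and run this alongside the web logger; the printed names are the sample's beacon domains.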

I have seen similar scripts written in Python, though I rather like the simplicity of these and can quite easily modify them to suit my needs (changing port/response etc).

Feel free to modify and share under the terms of the GNU GPL.

Fake Web & DNS

Download from the FakeWeb github repository.