One thing that was frustrating me was the default behavior of the DNS service within INetSim. When a client connects to INetSim to resolve a DNS name the service will always respond with the same fixed IP address.
This is rather annoying when analyzing malwares that use multiple DNS names to connect to multiple command and control servers, or just performing test-connections. As the DNS service replies with the same IP, and the malware establishes a TCP connection to that IP you can't make the relation between the domain name and the communication. There is no clear way for you to know what tcp session, and what communication matches which command and control server.
Except if you hardcode the different domain names in the configuration file of course. However, how do you encode a name in that configuration if you don't know the name yet? Basic static analysis could already have given you a name, however that is likely not the case if the malware was packed with a non-standard packer. So should I first spend loads of time to manually unpack the malware? Or should I run the malware, look at the DNS requests, encode these DNS names in my INetSim, restore from snapshot, re-infect the machine, see new domain names, re-encode them, etc...
Being a lazy person this doesn't motivate me a lot, so when I was following Lenny Zeltser's SANS 610 class some time ago I threw him this question. Fortunately I was not the first one with this frustration and another student if him wrote a python script to do incremental DNS responses and gave me a copy. However I didn't like the idea to use yet-another-additional-tool, so I looked into the code of INetSim and a hack looked easier than expected.
So I wrote a simple patch that added this new functionality:
- for each dns request, a new IP is returned (i++)
- requesting the same dns name twice returns the same IP of course (I save it in the temporary hash with the hardcoded hostnames)
- the start IP is the default IP
- functionality is activated by a configuration flag.
There is however a limitation: once the x.y.z.254 IP is reached the DNS response will stay the same IP.
This patch has been sent to the developers of INetSim, and they were going to look into it to integrate it when they would have a little bit more time. It seems I have forgotten to publish this 5 months old code here.
You can apply the patch using the following commands:
This will output: (the fuzz is because the patch was for INetSim v1.2.2)tar xzf inetsim-1.2.3.tar.gz wget http://documentation.vandeplas.com/inetsim/inetsim_incrementaldns.patch cd inetsim-1.2.3/ patch -p1 < ../inetsim_incrementaldns.patch
Now install INetSim and start it up and perform some DNS queries. We see the responses increment each time, while staying consistent when requesting the same name.patching file conf/inetsim.conf patching file lib/INetSim/Config.pm patching file lib/INetSim/DNS.pm Hunk #1 succeeded at 67 with fuzz 2.