INetSim is a free, Linux-based software suite for simulating common Internet services. The easiest way to run INetSim if your base operating system is Microsoft Windows is to install it on a Linux virtual machine and set it up on the same virtual network as your malware analysis virtual machine.
INetSim is the best free tool for providing fake services, allowing you to analyze the network behavior of unknown malware samples by emulating services such as HTTP, HTTPS, FTP, IRC, DNS, SMTP, and others. Example 3-3 displays all services that INetSim emulates by default, all of which (including the default ports used) are shown here as the program is starting up.
Example 3-3. INetSim default emulated services
* dns 53/udp/tcp - started (PID 9992) * http 80/tcp - started (PID 9993) * https 443/tcp - started (PID 9994) * smtp 25/tcp - started (PID 9995) * irc 6667/tcp - started (PID 10002) * smtps 465/tcp - started (PID 9996) * ntp 123/udp - started (PID 10003) * pop3 110/tcp - started (PID 9997) * finger 79/tcp - started (PID 10004) * syslog 514/udp - started (PID 10006) * tftp 69/udp - started (PID 10001) * pop3s 995/tcp - started (PID 9998) * time 37/tcp - started (PID 10007) * ftp 21/tcp - started (PID 9999) * ident 113/tcp - started (PID 10005) * time 37/udp - started (PID 10008) * ftps 990/tcp - started (PID 10000) * daytime 13/tcp - started (PID 10009) * daytime 13/udp - started (PID 10010) * echo 7/tcp - started (PID 10011) * echo 7/udp - started (PID 10012) * discard 9/udp - started (PID 10014) * discard 9/tcp - started (PID 10013) * quotd 17/tcp - started (PID 10015) * quotd 17/udp - started (PID 10016) * chargen 19/tcp - started (PID 10017) * dummy 1/udp - started (PID 10020) * chargen 19/udp - started (PID 10018) * dummy 1/tcp - started (PID 10019)
INetSim does its best to look like a real server, and it has many easily configurable features to ensure success. For example, by default, it returns the banner of Microsoft IIS web server if is it scanned.
Some of INetSim’s best features are built into its HTTP and HTTPS server simulation. For example, INetSim can serve almost any file requested. For example, if a piece of malware requests a JPEG from a website to continue its operation, INetSim will respond with a properly formatted JPEG. Although that image might not be the file your malware is looking for, the server does not return a 404 or another error, and its response, even if incorrect, can keep the malware running.
INetSim can also record all inbound requests and connections, which you’ll find particularly useful for determining whether the malware is connected to a standard service or to see the requests it is making. And INetSim is extremely configurable. For example, you can set the page or item returned after a request, so if you realize that your subject malware is looking for a particular web page before it will continue execution, you can provide that page. You can also modify the port on which various services listen, which can be useful if malware is using nonstandard ports.
And because INetSim is built with malware analysis in mind, it offers many unique features, such as its Dummy service, a feature that logs all data received from the client, regardless of the port. The Dummy service is most useful for capturing all traffic sent from the client to ports not bound to any other service module. You can use it to record all ports to which the malware connects and the corresponding data that is sent. At least the TCP handshake will complete, and additional data can be gathered.