FakeBait was born out of the process of replacing our AV. As the need to replace our current AV vendor grew, we started considering the various aspects a new AV product would have to cover. Since there were no tools for evaluating the effectiveness of an AV package, from detection all the way to mitigation of malicious communication, we wrote this little script.
As our modus operandi we chose to test several detection and mitigation responsibilities in a number of different ways.
- The package ships with several malware samples prepacked in ZIP format. The archives are encrypted with the very complex and secure password "infected", which no AV could ever guess.
- fakebait then decompresses these samples one by one, waits a short period of time, and checks whether the extracted file is still there. If the file has been removed, fakebait assumes the removal was due to detection by the AV.
- The EICAR test drops the EICAR test file in various ways to see whether it is picked up at any point.
- The tests performed are:
  - Fetch the EICAR file from the EICAR URL.
  - Write it to a file Base64-encoded.
  - Write it to a file as plain text.
  - Append it to a small PNG.
  - Gzip it and save it to a file.
  - Create a ZIP file of 3.1415 GB and put it in there as well.
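The drop-and-check loop for the EICAR variants listed above, as an added example written for this page (it is not FakeBait's own code). It builds each form of the test file, drops it, waits for the on-access scanner, and then classifies what happened. It goes one step beyond the existence check described in the text: it also hashes each file after the drop, so a product that disinfects or truncates in place, or locks the file, is reported as such instead of being counted as a miss. The function and result names (build_variants, run_drop_tests, "removed", "modified", and so on) are this example's own, and the ZIP padding size is a parameter defaulting to 1 MiB so the example runs in seconds; raise it to reproduce the 3.1415 GB archive.

```python
import base64
import gzip
import hashlib
import os
import struct
import tempfile
import time
import zipfile
import zlib

# The EICAR test string, assembled from two fragments so this script's own
# source does not carry the contiguous signature (an on-access scanner would
# otherwise quarantine the script before it ran). Joined, it is the standard
# 68-byte string.
EICAR = "".join([
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
]).encode("ascii")

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def tiny_png() -> bytes:
    """Build a valid 1x1 RGB PNG so the 'append to a PNG' variant is a real image."""
    def chunk(tag: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + one black pixel
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_variants(payload: bytes) -> dict:
    """The in-memory forms that get dropped: plain, Base64, appended to a PNG, gzipped."""
    return {
        "plain": payload,
        "base64": base64.b64encode(payload),
        "png_appended": tiny_png() + payload,
        "gzip": gzip.compress(payload),
    }


def write_bytes(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def write_padded_zip(path: str, payload: bytes, pad_bytes: int = 1 << 20) -> None:
    """ZIP holding a zero-filled padding member plus the payload, STORED so the
    archive is about pad_bytes on disk. The original tool pads to 3.1415 GB to see
    whether the scanner gives up on large archives; pad_bytes is a parameter here."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_STORED) as zf:
        # force_zip64 lets the streamed member exceed 2 GiB when pad_bytes is raised.
        with zf.open("padding.bin", "w", force_zip64=True) as member:
            block = b"\x00" * (1 << 16)
            remaining = pad_bytes
            while remaining > 0:
                n = min(remaining, len(block))
                member.write(block[:n])
                remaining -= n
        zf.writestr("eicar.com", payload)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()


def run_drop_tests(directory=None, payload: bytes = EICAR,
                   settle_seconds: float = 5.0, pad_bytes: int = 1 << 20) -> dict:
    """Drop every variant, wait, then classify each file:
    blocked_on_write - the write failed, or the file vanished before it could be hashed
    removed          - gone after the wait (deleted or quarantined)
    modified         - still present but its content changed (disinfected / truncated)
    access_denied    - present but unreadable (locked by the scanner)
    survived         - untouched: the scanner did not react to this form"""
    directory = directory or tempfile.mkdtemp(prefix="fakebait_")
    writers = {name: (lambda p, data=data: write_bytes(p, data))
               for name, data in build_variants(payload).items()}
    writers["zip"] = lambda p: write_padded_zip(p, payload, pad_bytes)
    dropped, results = {}, {}
    for name, writer in writers.items():
        path = os.path.join(directory, "eicar_%s.bin" % name)
        try:
            writer(path)
            dropped[name] = (path, sha256_file(path))
        except OSError:
            results[name] = "blocked_on_write"
    time.sleep(settle_seconds)
    for name, (path, digest) in dropped.items():
        if not os.path.exists(path):
            results[name] = "removed"
            continue
        try:
            results[name] = "survived" if sha256_file(path) == digest else "modified"
        except OSError:
            results[name] = "access_denied"
    return results


if __name__ == "__main__":
    for name, verdict in run_drop_tests().items():
        print("%-13s %s" % (name, verdict))
```

Two caveats when reading the verdicts: the hash taken right after the drop also reads the file back, which is what triggers products that scan on read rather than on write, so a "removed" verdict may come from that read and not from the write; and "survived" only means nothing reacted within settle_seconds, so products that act on execution or on a scheduled scan will look like misses here.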
This one is fairly straightforward: take a list of malware sites (serving or C&C), go through the following stages for each, and see where and when the script fails:
DNS resolution --> connect to port 80/tcp --> do a GET request
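The three-stage probe described above, as an added example written for this page (not FakeBait's own code). Rather than a bare pass/fail per stage it records what each successful stage returned: the resolved addresses, because an answer of 0.0.0.0 or 127.0.0.1 usually means the resolver sinkholed the name, which is a mitigation that a plain "DNS passed" would hide; and the HTTP status line, because a web filter's block page may answer with a 200 and so looks like reaching the site unless the response is inspected. The serve_once listener is a stand-in for a malware site so the example runs offline; the function names, the "reached" labels and the use of port 1 as an assumed-closed port are this example's own.

```python
import socket
import threading


def probe_site(host: str, port: int = 80, path: str = "/", timeout: float = 5.0) -> dict:
    """Walk DNS resolution -> TCP connect -> HTTP GET in order and record how far we got.
    'reached' is the last stage that succeeded ('none', 'dns', 'connect' or 'get'),
    'error' names the stage that failed and why, and 'addresses' / 'status' hold what
    the successful stages returned so a sinkhole answer or a block page can be spotted."""
    result = {"host": host, "reached": "none", "addresses": [], "status": None, "error": None}

    # Stage 1: DNS resolution. A DNS filter shows up here either as a resolution
    # failure or as an answer pointing at a sinkhole address.
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        result["error"] = "dns: %s" % exc
        return result
    result["addresses"] = sorted({info[4][0] for info in infos})
    result["reached"] = "dns"

    # Stage 2: TCP connect to the port. A host firewall or network-blocking AV
    # module shows up here as a refused connection or a timeout.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["error"] = "connect: %s" % exc
        return result
    result["reached"] = "connect"

    # Stage 3: a minimal plain-HTTP GET; only the status line is read back.
    request = ("GET %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: fakebait\r\n"
               "Connection: close\r\n\r\n" % (path, host)).encode("ascii")
    try:
        with sock:
            sock.sendall(request)
            data = b""
            while b"\r\n" not in data and len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        result["error"] = "get: %s" % exc
        return result
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1")
    if not status_line.startswith("HTTP/"):
        # Connected but no HTTP reply: typical of a proxy that accepts and then drops.
        result["error"] = "get: no HTTP status line (%r)" % status_line[:60]
        return result
    result["reached"] = "get"
    result["status"] = status_line
    return result


def serve_once(response: bytes) -> int:
    """Throwaway HTTP listener on 127.0.0.1 that answers one request with `response`.
    It stands in for a malware site so the probe can be exercised offline; returns the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def handle():
        with listener:
            conn, _ = listener.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                conn.recv(4096)  # consume the request; one read covers the tiny GET above
            except OSError:
                pass
            conn.sendall(response)

    threading.Thread(target=handle, daemon=True).start()
    return port


if __name__ == "__main__":
    port = serve_once(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    print(probe_site("localhost", port))  # reaches 'get' with status HTTP/1.1 200 OK
    print(probe_site("127.0.0.1", 1))     # reaches 'dns' only, assuming nothing listens on port 1
```

To run it against the real list, call probe_site for each hostname and group the results by the "reached" field; the hosts that stop at "dns" or "connect" show where the product (or the network) intervenes, and for those that reach "get" the status line and response body still need a look before counting them as uncontrolled.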
TBD.