Use ICMP instead of HTTP for testing the connection

d35ha · d35ha · commit dc74d59a2b53 · 2025-02-03T13:56:36.000+04:00
Using ping instead of checking the status of multiple websites for detecting the internet connection:

- The original approach to detect the internet connection was to send HTTP requests to a hard-coded list of websites and check the return (ex. status code, website content, ...).
- The original approach produces much traces (HTTP requests/responses with so many packets and DNS resolution) that interferes with the dynamic malware analysis tools causing a lot of confusion.
- In this commit, ICMP is used instead by pinging a hard-coded list of public DNS servers and to check if any of them is alive.
- The new approach ensures less traces (2 packets/request) and efficient detection (no DNS resolution is needed).
diff --git a/packages/fakenet-ng.vm/fakenet-ng.vm.nuspec b/packages/fakenet-ng.vm/fakenet-ng.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2011/08/nuspec.xsd">
   <metadata>
     <id>fakenet-ng.vm</id>
-    <version>3.3.0.20250117</version>
+    <version>3.3.0.20250128</version>
     <description>FakeNet-NG is a dynamic network analysis tool.</description>
     <authors>Mandiant</authors>
     <dependencies>
diff --git a/packages/fakenet-ng.vm/tools/chocolateyinstall.ps1 b/packages/fakenet-ng.vm/tools/chocolateyinstall.ps1
@@ -37,8 +37,8 @@ try {
 
   # Replace `default.ini` with our modified one that includes change for 'internet_detector'.
   # IMPORTANT: Keep our modified `default.ini` in-sync on updates to package.
-  $fakenetConfigDir = Get-ChildItem "C:\Tools\fakenet\*\configs"
-  Copy-Item "$packageToolDir\default.ini" -Destination $fakenetConfigDir
+  # Do not remove the version in the path to avoid replacing the config file of another version.
+  Copy-Item "$packageToolDir\default.ini" -Destination "$Env:RAW_TOOLS_DIR\fakenet\fakenet3.3\configs"
 
   # Create shortcut in Desktop to FakeNet tool directory
   $desktopShortcut  = Join-Path ${Env:UserProfile} "Desktop\fakenet_logs.lnk"
diff --git a/packages/internet_detector.vm/internet_detector.vm.nuspec b/packages/internet_detector.vm/internet_detector.vm.nuspec
@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
   <metadata>
     <id>internet_detector.vm</id>
-    <version>1.0.0.20241217</version>
+    <version>1.0.0.20250128</version>
     <authors>Elliot Chernofsky and Ana Martinez Gomez</authors>
     <description>Tool that changes the background and a taskbar icon if it detects internet connectivity</description>
     <dependencies>
diff --git a/packages/internet_detector.vm/tools/chocolateyinstall.ps1 b/packages/internet_detector.vm/tools/chocolateyinstall.ps1
@@ -11,7 +11,7 @@ New-Item -Path $toolDir -ItemType Directory -Force -ea 0
 VM-Assert-Path $toolDir
 
 # Install pyinstaller 6.11.1 (needed to build the Python executable with a version capable of executing in admin cmd) and tool dependencies ('pywin32')
-$dependencies = "pyinstaller==6.11.1,pywin32"
+$dependencies = "pyinstaller==6.11.1,pywin32==308,icmplib==3.0.4"
 VM-Pip-Install $dependencies
 
 # This wrapper is needed because PyInstaller emits an error when running as admin and this mitigates the issue.
diff --git a/packages/internet_detector.vm/tools/internet_detector.pyw b/packages/internet_detector.vm/tools/internet_detector.pyw
@@ -1,4 +1,4 @@
-# This tool checks if internet connectivity exists by reaching out to specific websites and checking if they return expected values and
+# This tool checks if internet connectivity exists by pinging some of the well-known public DNS servers
 # display the current state via changes to the background, theme, and icon in the taskbar.
 #   * It works even with a tool like FakeNet running (provided it uses the default configuration)
 # If internet is detected, the tool:
@@ -20,8 +20,7 @@ import winerror
 import winreg
 
 import threading
-import requests
-import urllib3
+import icmplib
 import signal
 import ctypes
 import time
@@ -30,12 +29,19 @@ import re
 
 # Define constants
 CHECK_INTERVAL = 2  # Seconds
-CONNECT_TEST_URL_AND_RESPONSES = {
-    "https://www.msftconnecttest.com/connecttest.txt": "Microsoft Connect Test",  # HTTPS Test #1
-    "http://www.google.com": "Google",  # HTTP Test
-    "https://www.wikipedia.com": "Wikipedia",  # HTTPS Test #2
-    "https://www.youtube.com": "YouTube",  # HTTPS Test #3
-}
+
+# - ICMP is a faster and a more-efficient way for checking the connection
+#   as it has a minimal fingerprint of 2 packets (echo/reply) per request.
+# - IP addresses are used instead of well-known websites or domains so
+#   no DNS resolution is needed.
+# - The used IP addresses are some of the largest public DNS servers to
+#   ensure zero or minimal downtime.
+TEST_IPS = [
+    "8.8.8.8",  # Google
+    "8.8.4.4",  # Google
+    "1.1.1.1",  # Cloudflare
+    "1.0.0.1"   # Cloudflare
+]
 SPI_SETDESKWALLPAPER = 20
 SPIF_UPDATEINIFILE = 0x01
 SPIF_SENDWININICHANGE = 0x02
@@ -306,12 +312,12 @@ def extract_title(data):
         return None
 
 def check_internet():
-    for url, expected_response in CONNECT_TEST_URL_AND_RESPONSES.items():
+    for ip_address in TEST_IPS:
         try:
             # Perform internet connectivity tests
-            response = requests.get(url, timeout=5, verify=False)
-            if expected_response in (extract_title(response.text) or response.text):
-                print(f"Internet connectivity detected via URL: {url}")
+            ip_host = icmplib.ping(ip_address, 1)
+            if ip_host.is_alive:
+                print(f"Internet connectivity detected via IP: {ip_address}")
                 return True
         except:
             pass
@@ -468,7 +474,6 @@ def main_loop():
 
 if __name__ == "__main__":
     signal.signal(signal.SIGINT, signal_handler)
-    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
     default_transparency = get_transparency_effects()
 
     # Try to load default settings from the registry
