Internet Connectivity Check

Malware probes real outbound connectivity and bails when it hits the fake or filtered internet that analysis sandboxes commonly simulate.

Many sandboxes either cut internet access entirely or fake it with a simulated network (INetSim, FakeNet) that answers every request with a canned reply. Malware exploits both extremes: it expects real, selective connectivity, so a sandbox that offers either "no internet" or "internet for everything" looks wrong.

A connectivity probe is a cheap, low-signal gate. If the world looks fake, the sample sleeps, exits, or withholds its real payload — denying the analyst the behaviour they were hoping to capture.

How it works

A common pattern requests a well-known, high-reputation URL and validates the response. A page that should not exist returning 200, or a request to a random non-existent domain succeeding, both reveal a fake-internet sandbox.

```c
#include <winsock2.h>   // gethostbyname; must be included before windows.h
#include <windows.h>
#include <wininet.h>    // InternetCheckConnectionA, FLAG_ICC_FORCE_CONNECTION
#pragma comment(lib, "wininet.lib")
#pragma comment(lib, "ws2_32.lib")

// Expect a REAL connection to a known host, and a FAKE host to fail.
if (!InternetCheckConnectionA("http://www.microsoft.com",
                              FLAG_ICC_FORCE_CONNECTION, 0)) {
    no_internet();            // isolated sandbox -> bail
}

// FakeNet/INetSim answer everything: a junk domain should NOT resolve.
// (Winsock must already be initialised with WSAStartup, otherwise the lookup fails silently.)
struct hostent *he = gethostbyname("thisdomaindoesnotexist-xz9q.test");
if (he != NULL) {
    fake_internet_detected(); // every lookup "works" -> sandbox
}
```

On Linux the same logic uses getaddrinfo plus an ordinary socket connect(), often to a hard-coded IP, checking that an unroutable or bogus host genuinely fails to connect.

```c
#include <netdb.h>
#include <sys/socket.h>

struct addrinfo hints = { .ai_family = AF_INET, .ai_socktype = SOCK_STREAM }, *res;
// A literal IP always "resolves"; the real tell is connect() succeeding to an unroutable TEST-NET host.
if (getaddrinfo("203.0.113.250", "80", &hints, &res) == 0) {
    int s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (s >= 0 && connect(s, res->ai_addr, res->ai_addrlen) == 0)
        fake_internet_detected(); // TEST-NET address reachable -> sandbox
    freeaddrinfo(res);
}
```

Detection & analysis

Static analysis: Look for InternetCheckConnection, InternetOpenUrl, WinHttpConnect, gethostbyname/getaddrinfo, or socket APIs targeting well-known domains alongside obviously bogus hostnames. Hard-coded reputable URLs paired with random-looking domains are a hallmark of this check.

Dynamic analysis: Watch DNS and HTTP traffic in your sandbox. If the sample probes a junk domain and exits when it resolves, your fake-internet layer is too permissive — make non-existent hosts fail (NXDOMAIN) while whitelisting the specific C2 lookups you want to observe. Tune INetSim/FakeNet to mimic selective real-world connectivity.

Detection rule hint: Alert when a process performs an early reachability probe — especially mixing a known-good URL with a clearly non-existent domain — and then branches to Sleep/ExitProcess based on the result.
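The rule hint above, as an added example written for this page (not code from the original entry): a small detector run over constructed sandbox event lines that flags a process which probes a bogus host and then sleeps or exits within a few seconds, noting whether it also probed a reputable host. It assumes a simplified `<seconds> <pid> <event> <target>` log format, an allowlist of reputable hosts, and the RFC 2606 reserved TLDs plus RFC 5737 TEST-NET ranges as the "bogus" signals; it goes beyond the two snippets above by also catching the Linux TEST-NET connect variant.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sandbox event lines (not real telemetry): "<seconds> <pid> <event> <target>".
SAMPLE_LOG = """\
0.10 4120 dns www.microsoft.com
0.15 4120 dns thisdomaindoesnotexist-xz9q.test
0.20 4120 exit 0
0.30 5004 dns www.microsoft.com
0.35 5004 dns update.example.org
9.00 5004 http GET http://update.example.org/check
1.00 6110 connect 203.0.113.250:80
1.05 6110 sleep 600000
"""

REPUTABLE = {"www.microsoft.com", "www.google.com", "www.bing.com"}  # assumed allowlist
RESERVED_TLDS = (".test", ".invalid", ".example", ".localhost")       # RFC 2606
TEST_NETS = [ipaddress.ip_network(n)                                  # RFC 5737
             for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

def looks_bogus(target: str) -> bool:
    """Reserved TLD, TEST-NET literal, or a long label mixing letters and digits.
    Assumes IPv4 'host' or 'host:port' targets."""
    host = target.split(":")[0].lower()
    try:
        return any(ipaddress.ip_address(host) in net for net in TEST_NETS)
    except ValueError:
        pass  # not an IP literal: fall through to hostname heuristics
    if host.endswith(RESERVED_TLDS):
        return True
    label = host.split(".")[0]
    return len(label) >= 10 and bool(re.search(r"[a-z]", label)) and bool(re.search(r"\d", label))

def detect(log: str, window: float = 5.0) -> dict:
    """Map pid -> details for processes that sleep/exit within `window` seconds
    of probing a bogus host; also records whether a reputable host was probed."""
    events = defaultdict(list)
    for line in log.splitlines():
        t, pid, ev, target = line.split(maxsplit=3)
        events[int(pid)].append((float(t), ev, target))
    hits = {}
    for pid, evs in events.items():
        probes = [(t, tg) for t, ev, tg in evs if ev in ("dns", "connect")]
        bogus = [(t, tg) for t, tg in probes if looks_bogus(tg)]
        gates = [t for t, ev, _ in evs if ev in ("exit", "sleep")]
        if bogus and gates and 0 <= gates[0] - bogus[0][0] <= window:
            hits[pid] = {"bogus": [tg for _, tg in bogus],
                         "paired_with_reputable": any(tg in REPUTABLE for _, tg in probes)}
    return hits
```

Process 5004 resolves only plausible hosts and keeps running, so it is not flagged; 4120 (Windows pattern) and 6110 (Linux TEST-NET pattern) are.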
