What are the best ways to fake a web server

I always like netcat for this kind of thing. In this instance you could create a copy of the real response from the C&C server using

nc candcserver.com 80

submit the headers you want to pass on the command line, press Enter twice, save it to a text file, and then serve up the file you just created using

while true; do sudo nc -l 80 < capturedpage.txt; done

and point the app you're testing at 127.0.0.1.
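The same capture-and-replay idea in Python's standard library, as an added example that is not part of the answer above: it replays a response saved from nc to every request and, unlike the nc -l loop, also logs what the client sent. The captured response below is constructed, and the listening port (8080 by default) is an assumption.

```python
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
import sys

# Constructed sample of a response saved from `nc candcserver.com 80`;
# the server name and the body are made up for illustration.
CAPTURED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 9\r\n"
    "\r\n"
    "SLEEP 300"
)

def parse_captured(raw):
    """Split a raw HTTP response into (status_code, [(name, value)], body_bytes)."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"   # tolerate LF-only captures
    head, _, body = raw.partition(sep)
    lines = head.splitlines()
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Drop framing headers: the replay recomputes Content-Length itself.
        if name.strip().lower() in ("content-length", "transfer-encoding"):
            continue
        headers.append((name.strip(), value.strip()))
    return status, headers, body.encode()

class ReplayHandler(BaseHTTPRequestHandler):
    reply_status, reply_headers, reply_body = parse_captured(CAPTURED)

    def _replay(self):
        length = int(self.headers.get("Content-Length") or 0)
        posted = self.rfile.read(length) if length else b""
        # What the sample sends to its C&C is the interesting part: log it.
        print(f"{self.client_address[0]} {self.command} {self.path} "
              f"{dict(self.headers)} body={posted!r}", file=sys.stderr)
        self.send_response(self.reply_status)
        for name, value in self.reply_headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(self.reply_body)))
        self.end_headers()
        self.wfile.write(self.reply_body)

    do_GET = do_POST = _replay

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080   # assumed default port
    # Point the sample (or a hosts-file entry for the C&C name) at 127.0.0.1:<port>.
    ThreadingHTTPServer(("127.0.0.1", port), ReplayHandler).serve_forever()
```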


There might be some products which are capable of doing this, but I've written a similar proxy myself where I wanted to serve local content rather than remote for some URIs.

Here is a modification of my code written in Python. It is based on the Twisted library, so you might want to get it from here.

It will match URLs with the netloc part equal to "security.stackexchange.com" and replace it with "www.xkcd.org".

I hope you are familiar with Python, so you can add more functionality to this code. It should be easy to add logging, dynamically rewrite URIs and such.

Also, if you want to modify content in-transit from the malware and the C&C, take a look at my contribution for a content rewriting proxy: https://stackoverflow.com/questions/6491932/need-help-writing-a-twisted-proxy/6521024#6521024

from twisted.web import proxy, http
from twisted.internet import reactor

# Python 3 location of urlparse/urlunparse (the original used Python 2's `urlparse` module).
from urllib.parse import urlparse, urlunparse

# Twisted hands request URIs around as bytes, so the netlocs are bytes too.
fakeweb_netloc = b"www.xkcd.org"
cc_netloc = b"security.stackexchange.com"

class ProxyRequest(proxy.ProxyRequest):
    def process(self):
        # Rewrite the host part of the requested URL, then let Twisted forward the request.
        res = urlparse(self.uri)
        netloc = res.netloc
        print(self.uri)

        if netloc == cc_netloc:
            netloc = fakeweb_netloc
        self.uri = urlunparse((res.scheme, netloc, res.path, res.params, res.query, res.fragment))

        proxy.ProxyRequest.process(self)

class MyProxy(http.HTTPChannel):
    requestFactory = ProxyRequest

class ProxyFactory(http.HTTPFactory):
    protocol = MyProxy

if __name__ == "__main__":
    factory = ProxyFactory()
    reactor.listenTCP(8080, factory)
    reactor.run()

Consider looking at Meddler:

Meddler is an HTTP(S) Generation tool based around a simple but powerful JScript.NET event-based scripting subsystem.

This is from the excellent Fiddler family of HTTP proxy tools.