BlackHatEU : Fireshark – A tool to Link the Malicious Web
By Stephan Chenette (schenette@websense.com)
This talk is accompanied by the release of Fireshark, a Firefox plugin. It can be downloaded here: fireshark.org
Compromised legitimate websites have increased 225% in the last 12 months.
Stephan wrote the Fireshark tool to address the problem of analyzing legitimate sites that serve malware. He found that none of the tools available to date gave him the information he needed.
Most malware landing pages use exploit kits that will try around 25 exploits. These kits are highly obfuscated. Most analysis tools are well known to the bad guys, and the kits are thus protected against de-obfuscation by those tools.
What is Fireshark?
Fireshark is a Firefox plugin plus a number of post-processing scripts designed to crawl compromised sites. Because it operates inside the browser, it sidesteps many of the tricks these kits use to resist de-obfuscation.
Stephan first demoed Fireshark in single-user mode: add a list of URLs to data.txt and hit the Go button. Fireshark then visits these sites and stores all the information it gathers in your home directory.
The data generated by Fireshark is then available for inspection, parsing and presentation. Currently there are two post-processing scripts, but Stephan is open to suggestions about other post-processing scripts.
Stephan’s analysis of his Fireshark data confirms that affiliate advertising is a great place to inject malicious code, because a single injection into one of these sites affects users of multiple highly popular sites.
To illustrate the power of Fireshark, Stephan explained that he used it to analyze a number of interconnected websites serving malicious content to legitimate website users. He demonstrated that Fireshark is really useful in the analysis of these incidents.
Because Fireshark saves both the original source code and the DOM, taking them straight from Firefox, you can diff the two and see what changes the obfuscated code made to the DOM.
Most obfuscation techniques can be de-obfuscated by Fireshark because it saves the de-obfuscated code as it is passed to the JavaScript engine.
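Added example (not Fireshark's own code, whose internals the talk did not show): a Node.js sketch of the two techniques described above, hooking eval() and document.write() so the de-obfuscated payload is captured as it reaches the JavaScript engine, and then diffing the element types in the original source against the rebuilt DOM. The sample page, the payload.invalid host and the simplified DOM reconstruction are constructed for this illustration.

```javascript
// Constructed sample page: its only inline script hides a document.write() behind
// String.fromCharCode, the way exploit-kit landing pages commonly do.
const HIDDEN_PAYLOAD = 'document.write("<iframe src=\\"http://payload.invalid/\\"></iframe>")';
const ORIGINAL_SOURCE =
  '<html><body><p>Welcome</p><script>eval(String.fromCharCode(' +
  [...HIDDEN_PAYLOAD].map(c => c.charCodeAt(0)).join(',') +
  '))</script></body></html>';

// Run the page's inline scripts with eval() and document.write() instrumented,
// recording every string the script hands to the JS engine (the de-obfuscated code).
function analyzePage(source) {
  const captured = { evals: [], writes: [] };
  const realEval = globalThis.eval;
  const prevDocument = globalThis.document;
  globalThis.document = { write: s => { captured.writes.push(s); } };
  globalThis.eval = code => { captured.evals.push(code); return realEval(code); };
  try {
    for (const m of source.matchAll(/<script>([\s\S]*?)<\/script>/g)) {
      new Function(m[1])();
    }
  } finally {
    globalThis.eval = realEval;
    if (prevDocument === undefined) delete globalThis.document;
    else globalThis.document = prevDocument;
  }
  // Simplified DOM reconstruction: document.write() output lands before </body>.
  const dom = source.replace('</body>', captured.writes.join('') + '</body>');
  return { ...captured, dom };
}

// The source-vs-DOM diff: element types present after execution but absent from
// the HTML the server sent are what the obfuscated code injected.
function tagNames(html) {
  return new Set([...html.matchAll(/<([a-z][a-z0-9]*)\b/gi)].map(m => m[1].toLowerCase()));
}
function injectedTags(source, dom) {
  const before = tagNames(source);
  return [...tagNames(dom)].filter(t => !before.has(t)).sort();
}

function report(source) {
  const result = analyzePage(source);
  return { deobfuscated: result.evals, injected: injectedTags(source, result.dom), dom: result.dom };
}

console.log(JSON.stringify(report(ORIGINAL_SOURCE), null, 2));
```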
Fireshark can be configured to change parts of the browser signature such as user-agent strings.