Installing and using Fireshark

Use Fireshark to get under the hood of infected Web sites and analyze what they do to unprotected computers.

Have you ever wanted to point your browser at a known or suspected malware-infected site to capture and analyze how it works, without paying for or writing a solution yourself?  A new open source Firefox extension now makes this possible.

What is Fireshark?

Fireshark consists of a Firefox extension and a set of scripts.  The scripts, written in Perl, help analyze Fireshark's output files.

Running the extension creates a set of files containing everything you want to know about a target page.  The files include:

  • HTML source
  • Images
  • Scripts that ran when a page opened
  • Analysis of what a page did on your test box

Getting started

Installing Fireshark is easy once you work through a couple of snags.  The only issue I have with this product is the lack of documentation.  Documentation was promised in April, but it still hasn't appeared, so resolving my installation issues required a Google search and some forum surfing.

I started by creating a test environment.  Because I wanted Fireshark to see all the bad stuff and experience all the pain inflicted by the target sites, I used Oracle's VirtualBox to create an Ubuntu Linux virtual machine (VM).  The VM was clear of any anti-malware software.  I also reconfigured my OpenDNS settings so DNS filtering wouldn't prevent access to the target sites.

Fireshark also runs on Windows; I tested it on Windows 7 running in a VMware VM as well.

Installing the Fireshark extension was easy.  I opened Firefox, navigated to Fireshark.org, and clicked the download link.  A restart of Firefox was required.

I was almost ready.  The final step was providing Fireshark with a list of target sites.  I created a list of potentially malicious sites, shown in Figure 1, in a text file named data.txt, one URL per line.  On my Linux VM, I placed the file in my user home directory, /home/tolzak.  (In Windows 7, I had to place it in \users\Tom Olzak.)  I used the same data.txt for both the Linux and the Windows tests.  If you don't place data.txt in your user home directory, Fireshark can't find it.

Figure 1: Data.txt from Windows 7 Test


Running Fireshark

I was now ready.  I ran Fireshark by loading Firefox and clicking Go! in the Tools menu (see Figure 2).  All I had to do then was sit and watch Firefox open each site listed in data.txt.  One caveat: if you want to look at all the pages at a site, you may have to enter every page URL.  I couldn't find any way to have Fireshark drill down into a target site.

Figure 2: Launching Fireshark

Once the list of target sites was exhausted, a long list of output files waited for me in my home directory.  See Figure 3.  Files with names beginning with "dom" contain the HTML for each target page.  Those beginning with "src" contain the scripts that ran, or tried to run, when the page was opened.  The "img" files contain screenshots of the target sites.  The file "reportlog.yml" is a machine-readable version of the log, intended for developers to feed into other analysis applications.

Figure 3: Fireshark Output in Linux

Finally, "reportlog.txt" tracks activities during page access.  Figure 4 shows a sample of its content, and Figure 5 shows reportlog.yml content.  To analyze the output log, Fireshark.org provides three Perl scripts.  The scripts are downloaded separately from the extension, and they require a Perl YAML module.

Figure 4: Reportlog.txt Content


Figure 5: Reportlog.yml Content

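Reading every dom and src file by hand gets old after a dozen sites.  The following triage script is an added example, not Fireshark's own code or one of its Perl scripts; it assumes only what is stated above, namely that each page's HTML lands in a file whose name begins with "dom" and its scripts in a file whose name begins with "src", all in one directory.  The indicator list (eval, unescape, String.fromCharCode, document.write, zero-size or hidden iframes, long hex or percent-encoded blobs) is my own choice of first-pass signals for drive-by landing pages, and the sample files it scans are constructed here, not real captures.

```python
"""Triage helper for a directory of Fireshark output files.

Added example: not part of Fireshark. Assumes the article's naming scheme
(HTML in files starting with "dom", scripts in files starting with "src").
"""
import os
import re
import tempfile
from collections import Counter

# Indicators commonly seen in drive-by landing-page scripts. This list is an
# assumption for first-pass triage; a hit is a lead to inspect, not a verdict.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write(?:ln)?\s*\("),
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    # 16+ consecutive \xNN or %NN bytes: typical of unescape()-style payloads
    "encoded_blob": re.compile(r"(?:\\x[0-9a-f]{2}){16,}|(?:%[0-9a-f]{2}){16,}", re.I),
}


def score_text(text):
    """Count indicator hits in one file's contents; empty Counter if none."""
    hits = Counter()
    for name, rx in INDICATORS.items():
        n = len(rx.findall(text))
        if n:
            hits[name] = n
    return hits


def triage_directory(outdir):
    """Scan dom*/src* files in outdir; return {filename: Counter} for files with hits."""
    results = {}
    for fname in sorted(os.listdir(outdir)):
        if not fname.startswith(("dom", "src")):
            continue
        path = os.path.join(outdir, fname)
        if not os.path.isfile(path):
            continue
        # Captured pages are often not valid UTF-8; replace rather than crash.
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = score_text(fh.read())
        if hits:
            results[fname] = hits
    return results


def rank(results):
    """Order (filename, hits) pairs by total hits, most suspicious first."""
    return sorted(results.items(), key=lambda kv: -sum(kv[1].values()))


# Constructed sample files that imitate the naming scheme; not real captures.
SAMPLES = {
    "dom_benign.html": "<html><body><p>Hello</p><script src='app.js'></script></body></html>",
    "dom_hidden_iframe.html": (
        "<html><body>news"
        "<iframe src='http://example.invalid/x' width=0 height=0 style='display:none'></iframe>"
        "</body></html>"),
    "src_obfuscated.js": (
        "var p='" + "%6a" * 20 + "';\n"
        "eval(unescape(p));\n"
        "document.write(String.fromCharCode(60,105,102,114,97,109,101,62));\n"),
}


def build_sample_output(outdir):
    """Write the constructed samples into outdir."""
    for name, body in SAMPLES.items():
        with open(os.path.join(outdir, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Write the samples to a temp directory, triage it, return the ranked result."""
    with tempfile.TemporaryDirectory() as outdir:
        build_sample_output(outdir)
        ranked = rank(triage_directory(outdir))
    return ranked


if __name__ == "__main__":
    # Point triage_directory() at your home directory to run it on real output.
    for fname, hits in demo():
        print(f"{fname}: {dict(hits)}")
```

On the constructed samples the obfuscated script ranks first with five distinct indicators, the page with the zero-size hidden iframe second, and the benign page is not listed at all.  Run it against a real output directory by calling triage_directory() on your home directory, then open the top-ranked src files and the matching dom files by hand; the script only tells you where to look first.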
The final word

This seems like a great product for anyone who wants to analyze a specific page or to populate a honeypot from a set of known malicious sites.  Fireshark is not intended for anyone who just wants to "play around" with a cool analysis tool on his or her primary system, the clean one meant for sensitive everyday tasks.

Before using Fireshark, be sure to turn off all protection for your test platform or VM, including all security features in Firefox.  Several times during the initial test run, Firefox blocked pop-ups and other activities it saw as unsafe, which defeats the purpose of running this utility.  Because the VM is meant to get infected, take a snapshot before the run and keep the VM off your production network, so you can roll it back and nothing it picks up can reach anything that matters.

Finally, I wish the product gave me a little more control over where I can place the output files.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

8 comments
john barker

Great if you can find out how to just install it without all that work. I'm not a big fan of VMware and I am lazy. There are few clean sites among the porn and free sites; I stay away. I don't know why people do it, viruses and malware.

pspomer

I've used XenoCrawler (another free solution) to point at malware infected sites and malicious code to capture and analyze how it works.

abiemann

I get quite a few emails from Chinese spammers who try to infect users with keyloggers for the purpose of stealing passwords such as email, gaming, and banking. Here's the ones I got since the 5th of May. It should be interesting to see what exploits the Chinese get up to : EDIT: I broke the links so that someone doesn't accidentally click them. Just remove the space between "ht" and "tp" ;-) ht tp://us.bauttle.net/login/login.html?app=wam&ref=https://www.worldofwarcraft.com/account/ ht tp://us.bciite.net/login/login.htm?ref=https://www.worldofwarcraft.com/account/&app=wam&rhtml=true ht tp://www.wow-blizzard-account-management.com/login/login.asp?ref=https://www.worldofwarcraft.com/account/&app=wam Be sure to only use these URLs for the purpose of investigation.

Haas

Great find Tom, I have been using Sandboxie and it has been great to analyze infected sites and when using infected downloads as well. This is what they have as a statement about Sandboxie on their site: "Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. " This extension will be useful when I am not at my Sandboxie machine. Hope this helps someone who is looking for an alternative. Thank you for sharing.

JCitizen

I may be using this some day soon! Right now, I just run a honey pot to make sure my defenses work. Lately I seem to be getting embroiled more and more in fighting web crime; so I may need to change my lab. This looks like one of the top tools I may need in my kit!

bboyd

Have you seen any other similar extensions you have tried?

abiemann

this is another phishing email I received today (I already forwarded it to APWG), but feel free to study the exploit. (I broke the URL again so that you don't accidentally click it. Just remove the space) ht tp://www.worldofwarcraft-security-billing.com/account/index.html and another: ht tp://blizzard123.idc177.com/

bboyd

Could induce some pain with a stray click.