Have you ever wanted to point your browser at a known or suspected malware infected site to capture and analyze how it works?  And do this without paying for or writing a solution?  A new open source Firefox extension, now makes this possible.

What is Fireshark?

Fireshark consists of a Firefox extension and a set of scripts.  The scripts, written in Perl, help analyze Fireshark’s output files.

Running the extension creates a set of files containing everything you want to know about a target page.  The files include:

  • HTML source
  • Images
  • Scripts that ran when a page opened
  • Analysis of what a page did on your test box

Getting started

Installing Fireshark is easy, once you work through a couple of snags.  The only issue I have with this product is the lack of documentation.  Documentation was promised in April, but it still hasn’t appeared.  So my installation issues required a Google search and some forum surfing.

I started by creating a test environment. Because I wanted Fireshark to see all the bad stuff and experience all the pain inflicted by the target sites, I used Oracle’s VirtualBox to create an Unbuntu Linux virtual machine (VM). The VM was clear of any anti-malware software.  I also reconfigured my OpenDNS settings so DNS filtering wouldn’t prevent access to the target sites.

For the record, Fireshark also runs in Windows.  I also tested it using Windows 7 running in a VMware VM.

Installing the Fireshark extension was easy.  I opened Firefox, navigated to Fireshark.org, and clicked the download link.  A reset of Firefox was required.

I was almost ready.  The final step was providing Fireshark with a list of target sites.  I created a list of potentially malicious sites, shown in Figure 1, in a text file (data.txt). On my Linux VM, I placed the file in my user home directory, /home/tolzak.   (In Windows 7, I had to place the file in \users\Tom Olzak.)  I used the same list of files for both the Linux and the Windows tests.  If you don’t place the data.txt files in your user home directory, Fileshark can’t find them.

Click to enlarge.

Running Fireshark

I was now ready.  I ran Fireshark by loading Firefox and clicking Go! in the Tools menu (see Figure 2).  All I had to do then was sit and watch Firefox open each site listed in data.txt. One caveat… if you want to look at all the the pages at a site, you may have to enter all the page URLs.  I couldn’t find any way to have Fireshark drill down into a target site.

Once the list of target files was exhausted, a long list of output files waited for me in my home directory.  See Figure 3.  The files with names beginning with “dom” contain the HTML for each target page.  Those beginning with “src” contain scripts that tried to or did run when the page was opened.  The file “reportlog.yml” is an interface file.  The intent is to provide this to developers to use in other analysis applications.  The “img” files contain images of the target sites.

Finally, “reportlog.txt” tracks activities during page access. Figure 4 shows a sample of its content. Figure 5 shows reportlog.yml content. To analyze the output log, Fireshark.org provides three Perl scripts. The scripts are downloaded separately from the extension, and they require YAML.

Click to enlarge.
Click to enlarge.

The final word

This seems like a great product for anyone who wants to analyze a specific page or to populate a honeypot from a set of known malicious sites. Fireshark is not intended for anyone who just wants to “play around” with a cool analysis tool in his or her primary system. You know, the clean one meant for sensitive everyday tasks.

Before using Fireshark, be sure to turn off all protection for your test platform or VM, including all security features in Firefox. Several times during the initial test run, Firefox blocked pop-ups and other activities it saw as unsafe. This defeats the purpose of running this utility.

Finally, I wish the product gave me a little more control over where I can place the output files.