Who installed Fireshark plug-in for Fx or flock?

Hi malware fighters,

A brand new Firefox plug-in to detect malicious and hacked websites is Fireshark. Introduction here:
http://fireshark.org/
Re: http://www.computerworlduk.com/technology/security-products/prevention/news/index.cfm?RSS&newsid=19855
Introduction by the developer Stephan Chenette: http://www.blackhat.com/html/bh-eu-10/bh-eu-10-briefings.html#Chenette
Seems a good additional plug-in next to NS, RP and the avast shields to know where you should not navigate; Fireshark runs in a Virtual Environment to prevent infection,

polonus

Once again, thanks for posting, polonus…!! :slight_smile:
Another article on that:
http://www.pcworld.com/businesscenter/article/194314/fireshark_plugin_decodes_the_malicious_web.html
Haven’t tried it yet, maybe next week - but sounds promising.
asyn

interesting thanks :wink:

threat has been detected ;D

:smiley: same here ;D

Hi Logos,

Checked your link at novirusthanks.org, only avast flags this with GData, same engine.
Here it is seen as benign: http://wepawet.iseclab.org/view.php?hash=26ae43dc19eef09dc3a1a75278d3e7a0&t=1271420469&type=js
Well this could be the obfuscation flagged, wait until the plug-in is added to the official Mozilla add-on site, I guess then avast won’t any longer flag it. Re:
http://www.threatexpert.com/report.aspx?md5=418277ea6771c886e0bb8a3d9cd591c2

Just wait and see. I am on a machine without avast at the mo, because my XP at home is being checked for hardware problems.
So I did not have it flagged actually here. Unmasked parasites gives it clean, with two hidden links:
hidden blog comments powered by Disqus - htx://disqus.com
hidden comments powered by Disqus. - htx://disqus.com/?ref_noscript=fireshark
disqus.com had suspicious content on 2010-03-08 and infected 2 domains, e.g. 1000dollars.com/, gscaderry.com/. So the developer should start with the links at his own website,

polonus

thanks for checking :wink:

Are you saying that Fireshark runs by itself in Virtual Environment?

From the article, “… Fireshark must be run in a virtual machine in order to prevent an infection. …”

Hence by the way I read the article, in order to use Fireshark to prevent an infection, one needs to be using a virtual system setup, or even just running Fx in a sandbox?

that’s also what I understood… I can’t see how an extension could generate by itself a virtual environment when the OS and/or the browser are run normally. I’m not even sure that Fireshark is meant at all to protect from malicious stuff: it sounds more like it’s a tool to analyse web sites content and detect malicious stuff, hence the need to run the whole in a virtual environment.

Hello sir pol,

Read about fireshark on twitter last day… Well, avast! did detect it as a threat. I guess it’s an FP. Let’s wait and see what happens. Someone should have already reported.

Thanks
nmb

Hi nmb,

These tools can be found online like mentioned in this listing: http://isc.sans.org/diary.html?storyid=6679
When you use the tools like malzilla or jsunpack mind you run them in a virtualized environment, with just mere restricted user rights, with protection from NoScript, RequestPolicy extensions etc. WepaWet, unmasked parasites, novirusthanks.org and Norton Safe Web can be visited just online to check URLs. The other analyzing tools are meant for users that know what they are doing, because if the malware spills over you may have a problem. Mind that sandboxed environments are no complete safeguard. Fireshark just comes in this range of tools and the findings can be analyzed for instance in Malzilla. I use unmasked parasites for a quick and dirty and some iFrame analyzing scanner as a second pre-check. Mind that the tools come with overlapping results, no one scanner finds all malicious code added, and Norton Safe Web only reports for sites checked.
Small initial parts of the malcode found (rendered harmless) could be googled to find a general pattern or the line of malware it belongs to or gives an indication with a description of the exploit used about the general infection vector, so we get a better insight in the various ways a gigantic amount of normal reputed trusted sites are being abused by malcreants. Try this interesting site:
http://www.greymagic.com/security/tools/decoder/

polonus

Hello sir pol,

Well, yes. I do use malzilla. I was using it in a virtual machine till now… Now I am having some problems working with vmware in windows 7. Hopefully back… up soon… Generally unmaskparasites misses out… Nothing gets past malzilla, because we can see all the source there. I have been using it for almost 1 year… very good tool.

and btw, thanks for greymagic…

nmb

Hi nmb,

The strength of your detection is combining info from various scanners. As you stated here not one scanner gets it all, detection of all existing malicious or suspicious sites. So combine the data of various scanning methods - unmasked parasites, and sitetruth, up to date online block lists, firekeeper rules, iFrame analyzers and online frame checking sites, de-obfuscation sites and search tools and in such a way you will have a growing hunch as to where and what to look for in these respects,

polonus
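The "combine several scanners, but count avast and GData as one engine" idea from this thread, written up as an added example (not code from any poster or from Fireshark). Scanner names, engine mapping, verdict labels and the consensus rule are constructed assumptions for illustration.

```python
"""Merge verdicts from several URL scanners into one view, as the thread
advises: no single scanner finds everything, and two products that share one
engine (avast and GData here) must count as one independent detection.
All scanner names, engine names and verdicts are constructed sample data."""

# Constructed sample: which detection engine each scanner actually uses.
# avast and GData share an engine (per the thread); the rest are assumed distinct.
ENGINE_OF = {
    "avast": "avast-engine",
    "gdata": "avast-engine",
    "wepawet": "wepawet",
    "unmask_parasites": "unmask_parasites",
    "norton_safe_web": "norton",
}


def independent_detections(verdicts):
    """Return the set of engines that flagged the URL, collapsing scanners
    that share an engine so a vendor rebrand is not counted twice.
    verdicts: dict scanner -> 'malicious' | 'suspicious' | 'clean' | 'not_checked'
    """
    flagged = set()
    for scanner, verdict in verdicts.items():
        if verdict in ("malicious", "suspicious"):
            flagged.add(ENGINE_OF.get(scanner, scanner))
    return flagged


def classify(verdicts):
    """Consensus rule for this example (an assumption, not any vendor's logic):
    - no engine flags it: 'clean-so-far' (Norton-style 'not checked' is not 'clean')
    - one engine flags it and the sandbox analyser (wepawet) says clean:
      'possible false positive, review' (the obfuscation-only case in the thread)
    - two or more independent engines flag it: 'likely malicious'
    """
    flagged = independent_detections(verdicts)
    checked = [s for s, v in verdicts.items() if v != "not_checked"]
    if not flagged:
        return "clean-so-far" if checked else "unknown"
    if len(flagged) == 1 and verdicts.get("wepawet") == "clean":
        return "possible false positive, review"
    return "likely malicious" if len(flagged) >= 2 else "suspicious, single engine"
```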