The open source Fireshark tool, released under a GPL V3 license, analyzes executable code as it runs in the Firefox browser, and identifies websites that redirect the browser to other destinations. It then creates a map of those redirections, which can provide clues to the sources of attacks.
Although the plug-in won't stop a machine from being infected by a malicious website – it would have to be run in a virtual machine to be safe – it can nevertheless be used as an investigation tool to create a network of linked websites delivering malware.
The tool could be particularly useful for tracing the origins of attacks delivered using online advertising networks. Several incidents have occurred in which advertising banners on websites have been used to serve up malicious content, effectively turning the legitimate sites into conduits for drive-by download attacks.
Because advertising syndication networks serve up content from a variety of different third parties through these advertising banners, if someone is able to introduce optimized content into the syndication network, they can infect large numbers of sites in short order. These infections often point back to malicious servers hosting malware. A tool such as this would help researchers to understand how such sites were linked.
Fireshark collects the data in a file that can then be analyzed by other security tools. All of the data is held locally, and Chenette has made several scripting tools available to help interested parties process the results.