Remote control: FireShark discovered that some content on the site howtofindmyIP.com comes from dubious sites hosted in Ukraine.
The researchers at Websense plan to release a plug-in for the Firefox browser that will reveal the content hubs that a site is linked to.
“The interesting thing about all of this is when attackers are using, say, DoubleClick as the vector of attack,” says Tom Pinckney, cofounder of the Web security firm SiteAdvisor, which was bought by McAfee in 2006, and who is now vice president of engineering for the recommendation site Hunch. “For many attacks, someone buys the content on the ad network, but the guy who is actually supplying the content on the page – God knows who that is.”
SiteAdvisor offers a plug-in that provides a service similar to what FireShark offers. McAfee used a data center full of virtual PCs to troll the Web for malicious sites, evaluating links and submitting unique e-mail addresses that are then monitored for spam.
Maxim Weinstein, executive director of StopBadware, a nonprofit organization that helps create lists of malicious websites, says FireShark could be an interesting tool for researchers. The caveat, he says, is that anomalous behavior is not always malicious. “The patterns that look bad are often good things – just anomalous,” he says.
Tracking the way sites are connected over time could also help identify malicious changes to sites, Chenette says. He adds that the FireShark browser plug-in may eventually let users feed information about the sites they visit back to Websense.