< "Shelia: A Client-side Honeypot for Attack Detection" | RAID'07 deadline extension >

SpyBye - Finding Malware

Niels Provos has released version 0.2 of SpyBye, a tool for checking URLs while browsing. From the website: "It functions as an HTTP proxy server and intercepts all browser requests. SpyBye uses a few simple rules to determine if embedded links on your web page are harmlesss, unknown or maybe even dangerous"

You can download SpyBye from http://www.monkey.org/~provos/spybye/. Moreover, you also need the latest version of libevent. With the help of the usual configure && make && sudo make install you can install the software. Afterwards you just start SpyBye and you should see an output similar to the following listing:
$ ./spybye
SpyBye 0.2 starting up ...
Report sharing enabled.
Making connection to www.monkey.org:80 for /~provos/good_patterns
Received 529 bytes from http://www.monkey.org/~provos/good_patterns
Added 30 good patterns
Making connection to www.monkey.org:80 for /~provos/bad_patterns
Received 2893 bytes from http://www.monkey.org/~provos/bad_patterns
Added 180 bad patterns
Reading previous state from spybye.log
... read 1 messages
Starting web server on port 8080
Configure your browser to use this server as proxy.

Spybye loads pattern files with known good and bad patterns and then starts a web server on TCP port 8080. You have to configure your browser to use 127.0.0.1 on port 8000 as proxy. Alternatively, you can also use configure your browser to use www.spybye.org:8080 as proxy - this has the advantage that you do not have to install additional software on your machine. SpyBye then checks the URLs you visit and reports every suspicious activities it finds. For example reports of malicious URLs, you can take a look at recent reports. Quite a useful tool, check it out!
This entry was posted by Thorsten Holz on Wednesday, March 7. 2007 at 13:25. and is filed under malware. You can leave a response, or trackback from your own blog. All new comments are subject to moderation before being displayed.

Trackbacks

Trackback specific URI for this entry

    No Trackbacks

Comments

Display comments as (Linear | Threaded)

    No comments


Add Comment


Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
Submitted comments will be subject to moderation before being displayed.