SpyBye - Finding Malware
Wednesday, March 7. 2007
Niels Provos has released version 0.2 of SpyBye, a tool for checking URLs while browsing. From the website: "It functions as an HTTP proxy server and intercepts all browser requests. SpyBye uses a few simple rules to determine if embedded links on your web page are harmless, unknown or maybe even dangerous."
You can download SpyBye from http://www.monkey.org/~provos/spybye/. You also need the latest version of libevent. The usual configure && make && sudo make install installs the software. Afterwards, just start SpyBye and you should see output similar to the following listing:
$ ./spybye
SpyBye 0.2 starting up ...
Report sharing enabled.
Making connection to www.monkey.org:80 for /~provos/good_patterns
Received 529 bytes from http://www.monkey.org/~provos/good_patterns
Added 30 good patterns
Making connection to www.monkey.org:80 for /~provos/bad_patterns
Received 2893 bytes from http://www.monkey.org/~provos/bad_patterns
Added 180 bad patterns
Reading previous state from spybye.log
... read 1 messages
Starting web server on port 8080
Configure your browser to use this server as proxy.
SpyBye loads pattern files with known good and bad patterns and then starts a web server on TCP port 8080. You have to configure your browser to use 127.0.0.1 on port 8080 as proxy. Alternatively, you can configure your browser to use www.spybye.org:8080 as proxy - this has the advantage that you do not have to install additional software on your machine. SpyBye then checks the URLs you visit and reports any suspicious activity it finds. For example reports of malicious URLs, take a look at the recent reports. Quite a useful tool, check it out!
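To illustrate the three-way classification of embedded links described above, here is a small sketch added to this post; it is not SpyBye's code. The regex pattern format, the rule that same-host links count as harmless, the rule that bad patterns take precedence, and all hostnames are assumptions made for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample patterns (assumption: regexes matched against host + path).
GOOD_PATTERNS = [r"^static\.example-cdn\.test/"]
BAD_PATTERNS = [r"^[^/]+\.bad-ads\.test/", r"/exploit\.js$"]

class LinkCollector(HTMLParser):
    """Collects the URLs a browser would fetch automatically for a page."""
    EMBED_ATTRS = {("script", "src"), ("iframe", "src"), ("img", "src"),
                   ("link", "href"), ("embed", "src"), ("object", "data")}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in self.EMBED_ATTRS:
                self.urls.append(urljoin(self.base_url, value))

def classify(url, page_host):
    """Return 'harmless', 'unknown' or 'dangerous' for one embedded URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    target = host + (parts.path or "/")
    # Bad patterns are checked first, so a trusted or same-site host
    # cannot mask a known-bad path.
    if any(re.search(p, target) for p in BAD_PATTERNS):
        return "dangerous"
    if host == page_host or any(re.search(p, target) for p in GOOD_PATTERNS):
        return "harmless"
    return "unknown"

def scan_page(page_url, html):
    """Classify every embedded link found in html, as served from page_url."""
    collector = LinkCollector(page_url)
    collector.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    return {u: classify(u, page_host) for u in collector.urls}

# Constructed sample page, not taken from a real site.
SAMPLE_HTML = """<html><head><script src="/js/site.js"></script></head>
<body><img src="http://static.example-cdn.test/logo.png">
<iframe src="http://tracker.bad-ads.test/frame.html"></iframe>
<script src="http://widgets.unknown-host.test/w.js"></script></body></html>"""
```

Calling scan_page("http://blog.example.net/post", SAMPLE_HTML) returns one verdict per embedded URL; the "unknown" entries are the ones worth reviewing by hand.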


