What is SpyBye?
SpyBye is a tool to help
web masters determine if their web pages are hosting browser exploits
that can infect visiting users with malware. It functions as an HTTP
proxy server and intercepts all browser requests. SpyBye uses a few
simple rules to determine if embedded links on your web page are
harmless, unknown or maybe even dangerous.
Why did you write SpyBye?
It has become increasingly common for web sites to get
compromised. This can happen either due to vulnerable web
applications that you run or due to compromised servers via vectors
completely out of your control. Nonetheless, it is important for web
masters to be able to tell if their pages are dangerous to their
users. SpyBye provides a very simple mechanism to determine how a
site works on the HTTP level. This often gives us clues about
potentially dangerous content. I hope that SpyBye can be of use to
anyone who wants to verify if their web site could be compromised and
dangerous.
The unofficial explanation is that I needed some code
to test libevent's
HTTP layer; writing a proxy exercises most of the code
paths.
How does SpyBye work?
SpyBye operates as a proxy
server and gets to see all the web fetches that your browser makes.
It applies very simple rules to each URL that is fetched as a result
of loading a web page. These rules allow us to classify a URL into
three categories: harmless, unknown or dangerous. Although there is a
great margin of error, the categories allow a web master to look at
the URLs and determine if they should be there or not. If you see that
a URL is being fetched that you would not expect, it's a good
indication you have been compromised.
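To make the classification step concrete, here is an added example of the kind of rule-based triage a proxy in SpyBye's position can apply to the URLs a page load triggers. This is illustrative code written for this page, not SpyBye's own source; the specific rules (same-site is harmless, a known-good host list, a known-bad host list, everything else unknown), the host lists and the sample URLs are all assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample input: the page being audited and the URLs its load
# triggered, as a proxy sitting between browser and network would see them.
AUDITED_PAGE = "http://www.example.com/index.html"
FETCHED_URLS = [
    "http://www.example.com/index.html",
    "http://www.example.com/style.css",
    "http://static.example.com/logo.png",
    "http://cdn.trusted-cdn.example/jquery.js",
    "http://203.0.113.7/counter.php",
    "http://lookalike.example.net/x.js",
]

# Hypothetical allow/deny lists. SpyBye's real rules are not described on
# this page; these exist only to show the three-way classification.
KNOWN_GOOD_HOSTS = {"cdn.trusted-cdn.example"}
KNOWN_BAD_HOSTS = {"lookalike.example.net"}


def is_ip_literal(host):
    """True if the host part is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """Crude 'last two labels' heuristic (no public suffix list), so
    www.example.com and static.example.com count as the same site."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(url, page_url):
    """Return 'harmless', 'unknown' or 'dangerous' for one fetched URL.
    Deny list wins over everything; then allow list; then same-site;
    IP-literal hosts are never treated as same-site."""
    host = (urlparse(url).hostname or "").lower()
    page_host = (urlparse(page_url).hostname or "").lower()
    if host in KNOWN_BAD_HOSTS:
        return "dangerous"
    if host in KNOWN_GOOD_HOSTS:
        return "harmless"
    if not is_ip_literal(host) and not is_ip_literal(page_host) \
            and registrable_domain(host) == registrable_domain(page_host):
        return "harmless"
    return "unknown"


def audit(page_url, fetched_urls):
    """Group every fetched URL under its category so a web master can scan
    the 'unknown' and 'dangerous' buckets for URLs that should not be there."""
    report = {"harmless": [], "unknown": [], "dangerous": []}
    for url in fetched_urls:
        report[classify(url, page_url)].append(url)
    return report


if __name__ == "__main__":
    for category, urls in audit(AUDITED_PAGE, FETCHED_URLS).items():
        print(category.upper())
        for u in urls:
            print("  ", u)
```

The unknown bucket is where the review effort goes: a first-party page that suddenly pulls a script from a bare IP address or from a host the web master does not recognize is exactly the "URL you would not expect" signal described above, even though the rule engine itself has no way to prove the content is malicious.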
Disclaimer
SpyBye
does not protect you from getting exploited yourself. It tries to take
reasonable precautions to avoid infection while using it. However,
ideally, you would run your browser in a virtual machine and revert to
a clean snapshot when done. You have been warned. Today's malware is
capable of rendering your computer unusable - and emptying your bank
accounts! This software is my own work as
an individual and not associated with or endorsed by Google or the
StopBadware project. This software is provided by
the author "as is" and any express or implied warranties, including,
but not limited to, the implied warranties of merchantability and
fitness for a particular purpose are disclaimed. In no event shall the
author be liable for any direct, indirect, incidental, special,
exemplary, or consequential damages (including, but not limited to,
procurement of substitute goods or services; loss of use, data, or
profits; or business interruption) however caused and on any theory of
liability, whether in contract, strict liability, or tort (including
negligence or otherwise) arising in any way out of the use of this
software, even if advised of the possibility of such
damage.