Saturday, May 12, 2007

SpyBye

Thanks to Adli, who told me about SpyBye (a malware-hunting proxy) developed by Niels Provos (the Honeyd guy), which you can find here -

http://www.spybye.org/
Getting it installed is pretty straightforward. I just ran it for the first time (I always run a new command line tool with -h first; habit sometimes kills :P) -

shell>./spybye -h
./spybye: invalid option -- h
./spybye: [-P] [-p port] [-g good] [-b bad]
-P disable private IP check; allows the proxy to fetch 127/8
-g good_patterns a file or url containing the good patterns
-b bad_patterns a file or url containing the danger patterns
for documentation of all options consult the man page

Starting it up -

shell>/usr/local/stow/spybye-0.2/bin $ ./spybye

SpyBye 0.2 starting up ...
LibClamAV Warning: **************************************************
LibClamAV Warning: *** The virus database is older than 7 days. ***
LibClamAV Warning: *** Please update it IMMEDIATELY! ***
LibClamAV Warning: **************************************************
Loaded 108322 signatures
Virus scanning enabled
Report sharing enabled.
Making connection to www.monkey.org:80 for /~provos/good_patterns
Received 529 bytes from http://www.monkey.org/~provos/good_patterns
Added 30 good patterns
Making connection to www.monkey.org:80 for /~provos/bad_patterns
Received 3332 bytes from http://www.monkey.org/~provos/bad_patterns
Added 205 bad patterns
Starting web server on port 8080
Configure your browser to use this server as proxy.

I configured my browser manually to point to the local proxy (you can do it easily with SwitchProxy on Firefox) and started browsing the milw0rm site -

Making connection to 213.150.45.196:80
Received request for http://spybye.org/results/?url=http://www.milw0rm.com
Received request for http://spybye.org/styles/css
Caching 37418 bytes for http://www.milw0rm.com (unknown)
Virus scanned 37418 bytes; result: clean
Received request for http://spybye.org/results/?url=http://www.milw0rm.com
Received request for http://www.milw0rm.com/milw0rm.css (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 213.150.45.196:80
Received request for http://spybye.org/styles/css
Caching 2348 bytes for http://www.milw0rm.com/milw0rm.css (harmless)
Virus scanned 2348 bytes; result: clean
Received request for http://www.milw0rm.com/images/dot.gif (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 213.150.45.196:80
Received request for http://www.milw0rm.com/images/milw0rm-wi.jpg (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 213.150.45.196:80
Received request for http://ypn-js.overture.com/partner/js/ypn.js (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 72.30.33.29:80
Caching 804 bytes for http://www.milw0rm.com/images/dot.gif (harmless)
Virus scanned 804 bytes; result: clean
Caching 7038 bytes for http://ypn-js.overture.com/partner/js/ypn.js (unknown)
Received request for http://spybye.org/results/?url=http://www.milw0rm.com
Received request for http://spybye.org/styles/css
Virus scanned 7038 bytes; result: clean
Received request for http://ypn-js.overture.com/d/search/p/ypn/jsads/?Partner=9308575640&adwd=468&adht=60&ctxtUrl=http%3A//spybye.org/%3Furl%3Dwww.milw0rm.com&bg=000000&bc=000000&cc=141414&lc=00c000&tc=FFFFFF&uc=00c000&du=1&cb=1177662499468 (http://www.milw0rm.com/) from 127.0.0.1
Making connection to 72.30.33.29:80
Caching 2713 bytes for http://ypn-js.overture.com/d/search/p/ypn/jsads/?Partner=9308575640&adwd=468&adht=60&ctxtUrl=http%3A//spybye.org/%3Furl%3Dwww.milw0rm.com&bg=000000&bc=000000&cc=141414&lc=00c000&tc=FFFFFF&uc=00c000&du=1&cb=1177662499468 (unknown)
Virus scanned 2713 bytes; result: clean
Expiring dns entry for ypn-js.overture.com
Received request for http://spybye.org/results/?url=http://www.milw0rm.com
Received request for http://spybye.org/styles/css
Caching 44225 bytes for http://www.milw0rm.com/images/milw0rm-wi.jpg (harmless)
Virus scanned 44225 bytes; result: clean

Interesting that it is reported as clean, but relying on ClamAV is actually not a perfect solution; it is, however, the only open source antivirus software available. I have many malware samples collected from my nepenthes honeypot that it does not seem able to recognize as malware. Anyway, SpyBye is a pretty interesting piece of software and you should use it if you suspect that your site contains malware. It can be used as a quick examination tool.
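As an added example (not part of the original post, and not SpyBye's own code), here is a small Python parser for the log format SpyBye printed above: it pairs each "Caching ... (class)" line with its "Virus scanned" verdict and lists the resources a reviewer would look at first, i.e. anything not classed harmless, not scanned clean, or served from a host other than the site being examined. The embedded log lines are constructed from the capture above.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the format SpyBye printed above (not a full capture).
SAMPLE_LOG = """\
Received request for http://www.milw0rm.com/milw0rm.css (http://www.milw0rm.com/) from 127.0.0.1
Caching 37418 bytes for http://www.milw0rm.com (unknown)
Virus scanned 37418 bytes; result: clean
Caching 2348 bytes for http://www.milw0rm.com/milw0rm.css (harmless)
Virus scanned 2348 bytes; result: clean
Received request for http://ypn-js.overture.com/partner/js/ypn.js (http://www.milw0rm.com/) from 127.0.0.1
Caching 7038 bytes for http://ypn-js.overture.com/partner/js/ypn.js (unknown)
Virus scanned 7038 bytes; result: clean
"""

REQ_RE = re.compile(r"^Received request for (\S+) \((\S+)\) from \S+$")
CACHE_RE = re.compile(r"^Caching (\d+) bytes for (\S+) \((\w+)\)$")
SCAN_RE = re.compile(r"^Virus scanned (\d+) bytes; result: (\w+)$")


def parse_spybye_log(text):
    """Map each cached URL to size, pattern class, referer and scan verdict.

    'Virus scanned' lines name no URL, so each is paired with the oldest
    cached entry of the same byte size that still lacks a verdict.
    """
    resources, referers, pending = {}, {}, {}  # pending: size -> URLs
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            referers[m.group(1)] = m.group(2)
        elif m := CACHE_RE.match(line):
            size, url, cls = int(m.group(1)), m.group(2), m.group(3)
            resources[url] = {"bytes": size, "class": cls, "scan": None,
                              "referer": referers.get(url)}
            pending.setdefault(size, []).append(url)
        elif m := SCAN_RE.match(line):
            size, verdict = int(m.group(1)), m.group(2)
            if pending.get(size):
                resources[pending[size].pop(0)]["scan"] = verdict
    return resources


def review(resources, site):
    """URLs worth a closer look: not classed 'harmless', not scanned 'clean',
    or served from a host other than the site under examination."""
    host = urlparse(site).hostname
    return sorted(url for url, r in resources.items()
                  if r["class"] != "harmless" or r["scan"] != "clean"
                  or urlparse(url).hostname != host)
```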

If you are interested in what Niels has done, including his other contributions, check out -

http://www.citi.umich.edu/u/provos/

Enjoy ;]
