Skip to content

Running your own instance of SpyBye

The simplest way to get exposure to SpyBye is to configure your browser to use as proxy. However, this is likely to be slow as your are sharing the proxy with other users and are constrained by the limited bandwidth in my closet. You can now download the SpyBye software yourself from and run it on your own servers.

For detailed installation instructions, please consult the following article. Hopefully, there is enough information there, to get you up and running in a matter of minutes.

Happy Hunting.

Categories: SpyBye

SpyBye launches

SpyBye is a tool to help web masters determine if their web pages are hosting browser exploits that can infect visiting users with malware. It functions as an HTTP proxy server and intercepts all browser requests. SpyBye uses a few simple rules to determine if embedded links on your web page are harmlesss, unknown or maybe even dangerous.

To try SpyBye, configure your browser to use as proxy server and then go visit

How does SpyBye work? SpyBye operates as a proxy server and gets to see all the web fetches that your browser makes. It applies very simple rules to each URL that is fetched as a result of loading a web page. These rules allows us to classify a URL into three categories: harmless, unknown or dangerous. Although, there is great margin of error, the categories allow a web master to look at the URLs and determine if they should be there or not. If you see that a URL is being fetched that you would not expect, it's a good indication you have been copromised.

Why did you write SpyBye? It has become increasingly common for web sites to get compromised. This can happen either due to vulnerable web applications that you run or due to compromised servers via vectors completely out of your control. Nonetheless, it is important for web masters to be able to tell if their pages are dangerous to their users. SpyBye provides a very simple mechanism to determine how a site works on the HTTP level. This often gives us clues about potentially dangerous content. I hope that SpyBye can be of use to anyone who wants to verify if their web site could be compromised and dangerous. The unoffical explanation is that I needed some code to test libevent's HTTP layer; writing a proxy exercises most of the code paths.

In a couple of days, SpyBye is going to be released as Open Source package, so that you can run your own proxy and check your pages.

Disclaimer SpyBye does not protect you from getting exploited yourself. It tries to take reasonable precautions to avoid infection while using it. However, ideally, you would run your browser in a virtual machine and revert to a clean snapshot when done. You have been warned. Today's malware is capable of rendering your computer unusable - and empty your bank accounts!
Categories: SpyBye

Local Privilege Escalation

Chris Evans from Google Security discovered an integer overflow in the Systrace kernel code. If an adversary can open "/dev/systrace", the bug can be leveraged to gain root access. Both OpenBSD and NetBSD current have been patched. Please, update your systems.
Categories: Systrace

Breaker!! 17 years ago...

I was going to do some late night hacking but then I found this. My first game. I wrote this in 1989 for the Amiga. I feared that this great work(!) might have been forever lost but I just found a copy of it on some warez server. The games comes with a level editor. I was esp. proud of the level editor because I used run-length encoding to compress the levels. The editor supported up to 1,000.
Categories: Hacking
Defined tags for this entry: , ,

Hacking Too Much

Been travelling and working too much on other stuff lately to make much progress with Systrace. The ptrace version works reliably enough on Linux without the kernel patch. Although, it sometimes still leaves zombie processes behind which is kind of annoying. Performance without kernel patch takes a 100% hit, too. Marius has promised to revamp the kernel patches and make them more Linux friendly. Maybe, we will be able to get them into mainline Linux then. Stay tuned.
Categories: Hacking

Systrace 1.6d

This new release of Systrace adds translations for a number of new system calls and should also take care of zombies accumulating for users of the Linux ptrace backend. Systrace now allows waitpid to execute in more cases which should hopefully reap the reparented children. Download it here. A debian package is available, too.
Categories: Systrace