Niels Provos

When I got home from traveling at around 3am last night, I found a box with 10 books on the table. Although, Virtual Honeypots covers primarily honeypots, it also features a small section on SpyBye that is part of a larger chapter on client honeypots. Other topics that we cover relating to this are on analyzing malware and tracking botnets. I am very pleased with the book in general and it will be interesting to see how it is going to do over the next few months.

The SpyBye source code is now available via http://code.google.com/p/spybye/. You can access it with subversion and more importantly, you can also send patches for feature improvements. In addition to that, the code hosting supports bug tracking and other nifty features. Enjoy!

SpyBye 0.3 adds an interesting twist to SpyBye. Previously, you would have to enter a URL into the form field and wait for the analysis to complete. SpyBye 0.3 adds a proxy mode in which you use SpyBye as a regular proxy for your web browsing. There is no need to enter any URLs into any form fields, instead SpyBye analyzes all downloads in the background and provides you with a warning notification whenever it encounters content that is potentially malicious. At that point, you can click on the link in the notification and receive a more detailed analysis of the web page.

The image on the left provides one such example. When you click on the link in the red warning box, you see a popup that shows all the implicit HTTP resources loaded into your browser and an analysis of the danger level. In fact, in proxy mode, you could just do all of your web browsing through SpyBye and be protected from bad content in return.

Let me know how you like it.

During HotBots last month, I presented a paper on a systematic approach for detecting malware on the web called "The Ghost In The Browser". The paper enumerates all the different ways in which a web page can become malicious and contains some measurements on the prevalance of drive-by-downloads; an in depth analysis of 4.5 million URLs detected 450,000 that were surreptitiously installing malware. All the more reason for tools such as SpyBye. Fortunately, I am not the only one working on such tools. Christian Seifert from the New Zealand Honeypot Alliance recently announced a web interface to their Capture honey client which runs a browser against URLs specified by you. In a similar vein, Shelia is a tool that scans your mail folder and follows URLs contained in it for malware and exploits.

To make the best use of SpyBye, it's important to understand how to interpret its output. Let's take a simple example of using SpyBye on http://www.honeyd.org/ - click on the image to the left to get a larger picture.

First of all we see, the main page link http://www.honeyd.org followed by HTTP/1.1 200 OK and clean. The HTTP status code tells us if the content was retrieved successfully and clean indicates that ClamAV found nothing unusual about the content. Below the main link, you see three other objects that were downloaded. SpyBye tries to organize all implict fetches in a tree so that it's easy to tell which URL was responsible for what content. The automatic downloads were the style file, the Honeyd logo and the javascript for keeping stats on site visitors. Each URL is linked and if you click on it, SpyBye shows you the HTML source code. This is sometimes useful for finding obfuscated javascript or to figure out how an exploit works. Below the URL display, you can find an iframe that shows the rendered URL.

Now, let's look at another example based on one of the reports recently submitted to SpyBye. In this case, we see that SpyBye lables the result as dangerous. That by itself is not so interesting. Let's look at the data in more detail: we see that as a result of visting the URL, four implicit HTTP fetches happen: two of them labeles as dangerous and two of them labeled as unknown.

The bottom two links are labeled as unknown. For SpyBye that means that the content comes from a third-party content provider that is unknown to SpyBye. However, the two domains are not a-priori known to be malicious and ClamAV does not find anything unusual with them either. The top two links are labeled as dangerous. One of them has been identified by ClamAV as an exploit. The other one has been labeled as dangerous because it comes from a domain known to host malicious content. You can click on the dangerous links to see their underlying source code - it's quite interesting.

Obviously, once a link from your web page has been labeled as dangerous, you know that something is likely to be wrong with your site. However, in most cases, you are just going to see a number of unknown links. As a web master, you need to look at the source of each unknown link and determine if you know why that content might be fetched from your site. If you cannot identify the reason for a particular fetch, it's likely that something is not quite right.

I hope everything is much clearer now. Let me know if you have any questions.

Another weekend, another release. Here are SpyBye 0.2 new features:

• Integration with ClamAV. In addition to applying SpyBye's heuristics for determining if a site is potentially malicious, everything now also gets scanned for malware/spyware by ClamAV.


• More consistent logging - all requests are logged to syslog now.


• Improved Javascript sanitization for those web pages that try to break out of frames.

Download SpyBye from http://www.monkey.org/~provos/spybye/.

Enjoy,
Niels.