SpyBye - Finding Malware
SpyBye requires the latest version of libevent

What is SpyBye?

SpyBye is a tool to help web masters determine if their web pages are hosting browser exploits that can infect visiting users with malware. It functions as an HTTP proxy server and intercepts all browser requests. SpyBye uses a few simple rules to determine if embedded links on your web page are harmlesss, unknown or maybe even dangerous.

Why did you write SpyBye?

It has become increasingly common for web sites to get compromised. This can happen either due to vulnerable web applications that you run or due to compromised servers via vectors completely out of your control. Nonetheless, it is important for web masters to be able to tell if their pages are dangerous to their users. SpyBye provides a very simple mechanism to determine how a site works on the HTTP level. This often gives us clues about potentially dangerous content. I hope that SpyBye can be of use to anyone who wants to verify if their web site could be compromised and dangerous.

The unoffical explanation is that I needed some code to test libevent's HTTP layer; writing a proxy exercises most of the code paths.

How does SpyBye work?

SpyBye operates as a proxy server and gets to see all the web fetches that your browser makes. It applies very simple rules to each URL that is fetched as a result of loading a web page. These rules allows us to classify a URL into three categories: harmless, unknown or dangerous. Although, there is great margin of error, the categories allow a web master to look at the URLs and determine if they should be there or not. If you see that a URL is being fetched that you would not expect, it's a good indication you have been copromised.


SpyBye does not protect you from getting exploited yourself. It tries to take reasonable precautions to avoid infection while using it. However, ideally, you would run your browser in a virtual machine and revert to a clean snapshot when done. You have been warned. Today's malware is capable of rendering your computer unusable - and empty your bank accounts! This software is my own work as an individual and not associated with or endorsed by Google or the StopBadware project. This software is provided by the author ``as is'' and any express or implied warranties, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall the author be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

 Happpy Hacking 
 Keep me happy while
 hacking on SpyBye. 
 Reduce my wishlist! 


Visit www.spybye.org for documentation on installation and everything else.


SpyBye 0.1 has been released under a 4-clause BSD license. SpyBye 0.2 and above have been released under the GPL.


Many thanks to Dean McNamee and Panayiotis Mavrommatis for helping with the patterns.


Niels Provos
Last modified: Mon Feb 19 19:06:05 PST 2007
  You can keep me happy while hacking by reducing my Wishlists.