Last Updated: 2007-03-04 18:44:28 UTC
by Maarten Van Horenbeeck (Version: 1)
The Internet Storm Center often reports on the use of defaced websites in malware distribution. High profile examples such as the recent Dolphin Stadium web site compromise show that web masters have every reason to be very interested in exactly what they are serving up to an ever more mobile and global audience.
Niels Provos recently released a tool, SpyBye, that allows a webmaster to perform exactly such an audit. SpyBye, of which version 0.2 was released yesterday, is a proxy server that analyzes a requested url, submits any links it finds through a rule based engine (including a list of known malicious sites) and then categorizes these in three categories: harmless, unknown or dangerous. A webmaster can install it on his local machine and then access his website to get detail on what exactly is taking place during the connection - that same webmaster, having knowledge of the expected content, will also be able to easily identify content that is suspicious, but could otherwise have been unreadable when obfuscated through some form of URI-encoding.
This new version integrates with clamav to automatically scan downloaded files, and allows you to log all requests to syslog. Provos also provides a realtime version of the proxy so you can give it a try on-line. Note that it's still best to run any assessments of potentially dangerous content from a virtual machine, as the tool will continue to feed the results of requests classified as 'harmless' or 'unknown' to your browser.