Minesweeper scans websites to detect drive-by malware.
Install
Test
How it works
Questions
This guide is for Ubuntu Server 14.04 LTS "Trusty Tahr", non-root user with sudo privilege.
Add a user to run minesweeper
sudo adduser --system minesweeper
Install phantomjs
sudo apt-get install phantomjs
Grab a Google API key, you'll need it soon
https://developers.google.com/safe-browsing/lookup_guide#GettingStarted
Download
wget https://github.com/Shopify/minesweeper/releases/download/0.3.1/minesweeper-0.3.1-linux-amd64.tar.gz
Extract and cd
tar xzf minesweeper-0.3.1-linux-amd64.tar.gz
cd minesweeper-0.3.1-linux-amd64
Install binary
sudo cp minesweeper /usr/local/bin/
Add Google API key to upstart script
vim minesweeper.conf
> env MINESWEEPER_GOOGLE_API_KEY=your_google_api_key
Install upstart script
sudo cp minesweeper.conf /etc/init/
Start minesweeper
sudo service minesweeper start
Minesweeper should now be listening on 127.0.0.1:6463
, logging to /var/log/minesweeper.log
.
Install nginx as a reverse proxy so that we don't have to run minesweeper as root
sudo apt-get install nginx
Configure nginx to proxy requests to minesweeper
sudo vim /etc/nginx/sites-enabled/default
> server_name your_ip_or_hostname
>
> location / {
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $remote_addr;
> proxy_set_header Host $host;
> proxy_pass http://127.0.0.1:6463;
> }
Restart nginx
sudo service nginx restart
$ curl http://localhost/scan?url=ianfette.org
{
"Verdict": "suspicious",
"Report": {
"Id": "",
"Url": "http://ianfette.org",
"Verdict": "suspicious",
"CreatedAt": "Tue Dec 23 19:16:27 UTC 2014",
"Resources": [
{
"Method": "GET",
"Url": "http://ianfette.org/",
"Status": 200,
"ContentType": "text/html",
"ContentLength": 43
}
],
"Changes": null,
"Hits": [
{
"BlacklistName": "google",
"Url": "http://ianfette.org/",
"Domain": "ianfette.org",
"Type": "malware",
"Ref": "https://developers.google.com/safe-browsing/developers_guide_v3"
}
]
}
}
Minesweeper will scan a URL, perform a security analysis and say it's suspicious
or ok
.
A suspicious
verdict means that a module has produced a positive (blacklist) hit
.
Currently, there are 2 modules: malwaredomains
, google
.
Minesweeper scans websites using PhantomJS
- It records:
- HTTP requests for resources such as Javascript and CSS files
- URL, Method, Status, Content-Type
- Javascript calls to
document.write()
- The HTML to be written is recorded
- A stack trace is captured to attribute this back to an exact line in the source!
- Javascript DOMSubtreeModified Mutation Events where the target is either
HTMLScriptElement
orHTMLIFrameElement
- The outer HTML of the modification is recorded
- HTTP requests for resources such as Javascript and CSS files
It also checks all URLs browsed against domain blacklists
- Currently, there are 2 blacklists:
google
- Google Safe Browsing Lookup APImalwaredomains
- malwaredomains.com
It produces a JSON report
- If there are Blacklist hits, the website is deemed
suspicious
, otherwise it'sok
.
Don't suffer, just ask! falsenegative