Archive for July, 2009

Joanna Rutkowska of Blue Pill virtualization-based rootkit fame says, among many other interesting/controversial things, that she relies on NoScript for her e-shopping hygiene.
The full 9-page (ouch!) interview is being commented on at Slashdot right now.

In the past few hours I've received many reports from users of the popular free avast! antivirus, who were abruptly prevented from using FlashGot because its FlashGot.exe component was mistakenly detected as "Win32:Trojan-gen {Other}", a generic identifier usually associated with false positives.

FlashGot.exe is digitally signed by InformAction Soc. Coop. and has been unchanged for some months, so if you installed it from AMO or from the FlashGot web site, which both serve downloads through secure connections, you can be sure it's not a virus.

If you're in this situation, first of all please report the file as a false positive to the avast! guys, pressuring them to adjust their flawed virus database.
Then, while you're waiting for their updated definitions, you can add an exception in order to keep FlashGot working:

  1. Right click on the avast! tray icon
  2. Select Program Settings
  3. Select Exclusions and push the "Add" button
  4. Type the following path mask:
    %APPDATA%\Mozilla\Firefox\Profiles\*\FlashGot.exe
  5. Push "OK"

Happy downloads!

Update 21:48 UTC

They fixed it, just update your avast! virus definitions.

Many people use their hosts file for resource-blocking purposes, especially against ads or known malicious sites.

Since your hosts file takes precedence over your DNS in domain name resolution, you can redirect undesired domains to invalid IP addresses, saving both bandwidth and CPU because the resolved IPs are cached locally and no DNS lookup is ever made.

Unluckily, most information sources about this useful technique, including the Wikipedia article above, instruct the reader to use 127.0.0.1 (the local loopback IP) as the dead-end destination, rather than a truly invalid address such as 255.255.255.0. This is not very smart, especially if you installed a web server on the loopback interface (like many web developers do), because you're spamming it with dummy requests whenever you browse an ad-laden web site.

Furthermore, I'm currently receiving several reports about ABE warnings popping up everywhere. If you read my post about ABE yesterday, you know that it ships with a built-in "SYSTEM" ruleset containing just one rule, which alone implements the whole LocalRodeo functionality:

  # Prevent Internet sites from requesting LAN resources.
  Site LOCAL
  Accept from LOCAL
  Deny

Such a rule blocks any HTTP request for resources placed in your local network, including localhost (127.0.0.1) and any other LAN IP, unless it originates from your local network as well. This protects your internal servers and devices (e.g. routers and firewalls exposing web interfaces) against CSRF and XSS attacks performed from the internet.

As a side effect, though, if you're redirecting arbitrary hosts to 127.0.0.1, you'll get bombed by a storm of ABE warnings whenever those sites are linked from external web sites. The solution is simple: just open your hosts file and replace 127.0.0.1 with 255.255.255.0 everywhere it's used to block something, being careful to keep 127.0.0.1 on the localhost entry and on other really local domains, if any.
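As an added example (not part of the original post or of NoScript), here is a small Python script that applies the rewrite described above to a hosts file: 127.0.0.1 is swapped for 255.255.255.0 on blocking lines, while lines naming localhost are left alone, and a helper lists the names that would still trigger the SYSTEM rule. The set of names treated as local and the sample hosts text are assumptions constructed for illustration.

```python
"""Rewrite a hosts file so blocking entries no longer point at the loopback.

Example code added to this post, not part of NoScript or the original text.
"""

LOOPBACK = "127.0.0.1"
SINK = "255.255.255.0"          # dead-end address suggested in the post

# Assumption: these names must keep resolving to the loopback; anything else
# listed on a 127.0.0.1 line is treated as a blocking entry. Adjust as needed.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file (not a real one).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example.net   # tracker
127.0.0.1       banners.example.org
192.168.1.1     router.lan
"""

def _loopback_names(line, local_names):
    """Return the hostnames of a 127.0.0.1 line that has no local name on it,
    or an empty list for comments, blank lines, other addresses and lines
    that mention a genuinely local name."""
    fields = line.partition("#")[0].split()
    if len(fields) < 2 or fields[0] != LOOPBACK:
        return []
    names = fields[1:]
    if any(n.lower() in local_names for n in names):
        return []
    return names

def rewrite_line(line, local_names=LOCAL_NAMES, sink=SINK):
    """Swap the address on a blocking line for the sink, keeping spacing and
    trailing comments; every other line passes through unchanged."""
    if not _loopback_names(line, local_names):
        return line
    code, sep, comment = line.partition("#")
    return code.replace(LOOPBACK, sink, 1) + sep + comment

def rewrite_hosts(text, local_names=LOCAL_NAMES, sink=SINK):
    return "".join(rewrite_line(l, local_names, sink)
                   for l in text.splitlines(keepends=True))

def loopback_blocking_entries(text, local_names=LOCAL_NAMES):
    """Names still pointed at 127.0.0.1 without being local: each one would
    raise an ABE SYSTEM warning when an internet page links to it."""
    found = []
    for line in text.splitlines():
        found.extend(_loopback_names(line, local_names))
    return found

if __name__ == "__main__":
    print(rewrite_hosts(SAMPLE_HOSTS), end="")
```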

Update:

NoScript 1.9.5.5 beta automatically suppresses notifications for the commonest case covered here (HTTP requests for a domain name resolving to 127.0.0.1 on the default port), and also introduces an option to disable all ABE notifications.
