It's a shampoo world anyway
 
Monday, 19 February 2007


LocalRodeo - Client-side protection against JavaScript Malware
After contributing to show how to break things, it is about time to start fixing things: Justus Winter and I are happy to present the first (beta) version of LocalRodeo, a Firefox extension that aims to protect against attacks which lately have been summarized under the term JavaScript Malware.

LocalRodeo specifically counters two attack vectors:

  • Intranet Exploration (i.e. JavaScript portscanning and fingerprinting): The extension classifies every network location as either local or external, with local locations being part of the intranet. All HTTP requests that have an external origin (i.e. were generated within the execution context of an external webpage) and a local target (i.e. an intranet resource) are canceled by LocalRodeo.
  • Anti DNS-Pinning: LocalRodeo detects this attack method by monitoring DNS answers. The switch of a given domain from external to local (or vice versa) is a clear indication of an anti-pinning attack. If such a switch is detected, all further requests from or to the malicious domain are prohibited.
If you feel like it, please take the extension for a test drive and let us know if anything goes wrong. Enjoy.

Due to problems at my provider, the LocalRodeo webpage can't be reached temporarily. I hope that problem will be solved in the next hours. Here is a replacement site. (problem solved)
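The two checks described in this post, sketched as an added example that is not LocalRodeo's own code: address classification, the external-to-local rule, and the DNS class-switch rule. The class and function names, the choice of IPv4 ranges treated as local, and the sample hosts are assumptions made for illustration.

```javascript
// Added illustration, not LocalRodeo's source; all names are hypothetical.
// Assumption: "local" = RFC 1918, loopback and link-local IPv4 blocks.
const LOCAL_V4 = [['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
                  ['127.0.0.0', 8], ['169.254.0.0', 16]];
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  const ok = parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!ok) throw new Error('not an IPv4 address: ' + ip);
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}
function isLocal(ip) {
  const n = ipv4ToInt(ip);
  return LOCAL_V4.some(([base, bits]) =>
    n >= ipv4ToInt(base) && n < ipv4ToInt(base) + 2 ** (32 - bits));
}

class RequestPolicy {
  constructor() {
    this.seen = new Map();    // host -> 'local' | 'external' (first class observed)
    this.blocked = new Set(); // hosts whose DNS answers switched class
  }
  // Call for every DNS answer; a host that changes class stays blocked.
  observeDns(host, ips) {
    for (const ip of ips) {
      const cls = isLocal(ip) ? 'local' : 'external';
      const prev = this.seen.get(host);
      if (prev === undefined) this.seen.set(host, cls);
      else if (prev !== cls) this.blocked.add(host);
    }
  }
  // Decide on a request made by a page from originHost to targetHost.
  decide(originHost, targetHost) {
    if (this.blocked.has(originHost) || this.blocked.has(targetHost)) return 'cancel: dns switch';
    const external = this.seen.get(originHost) === 'external';
    const local = this.seen.get(targetHost) === 'local';
    return external && local ? 'cancel: external to local' : 'allow';
  }
}

// Constructed sample traffic (documentation addresses, made-up hostnames).
function demo() {
  const p = new RequestPolicy();
  p.observeDns('news.example', ['203.0.113.10']);
  p.observeDns('192.168.1.1', ['192.168.1.1']); // IP literal classifies as itself
  p.observeDns('rebind.example', ['198.51.100.7']);
  const first = p.decide('news.example', '192.168.1.1');
  p.observeDns('rebind.example', ['192.168.1.1']); // later answer turns local
  return [first, p.decide('rebind.example', 'news.example')];
}
```

In this sketch a host with no observed DNS answer is unclassified and its requests are allowed; a stricter policy would hold such requests until the host has been classified.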

... Comment

Any Logs? Problem with webmail.
If your plugin is activated, Firefox just hangs using googlemail or Lotus Notes webmail.

... Link

Hmmm, my test installations have no problems with googlemail. Maybe an unsuspected incompatibility with another extension? Which version of Firefox do you use? And do you have other extensions installed? Concerning logs: Start your Firefox from the command line. The extension dumps some information to stdout.

... link


... Comment
Slow
When I installed the extension my browsing speed slowed to a crawl. Most sites would take about 1-2 minutes to render/load; the external files like CSS, images etc. were taking the longest. Disabling the extension brought me back up to speed.

... Link

Some slowdowns were expected, as now every outgoing HTTP request is intercepted and examined. But a slowdown to the extent you describe has not been experienced during our tests. Please tell us more about your setup (Firefox version, installed extensions, OS, computer and internet speed). I uploaded an updated version of the extension (0.8.1.1) that should provide some minor speedups and we are actively looking for the bottleneck now.

... link

Internet : ADSL 6mbit
Computer Hardware :
1.8Ghz Intel Pentium 4
1GB RAM
Operating System: Windows XP Pro
Firefox 2.0.0.2pre (2007021603)

- Adblock Plus 0.7.2.4
adblockplus.org
- Adblock Plus: Element Hiding Helper 1.0.1
adblockplus.org
- BlockSite 0.5.2
- BugMeNot 1.3
roachfiend.com
- Cert Viewer Plus 1.1
(Disabled)
addons.mozilla.org
- CookieSafe 2.0.6
forum.softwareblaze.com
- Copy Plain Text 0.3.3
mozmonkey.com
- DownThemAll! 0.9.9.7
www.downthemall.net
- Extension List Dumper 1.8.0
sogame.awardspace.com
- Fire Encrypter 3.0
www.jungsonnstudios.com
- Fizzle 0.5
www.andyfrank.com
- Flashblock 1.5.2
flashblock.mozdev.org
- FormFox 1.6
www.marblehead.com
- Greasemonkey 0.6.7.20070131.0
greasemonkey.mozdev.org
- Header Spy 1.1
(Disabled)
tntlab.com
- httpOnly 0.5
(Disabled)
www.hardened-php.net
- IDND 1.4
lingvo.org
- Image Zoom 0.2.7
imagezoom.yellowgorilla.net
- jsLib Lite 0.1.347
jslib.mozdev.org
- Live HTTP Headers 0.13.1
livehttpheaders.mozdev.org
- LocalRodeo for Firefox 0.8.1.1
(Disabled)
databasement.net
- Master Password Timeout 0.2.5
(Disabled)
www.jetr.com
- Menu Editor 1.2.3
menueditor.mozdev.org
- Nightly Tester Tools 1.2.1
users.blueprintit.co.uk
- NoScript 1.1.4.5.061221
noscript.net
- OpenDownload 1.0.0
mozmonkey.com
- Password Exporter 1.0.6
passwordexporter.fligtar.com
- Redirect Remover 2.1
akaxeen.tyllo.de
- RefControl 0.8.9
www.stardrifter.org
- SafeCache 0.9
www.safecache.com
- SafeDownload 1.0
(Disabled)
forum.softwareblaze.com
- SafeHistory 0.8
www.safehistory.com
- ShowIP 0.8.03
l4x.org
- TargetAlert 0.8.9.8
www.bolinfest.com
- User Agent Switcher 0.6.9
chrispederick.com

Your newer version did help out by a noticeable amount but still the slow page load is occurring. One more thing I have noticed with my settings, not sure... but images seem to redownload. For instance, if I have blah.png 50 times on a page it will download it 50 times instead of 1 time and calling the other 49 from cache. My cache is on but it still occurs. Maybe that's the cause of the LocalRodeo slowdown for me, since it's having to process each request. The page I have been using to test it out was weather.com for my city. The page loads extremely slowly and doesn't fully load for quite some time. Disabling LocalRodeo, the page loads in about 2-4 secs. Still, if someone visited a forum and there were dozens of unique images for signatures etc., LocalRodeo would have the same dilemma if that is the cause of the slowdown. Good luck on finding the bottleneck and if you need any more info I shall provide it as best I can.

... link


... Comment
Thanks, & Chink in the Armor?
I just wanted to thank you for writing the Local Rodeo Firefox extension, and to urge you to improve and release it to the Firefox community at large. I think the work you're doing is important, especially as damn little security software is addressing this particular malware menace right now!

I use ZoneAlarm Pro to enforce "threshold control" on outgoing internet requests. A few days ago I noticed that after booting Firefox it was throwing up a new verification popup once every couple of minutes, always pointed at a new IP address. If I denied any of these requests Firefox would come to a grinding halt. To be repeatedly prompted to validate a back channel I didn't approve of was driving me nuts. I had to do something.

I started by collecting WHOIS reports on the addresses involved, hoping to understand who might be behind the phenom. But the companies involved didn't seem to have anything in common. I then ran Firefox in "safe" mode thinking one of the extensions might be the cause. Nada! So I proceeded to run various malware scanners including NOD32, F-Prot, Spyware Doctor, Trojan Hunter, etc. Bupkus! I noticed Opera wasn't having the same problem, and started thinking about moving to it, or de/reinstalling Firefox. But one of my searches turned up a page which mentioned "DNS Pinning" and that instantly struck me as relevant. A Google search on "DNS Pinning" & "Firefox" quickly led me to your LocalRodeo page, and that's what fixed this problem.

So thank you!

Btw, I see what looks like a possible "chink in the armor" which might be used to defeat LocalRodeo. The extension seems to work because ZoneAlarm is no longer popping up every two minutes to connect me to a corporate site I have no interest in. But I'm still being prompted once when I first start Firefox. So the code behind this exploit seems to be able to run once when Firefox boots. If that's true, it may also be possible for it to disable LocalRodeo before it has a chance to take hold.

... Link


... Comment

 
last updated: 2005-01-26 15:02
about:
the shampoo world is
the personal weblog of Martin Johns.
