Thursday, November 27, 2008

Risk Impact High

Symantec yesterday (11-26-2008) identified a new strain of adware bearing a risk impact of high. Adware.OneStep targets the Firefox browser ( It embeds search results from with hidden advertisements that use size zero iframe tags.

An examination of reveals additional cause for concern. The proprietor of is Navigation Catalyst Systems, Inc.; the firm was sued by Verizon on April 15th. In that lawsuit,
"Verizon California Inc., Verizon Trademark Services LLC and Verizon Licensing Company alleged that Defendants Navigation Catalyst Systems Inc. and Basic Fusion Inc. have used an automated process to register and use over three million domain names, many of which are confusingly similar to famous or distinctive trademarks owned by others."(
The mass registration of typosquatting domains is a tactic often practiced by the Russian Business Network.

McAfee's Site Advisor service ties to ("When we visited this site, we found that it appears to have a business relationship with, a known provider of adware, spyware or other potentially unwanted programs."). Indeed, shares both its IP address and name server with Other domains at IP address include a variety of sociopathic porn sites (,, etc.), hacker redirect sites (, typosquatter domains (, disreputable medical products and unsafe download sites (, etc.). is also present; waria is a trojan egg dropper which targets Linux and Unix systems. Also, corrupt DNS entries are deliberately employed by; the reverse DNS entry for,, is not whoisable, and no exists.

It is adviseable that you block the IP addresses as well as, the domain names associated with DNS blocking is useful as malware domains often change IP addresses, as their owners seek to avoid IP blocking.  - - - - - - and lurk within AS40634, and you may be able to block this entire route (, which appears to be rife with the worst malice.

Tuesday, November 11, 2008

Malware Domain IP Address Migration Rates

Building the Case for Black Hole DNS
by James McQuaid

In measuring the frequency with which malware domains changed IP addresses, I had two goals. One was to quantify enemy tactics, and the other was to evaluate the effectiveness of the tools we employ against them.

After stateful packet inspection, IP address blocking is the most commonly utilized method of securing the perimeter through filtering. Overreliance on IP address blocking has been criticized as inadequate (, and numerous analysts have suggested that it should be utilized in conjunction with Black Hole DNS (BHDNS) ( This may seem to be self-evident, but little data has been available regarding its comparative effectiveness.

I examined malware domains active between October 10th and November 10th 2008, and found that as the

life of a malware domain progressed, it was increasingly likely to have its IP address changed. This is the likely result of cybercriminals attempting to evade IP address blocking.

After 7 days, 80% of malware domains retained their initial IP address. 10% were no longer resolving, and 10% of the domains had undergone an IP address change.

After 15 days, 56% of malware domains retained their initial IP address. 21% of malware domains were no longer resolving, and 23% of the domains had undergone an IP address change.

At 30 days, 50% of malware domains retained their initial IP address. 7% of the domains were no longer resolving, and 42% of malware domains had undergone an IP address change.

Malware Domain IP Address Migration Rates

The data indicate that a network administrator who implements IP address blocking on a 30-day update cycle is facing up to a 42% failure rate in the effectiveness of the perimeter filtering policy. The data also imply that the RBN and other malware operators have a strategy of changing the IP address of malware domains in order to evade IP address blocking.

Snort Inline offers administrators exponentially greater levels of network protection, providing
substantial protection against advanced threats including fast flux malware networks. provides the most comprehensive set of open source Snort signatures which are
effective in real-time (

Black Hole DNS (filtering traffic by domain name) provides an effective, inexpensive and widely
available method of significantly improving the effectiveness of perimeter firewall filtering policy.

BHDNS is available in conventional DNS as well as, in widely deployed home and small business firewalls (such as Smoothwall and IPCop).

You can easily implement BHDNS in conventional DNS. provides complete instructions and domain blacklist files. I maintain a ready-to-go solution for Smoothwall at (