Thursday, November 27, 2008

Risk Impact High

Symantec yesterday (11-26-2008) identified a new strain of adware with a risk impact of high. Adware.OneStep targets the Firefox browser (http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-112613-5052-99&tabid=2). It embeds search results from onestepsearch.net with hidden advertisements loaded in zero-size iframe tags.

An examination of onestepsearch.net reveals additional cause for concern. The proprietor of onestepsearch.net is Navigation Catalyst Systems, Inc.; the firm was sued by Verizon on April 15th. In that lawsuit,
"Verizon California Inc., Verizon Trademark Services LLC and Verizon Licensing Company alleged that Defendants Navigation Catalyst Systems Inc. and Basic Fusion Inc. have used an automated process to register and use over three million domain names, many of which are confusingly similar to famous or distinctive trademarks owned by others."(http://news.justia.com/cases/featured/california/cacdce/2:2008cv02463/413394/)
The mass registration of typosquatting domains is a tactic often practiced by the Russian Business Network.

McAfee's Site Advisor service ties navigationcatalyst.com to qsrch.com ("When we visited this site, we found that it appears to have a business relationship with New.net, a known provider of adware, spyware or other potentially unwanted programs."). Indeed, onestepsearch.net shares both its IP address and name server with qsrch.com. Other domains at IP address 208.87.149.250 include a variety of sociopathic porn sites (teenagefucksluts.com, has.seen.godscock.net, etc.), hacker redirect sites (justgotpwned.com), typosquatter domains (blogpspot.com), disreputable medical products and unsafe download sites (01computersoftwar.biz, etc.). Waria.vg is also present; waria is a trojan egg dropper which targets Linux and Unix systems. Also, corrupt DNS entries are deliberately employed by onestepsearch.net; the reverse DNS entry for onestepsearch.net, 250.f.com, is not whoisable, and no f.com exists.

It is advisable that you block the IP addresses as well as the domain names associated with onestepsearch.net. DNS blocking is useful because malware domains often change IP addresses as their owners seek to avoid IP blocking.

onestepsearch.net  - 208.87.149.250
ns1.onestepsearch.net - 209.128.80.137
ns2.onestepsearch.net - 209.128.80.138
ns3.onestepsearch.net - 209.128.76.101
ns4.onestepsearch.net - 209.128.76.102
mail01.quadzemail.com - 208.87.148.231

onestepsearch.net and quadzemail.com lurk within AS40634, and you may be able to block this entire route (208.87.148.0/23), which appears to be rife with the worst malice.
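As an added example (not part of the original post), the following Python script takes the domain/IP list above and works out how much of it the proposed 208.87.148.0/23 block actually covers, so that the hosts outside the aggregate (here the name servers in 209.128.x.x) still get individual rules, and the registrable domains are separated out for DNS-level blocking. The function names and the two-label "registrable domain" heuristic are assumptions of this example, not anything from the post.

```python
import ipaddress

# Indicators exactly as listed in the post above: (name, IP address).
INDICATORS = [
    ("onestepsearch.net", "208.87.149.250"),
    ("ns1.onestepsearch.net", "209.128.80.137"),
    ("ns2.onestepsearch.net", "209.128.80.138"),
    ("ns3.onestepsearch.net", "209.128.76.101"),
    ("ns4.onestepsearch.net", "209.128.76.102"),
    ("mail01.quadzemail.com", "208.87.148.231"),
]

AGGREGATE = "208.87.148.0/23"  # the route the post suggests blocking


def plan_ip_blocks(indicators, aggregate):
    """Split indicators into those covered by the aggregate prefix and
    those that would still need an individual host rule."""
    net = ipaddress.ip_network(aggregate, strict=True)
    covered, residual = [], []
    for name, ip in indicators:
        addr = ipaddress.ip_address(ip)
        (covered if addr in net else residual).append((name, ip))
    return covered, residual


def firewall_targets(indicators, aggregate):
    """Return the minimal list of deny targets: the aggregate prefix plus
    one entry per distinct residual address, sorted numerically."""
    _, residual = plan_ip_blocks(indicators, aggregate)
    hosts = {ip for _, ip in residual}
    return [aggregate] + sorted(hosts, key=ipaddress.ip_address)


def registrable_domains(indicators):
    """Collapse hostnames to the domain that should be sinkholed in DNS.
    Assumption: last two labels are the registrable domain (adequate for
    .net/.com here; a public-suffix list would be needed for e.g. co.uk)."""
    return sorted({".".join(name.lower().split(".")[-2:]) for name, _ in indicators})


if __name__ == "__main__":
    covered, residual = plan_ip_blocks(INDICATORS, AGGREGATE)
    print("covered by", AGGREGATE, ":", [n for n, _ in covered])
    print("still need host rules :", [ip for _, ip in residual])
    print("firewall targets      :", firewall_targets(INDICATORS, AGGREGATE))
    print("DNS sinkhole domains  :", registrable_domains(INDICATORS))
```

Running it shows that the /23 only reaches the web host and the mail host; the four name-server addresses sit in a different block and must be listed separately, while DNS blocking needs just two domain names.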

Tuesday, November 11, 2008

Malware Domain IP Address Migration Rates

Building the Case for Black Hole DNS
by James McQuaid

In measuring the frequency with which malware domains changed IP addresses, I had two goals. One was to quantify enemy tactics, and the other was to evaluate the effectiveness of the tools we employ against them.

After stateful packet inspection, IP address blocking is the most commonly utilized method of securing the perimeter through filtering. Overreliance on IP address blocking has been criticized as inadequate (http://blog.fireeye.com/research/2008/11/the-case-against-url-blacklists.html), and numerous analysts have suggested that it should be utilized in conjunction with Black Hole DNS (BHDNS) (http://malwaredomains.com/). This may seem to be self-evident, but little data has been available regarding its comparative effectiveness.

I examined malware domains active between October 10th and November 10th 2008, and found that as the life of a malware domain progressed, it was increasingly likely to have its IP address changed. This is the likely result of cybercriminals attempting to evade IP address blocking.

After 7 days, 80% of malware domains retained their initial IP address. 10% were no longer resolving, and 10% of the domains had undergone an IP address change.

After 15 days, 56% of malware domains retained their initial IP address. 21% of malware domains were no longer resolving, and 23% of the domains had undergone an IP address change.

At 30 days, 50% of malware domains retained their initial IP address. 7% of the domains were no longer resolving, and 42% of malware domains had undergone an IP address change.

Malware Domain IP Address Migration Rates

The data indicate that a network administrator who implements IP address blocking on a 30-day update cycle is facing up to a 42% failure rate in the effectiveness of the perimeter filtering policy. The data also imply that the RBN and other malware operators have a strategy of changing the IP address of malware domains in order to evade IP address blocking.
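The measurement above classifies each domain, at a given age, as still on its initial IP, no longer resolving, or moved to a new IP. As an added illustration (not the author's data or tooling), the Python below computes those three rates from a per-day resolution history and also the "stale rule" rate: the share of domains that resolved to an address outside a day-zero IP blocklist at any point before an N-day refresh. The sample history is constructed from documentation-range addresses, so its percentages are illustrative only; the function names are assumptions of this example.

```python
def timeline(initial, changes, days=31):
    """Build a per-day resolution record (index 0 = day first seen).
    `changes` maps a day to the new IP, or to None for NXDOMAIN, applied
    from that day onward."""
    record, current = [], initial
    for day in range(days):
        if day in changes:
            current = changes[day]
        record.append(current)
    return record


# Constructed sample: five domains observed daily for 31 days.
SAMPLE_HISTORY = {
    "alpha.example": timeline("203.0.113.10", {}),                 # never moves
    "bravo.example": timeline("203.0.113.11", {10: "198.51.100.7"}),  # moves on day 10
    "charlie.example": timeline("203.0.113.12", {5: None}),      # stops resolving day 5
    "delta.example": timeline("203.0.113.13", {21: "198.51.100.8"}),  # moves on day 21
    "echo.example": timeline("203.0.113.14", {}),                  # never moves
}


def classify(record, day):
    """State of one domain at a given age relative to its first-seen IP."""
    now = record[day]
    if now is None:
        return "gone"
    return "retained" if now == record[0] else "changed"


def migration_rates(history, day):
    """Percentage of domains retained / gone / changed at age `day`.
    Note: a domain that moves and later moves back counts as retained."""
    counts = {"retained": 0, "gone": 0, "changed": 0}
    for record in history.values():
        counts[classify(record, day)] += 1
    total = len(history)
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}


def blocklist_failure_rate(history, cycle_days):
    """Share of domains whose traffic would have slipped past an IP blocklist
    built on day 0 and refreshed only every `cycle_days` days: any day in
    (0, cycle_days] on which the domain resolved to a different address."""
    failed = 0
    for record in history.values():
        initial = record[0]
        if any(ip is not None and ip != initial for ip in record[1:cycle_days + 1]):
            failed += 1
    return round(100.0 * failed / len(history), 1)


if __name__ == "__main__":
    for age in (7, 15, 30):
        print(f"day {age:2d}: {migration_rates(SAMPLE_HISTORY, age)}"
              f"  stale-rule rate at {age}-day refresh: "
              f"{blocklist_failure_rate(SAMPLE_HISTORY, age)}%")
```

The stale-rule figure is the one that matters for a filtering policy: it answers how often a rule set frozen on day zero stopped matching before the next update, regardless of where the domain ended up on the update day itself.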

Snort Inline offers administrators substantially greater network protection, including protection against advanced threats such as fast flux malware networks. emergingthreats.net provides the most comprehensive set of open source Snort signatures, which are effective in real time (http://doc.emergingthreats.net/bin/view/Main/AllRulesets).

Black Hole DNS (filtering traffic by domain name) provides an effective, inexpensive and widely available method of significantly improving the effectiveness of perimeter firewall filtering policy.

BHDNS is available in conventional DNS as well as in widely deployed home and small business firewalls (such as Smoothwall and IPCop).

You can easily implement BHDNS in conventional DNS. malwaredomains.com provides complete instructions and domain blacklist files. I maintain a ready-to-go solution for Smoothwall at emergingthreats.net (http://doc.emergingthreats.net/bin/view/Main/HoneywallSamples).
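As an added example of the conventional-DNS approach (this is not the malwaredomains.com tooling or the author's Smoothwall package), the Python below turns a domain blacklist into the usual BIND "blackhole" configuration: one authoritative zone per blocked domain, all pointing at a single zone file whose wildcard record answers every name under the domain with a sinkhole address. It also drops subdomains already covered by a parent entry and can answer whether a given hostname would be sinkholed. The zone file path, the sinkhole address and all function names are assumptions of this example.

```python
import re

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize(name):
    """Lower-case, strip a trailing dot and reject malformed names."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(l) for l in labels):
        raise ValueError(f"not a valid domain name: {name!r}")
    return name


def minimal_zone_set(domains):
    """Deduplicate and drop any domain whose parent is also listed, since the
    parent's wildcard record already covers it."""
    names = {normalize(d) for d in domains}
    keep = set()
    for n in names:
        parents = {".".join(n.split(".")[i:]) for i in range(1, n.count("."))}
        if not parents & names:
            keep.add(n)
    return sorted(keep)


def bind_blackhole_config(domains, zone_file="/etc/namedb/blockeddomain.hosts"):
    """One `zone` stanza per blocked domain, all served from the same file.
    The file path is an assumed location, not a BIND default."""
    return "".join(
        f'zone "{d}" {{ type master; file "{zone_file}"; }};\n'
        for d in minimal_zone_set(domains)
    )


def sinkhole_zone_file(sinkhole_ip="127.0.0.1"):
    """Minimal zone data shared by every blackholed domain: SOA, NS, and A
    records for the apex and the wildcard so every subdomain is answered."""
    return (
        "$TTL 86400\n"
        "@ IN SOA localhost. root.localhost. ( 1 3600 900 604800 86400 )\n"
        "@ IN NS localhost.\n"
        f"@ IN A {sinkhole_ip}\n"
        f"* IN A {sinkhole_ip}\n"
    )


def is_blocked(hostname, domains):
    """True if `hostname` equals a blocked domain or lies underneath one
    (which is exactly what the wildcard zone would catch)."""
    host = normalize(hostname)
    blocked = set(minimal_zone_set(domains))
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels) - 1))


# Constructed blacklist: the post's two domains plus a redundant subdomain.
SAMPLE_BLACKLIST = ["onestepsearch.net", "ads.onestepsearch.net", "QuadzEmail.com."]

if __name__ == "__main__":
    print(bind_blackhole_config(SAMPLE_BLACKLIST))
    print(sinkhole_zone_file())
    for h in ("www.onestepsearch.net", "notonestepsearch.net", "onestepsearch.net.example"):
        print(f"{h:32s} blocked={is_blocked(h, SAMPLE_BLACKLIST)}")
```

The `is_blocked` check is worth running against a sample of legitimate hostnames before deploying a list: a wildcard zone for `example.net` silently swallows every name beneath it, so one over-broad entry can take down far more than the intended site.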