Thursday, November 27, 2008

Risk Impact High

Symantec yesterday (11-26-2008) identified a new strain of adware bearing a risk impact of high. Adware.OneStep targets the Firefox browser ( It embeds search results from with hidden advertisements that use size zero iframe tags.
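The hidden-advertisement technique described above can be checked for in saved page markup. The following is an added example, not code from Symantec or from the original post: it flags iframe tags whose dimensions are zero or whose inline style hides them. The sample page, the `ads.example` and `video.example` hosts, and the function names are constructed for illustration, and the input is assumed to be the HTML of a results page as the browser rendered it.

```python
import re
from html.parser import HTMLParser

# width/height attribute values that render as zero ("0", "0px", "0%").
_ZERO_ATTR = re.compile(r"^\s*0+(?:\.0+)?(?:px|%)?\s*$", re.IGNORECASE)
# Inline style declarations that collapse or hide the frame.
_HIDDEN_CSS = re.compile(
    r"(?:^|;)\s*(?:(?:width|height)\s*:\s*0+(?:\.0+)?(?:px|em|%)?"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)\s*(?:;|$)",
    re.IGNORECASE,
)

class HiddenIframeFinder(HTMLParser):
    """Collects (line, src, reasons) for every iframe that cannot be seen."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = [f"{dim}={a[dim].strip()}" for dim in ("width", "height")
                   if dim in a and _ZERO_ATTR.match(a[dim])]
        if _HIDDEN_CSS.search(a.get("style", "")):
            reasons.append("style hides frame")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if reasons:
            line, _ = self.getpos()  # line of the opening tag
            self.findings.append((line, a.get("src", ""), reasons))

def find_hidden_iframes(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample: two hidden frames around one legitimate, visible frame.
SAMPLE = """<html><body>
<h1>Search results</h1>
<iframe src="http://ads.example/track?q=1" width="0" height="0"></iframe>
<iframe src="http://video.example/player" width="640" height="360"></iframe>
<iframe src="http://ads.example/b" style="border:0; width:0px; height:0px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, src, reasons in find_hidden_iframes(SAMPLE):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

Frames hidden through an external stylesheet or sized by script after load are not visible to this check, so a clean result on raw markup does not rule out injection.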

An examination of reveals additional cause for concern. The proprietor of is Navigation Catalyst Systems, Inc.; the firm was sued by Verizon on April 15th. In that lawsuit,
"Verizon California Inc., Verizon Trademark Services LLC and Verizon Licensing Company alleged that Defendants Navigation Catalyst Systems Inc. and Basic Fusion Inc. have used an automated process to register and use over three million domain names, many of which are confusingly similar to famous or distinctive trademarks owned by others."(
The mass registration of typosquatting domains is a tactic often practiced by the Russian Business Network.

McAfee's Site Advisor service ties to ("When we visited this site, we found that it appears to have a business relationship with, a known provider of adware, spyware or other potentially unwanted programs."). Indeed, shares both its IP address and name server with Other domains at IP address include a variety of sociopathic porn sites (,, etc.), hacker redirect sites (, typosquatter domains (, disreputable medical products and unsafe download sites (, etc.). is also present; waria is a trojan egg dropper which targets Linux and Unix systems. Also, corrupt DNS entries are deliberately employed by; the reverse DNS entry for,, is not whoisable, and no exists.

It is advisable that you block the IP addresses as well as the domain names associated with DNS blocking is useful as malware domains often change IP addresses, as their owners seek to avoid IP blocking.  - - - - - - and lurk within AS40634, and you may be able to block this entire route (, which appears to be rife with the worst malice.