Malware calls looky-likey domain names
Security firm F-Secure has noticed a change in the behaviour of malware. Trojans and other malware often try to call home, and that behaviour can be a telltale sign when a company's firewall or DNS servers are asked to resolve the addresses involved, because the hostnames were typically of the form "weloveusa.3322.org" or "hzone.no-ip.biz": names on dynamic DNS services that look out of place in a log.
F-Secure says that when examining targeted attacks on companies and organisations it has noticed a shift towards co-opting vendors' brand names, or misspellings of them, in an attempt to camouflage the requests. Hostnames such as "ip2.kabersky.com", "tethys1.symantecs.com.tw" and "www.adobeupdating.com" have been observed. The looky-likey domain names appear to be an attempt to fool busy system administrators examining firewall logs into thinking the connections are legitimate traffic from the auto-update mechanisms of installed applications.
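Both patterns described above, the older dynamic-DNS call-home names and the newer brand lookalikes, can be caught by a simple check over resolver or firewall logs. The following is an added example, not F-Secure's tooling or anything from the article: the brand list, the allowlist of genuine vendor domains, the public-suffix and dynamic-DNS suffix sets and the log lines are all constructed for illustration.

```python
"""Flag DNS queries for brand-lookalike and dynamic-DNS hostnames.

Added example (not F-Secure's code). Brand list, allowlist, suffix lists and
the sample log are constructed for illustration; a production tool would use
the Public Suffix List and a maintained allowlist instead.
"""
import re

# Vendors worth watching, mapped to the registrable domains their genuine
# services use (assumed allowlist; extend it with what your vendors really use).
BRANDS = {
    "kaspersky": {"kaspersky.com"},
    "symantec": {"symantec.com"},
    "adobe": {"adobe.com"},
}
ALLOWED = set().union(*BRANDS.values())

# Multi-label public suffixes, so "symantecs.com.tw" is treated as one owner.
MULTI_LABEL_SUFFIXES = {"com.tw", "co.uk", "com.cn"}

# Dynamic-DNS providers seen in the older "call home" style of hostname.
DYNDNS_SUFFIXES = {"3322.org", "no-ip.biz", "no-ip.org"}


def registrable_domain(host):
    """Return the owner-controlled part of a hostname (e.g. 'kabersky.com')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Edit distance; brand names are short, so the O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return a reason string if the hostname looks suspicious, else None."""
    reg = registrable_domain(host)
    if reg in ALLOWED:
        return None                      # genuine vendor domain
    if reg in DYNDNS_SUFFIXES:
        return "dynamic-dns:" + reg
    owner = reg.split(".")[0]            # 'symantecs' in symantecs.com.tw
    for brand in BRANDS:
        # Brand embedded in the label (adobeupdating) or a near-miss spelling
        # (kabersky); the distance budget scales with the brand's length.
        if brand in owner or levenshtein(owner, brand) <= max(1, len(brand) // 4):
            return "lookalike:" + brand
    return None


# Constructed resolver log: "<timestamp> <client> query: <qname>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)")
SAMPLE_LOG = """\
2012-06-01T10:00:01 10.1.2.3 query: ip2.kabersky.com
2012-06-01T10:00:02 10.1.2.4 query: tethys1.symantecs.com.tw
2012-06-01T10:00:03 10.1.2.5 query: www.adobeupdating.com
2012-06-01T10:00:04 10.1.2.6 query: liveupdate.symantec.com
2012-06-01T10:00:05 10.1.2.7 query: weloveusa.3322.org
"""


def scan_log(text):
    """Return (client, qname, reason) for every flagged query in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        reason = classify(m["qname"])
        if reason:
            hits.append((m["client"], m["qname"], reason))
    return hits


if __name__ == "__main__":
    for client, qname, reason in scan_log(SAMPLE_LOG):
        print(f"{client:<10} {qname:<28} {reason}")
```

The allowlist check comes first on purpose: the whole point of the lookalike names is that they sit next to genuine vendor traffic, so the check must know the real update domains rather than flag anything containing "symantec". A hit from this script is a lead for the administrator to look at, not a verdict; a lookalike registered by a reseller or CDN is possible, and a missing entry in the allowlist will raise a false positive on real update traffic.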