In association with heise online

23 July 2009, 14:45

Malware calls looky-likey domain names


Security experts at F-Secure have noticed a change in the behaviour of malware. Trojans and other malware often try to call home, and until now this has been a tell-tale sign: when a company's firewall or DNS servers were asked to resolve the command-and-control addresses, the names were typically dynamic-DNS hosts such as "weloveusa.3322.org" or "hzone.no-ip.biz", which stand out in the logs.

F-Secure say that, when examining targeted attacks on companies and organisations, they have noticed a shift to a strategy of co-opting vendors' brand names, or misspellings of them, in an attempt to camouflage the requests. Host names like "ip2.kabersky.com", "tethys1.symantecs.com.tw" and "www.adobeupdating.com" have been noted. The looky-likey domain names appear to be an attempt to fool busy system administrators examining firewall logs into thinking they are legitimate connections from applications' auto-update mechanisms. A glance at the host name is therefore no longer enough; the registered domain has to be checked against the vendor's real one.
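The check described above can be automated. The following Python script is an added example, not code from F-Secure or The H: it reads DNS query-log lines, reduces each queried name to its registrable domain, and flags names that sit on a dynamic-DNS provider or are within a couple of edits of (or contain) a vendor brand from an allowlist. The log lines and the allowlist are constructed for the example; the log format follows a BIND-style query log, the vendor allowlist, the dynamic-DNS suffixes and the short list of two-label public suffixes are assumptions, and a real deployment would use a full allowlist and the Public Suffix List.

```python
import re

# Constructed allowlist of vendor domains whose auto-update traffic a busy
# administrator would expect to see (assumption; a real list is site-specific).
VENDOR_DOMAINS = {"kaspersky.com", "symantec.com", "adobe.com",
                  "microsoft.com", "f-secure.com"}

# Dynamic-DNS providers: the older, easy-to-spot call-home pattern (assumption).
DYNDNS_SUFFIXES = ("3322.org", "no-ip.biz", "no-ip.org", "dyndns.org")

# Two-label public suffixes so that "symantecs.com.tw" reduces to the brand
# "symantecs". A real implementation would consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"com.tw", "co.uk", "com.cn", "com.au", "co.jp"}

# Maximum edit distance between a queried brand and an allowlisted brand that
# still counts as a lookalike. Tune this for very short brand names.
MAX_EDITS = 2

# Matches the query part of a BIND-style query log line (assumed format).
QUERY_RE = re.compile(r"query: (?P<qname>[\w.-]+) IN (?P<qtype>\w+)")


def registrable_domain(hostname):
    """Return the registrable domain, e.g. ip2.kabersky.com -> kabersky.com."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(hostname):
    """Return (verdict, registrable_domain, matched_vendor_or_None).

    verdict is one of "dyndns", "ok", "lookalike" or "unknown".
    """
    host = hostname.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES):
        return ("dyndns", host, None)
    reg = registrable_domain(host)
    if reg in VENDOR_DOMAINS:
        return ("ok", reg, None)
    brand = reg.split(".")[0]
    best = None
    for vendor in sorted(VENDOR_DOMAINS):
        vbrand = vendor.split(".")[0]
        dist = levenshtein(brand, vbrand)
        # A near-miss spelling ("kabersky", "symantecs"), the real brand under
        # an unlisted TLD, or the brand embedded in a longer name
        # ("adobeupdating") are all worth a second look.
        if dist <= MAX_EDITS or vbrand in brand:
            if best is None or dist < best[0]:
                best = (dist, vendor)
    if best is not None:
        return ("lookalike", reg, best[1])
    return ("unknown", reg, None)


def scan_query_log(lines):
    """Classify every query found in the given log lines."""
    results = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m is None:
            continue
        verdict, reg, vendor = classify(m.group("qname"))
        results.append((m.group("qname"), verdict, vendor))
    return results


# Constructed sample log; the host names themselves are those quoted in the article.
SAMPLE_LOG = """\
23-Jul-2009 14:40:02.110 client 10.0.0.21#51234: query: liveupdate.symantec.com IN A + (10.0.0.1)
23-Jul-2009 14:40:05.451 client 10.0.0.21#51240: query: weloveusa.3322.org IN A + (10.0.0.1)
23-Jul-2009 14:41:17.003 client 10.0.0.37#49155: query: hzone.no-ip.biz IN A + (10.0.0.1)
23-Jul-2009 14:42:09.876 client 10.0.0.44#53001: query: ip2.kabersky.com IN A + (10.0.0.1)
23-Jul-2009 14:42:31.220 client 10.0.0.44#53007: query: tethys1.symantecs.com.tw IN A + (10.0.0.1)
23-Jul-2009 14:43:55.612 client 10.0.0.58#50022: query: www.adobeupdating.com IN A + (10.0.0.1)
23-Jul-2009 14:44:10.090 client 10.0.0.58#50030: query: www.example.org IN A + (10.0.0.1)
""".splitlines()

if __name__ == "__main__":
    for qname, verdict, vendor in scan_query_log(SAMPLE_LOG):
        note = f" (resembles {vendor})" if vendor else ""
        print(f"{verdict:9s} {qname}{note}")
```

Only names that match an allowlisted domain exactly come back as "ok"; the three names from the article are all reported as lookalikes with the vendor they imitate, the two dynamic-DNS names are reported separately, and anything else is left as "unknown" for the administrator to review. The edit-distance threshold is deliberately low: raising it catches more typosquats but starts to match unrelated short names.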

(djwm)

Permalink: http://h-online.com/-742619
 

