However, we've now seen a shift in the hostnames. The attackers seem to be registering misleading domain names on purpose, and have now been seen using hosts with names such as:
The apparent motive here is that a busy IT administrator might look at a firewall log alert about a machine connecting to www.adobeupdating.com and just disregard it. "That must be the PDF reader trying to download updates…" In reality, adobeupdating.com is registered to somebody in Zaire and has an IP address pointing to Australia.
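One way to keep such a connection from being waved through, shown as an added example that is not part of the original post: flag any destination host that contains a vendor's name but does not sit under a domain that vendor actually uses. The log format, the allowlist contents and the last-two-labels domain split are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Assumed allowlist: brand keyword -> registrable domains the vendor really uses.
# Illustrative only; build your own from vendor documentation.
VENDOR_DOMAINS = {
    "adobe": {"adobe.com"},
    "microsoft": {"microsoft.com"},
}

# Constructed log format: "<time> ALLOW src=<ip> dst_host=<name> dport=<n>"
LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dst_host=(?P<host>\S+)")

def registrable_domain(host):
    """Naive last-two-labels split; use the Public Suffix List in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def lookalike_brand(host):
    """Return the brand a host name borrows, or None if allowlisted or unrelated."""
    host = host.lower()
    domain = registrable_domain(host)
    for brand, legit in VENDOR_DOMAINS.items():
        if brand in host and domain not in legit:
            return brand
    return None

def flag_lookalikes(lines):
    """Map each suspicious registrable domain to the internal sources contacting it."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if m and lookalike_brand(m.group("host")):
            hits[registrable_domain(m.group("host"))].add(m.group("src"))
    return dict(hits)

# Constructed sample lines; only www.adobeupdating.com comes from the article.
SAMPLE_LOG = [
    "2024-01-01T09:00:01 ALLOW src=10.0.0.5 dst_host=www.adobe.com dport=80",
    "2024-01-01T09:00:07 ALLOW src=10.0.0.5 dst_host=www.adobeupdating.com dport=80",
    "2024-01-01T09:02:13 ALLOW src=10.0.0.9 dst_host=www.adobeupdating.com dport=80",
    "2024-01-01T09:03:40 ALLOW src=10.0.0.9 dst_host=www.example.com dport=80",
]

if __name__ == "__main__":
    for domain, sources in flag_lookalikes(SAMPLE_LOG).items():
        print(f"{domain}: contacted by {sorted(sources)}")
```

Hits are triage candidates rather than verdicts: the registration details of each flagged domain still need checking, as the article does for adobeupdating.com.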