In targeted attacks, we're see more and more attempts to obfuscate the hostname of the server to which the backdoors are connecting.

IT staff in many of the targeted organizations are fully aware of these attacks. They keep monitoring their logs for suspicious activity.

The admins might spot a host that suddenly connects to known rogue locations such as:

  •  weloveusa.3322.org
  •  boxy.3322.org
  •  jj2190067.3322.org
  •  hzone.no-ip.biz
  •  tempsys.8866.org
  •  zts7.8800.org
  •  shenyuan.9966.org
  •  xinxin20080628.gicp.net

However, we've now seen a shift in the hostnames. The attackers seem to registering misleading domain names on purpose, and have now been seen using hosts with names such as:

  •  ip2.kabsersky.com
  •  mapowr.symantecs.com.tw
  •  tethys1.symantecs.com.tw
  •  www.adobeupdating.com
  •  iran.msntv.org
  •  windows.redirect.hm

The apparent motive here is that a busy IT administrator might look at a firewall log alert about a machine connecting to www.adobeupdating.com and just disregard it. "That must be the PDF reader trying to download updates…" In reality, adobeupdating.com is registered to somebody in Zaire and has an IP address pointing to Australia.