26 Oct
2015
26 Oct
'15
8:13 a.m.
On Mon, Oct 26, 2015 at 06:19:11AM -0700, John Sage wrote:
After the appropriate wgets and less'es those all seemed to point back to
avazunic [dot] com
which is registered in -- wait for it -- CN...
I have noted 374 different domains (so far) in this attack and have analyzed them at a cursory level. Thus far, I see no pattern of registration, DNS, geography, hosting, etc. I strongly suspect that many of these, perhaps even most or all, represent web sites that have been breached and are being used to spread the payload. ---rsk