Last Updated: 2013-10-08 15:28:15 UTC
by Johannes Ullrich (Version: 1)
The home page of anti virus company Avira has been defaced, likely by altering the DNS zone for Avira.com. Currently, avira.com uses the following NS records:
$ dig +short avira.com NS ns2.radioum.com.br. n1.ezmail.com.br. ns1.radioum.com.br. n2.ezmail.com.br.
$ dig +short A avira.com 184.108.40.206
Once an attacker has control of the NS records, they may also change MX records and redirect e-mail, or in the case of an Antivirus company like Avira change the addresses used to download signature updates.
According to domaintools.com, the last address for avira.com was 220.127.116.11 and that address still appears to host Avira's site.
NS1.AVIRA-NS.NET NS2.AVIRA-NS.DE 18.104.22.168 NS3.AVIRA-NS.NET NS4.AVIRA-NS.DE 22.214.171.124
Our reader Stuart sent us a screenshot with a similar defacement of Antivirus vendor AVG (avg.com), but the site appears to be back to normal now. I can't tell if that defacement was DNS related or not. Instant messaging software maker Whatsapp was appearently a third victim of this attack.