Anti-Virus Company Avira Homepage Defaced, (Tue, Oct 8th)

The home page of anti virus company Avira has been defaced, likely by altering the DNS zone for Currently, uses the following NS records:

$ dig +short NS
$ dig +short A

Once an attacker has control of the NS records, they may also change MX records and redirect e-mail, or in the case of an Antivirus company like Avira change the addresses used to download signature updates.

According to, the last address for was and that address still appears to host Avira's site.

A cached whois record from a couple days ago lists these DNS servers for
The domain is hosted with Network Solutions. At this point, this looks like an isolated incident and not a more wide spread issue with Network Solutions.
I hope this will not be considered an "advanced sophisticated highly skilled attack", as the attackers have issues spelling "Palestine" consistently. The content of the defaced site is political and no malware has been spotted on the site so far.
Partial screenshot of the site:


Our reader Stuart sent us a screenshot with a similar defacement of Antivirus vendor AVG (, but the site appears to be back to normal now. I can't tell if that defacement was DNS related or not. Instant messaging software maker Whatsapp was appearently a third victim of this attack. 

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.