Wednesday, March 10, 2010

Recent Spike in NeoSploit Activity

Embedded malicious iFrames within ad banners on popular sites has been attributed to a recent spike in NeoSploit activity.

This week I saw a number of blocks to google.analytics.com.[a-z]*.info domains, for example:
  • google.analytics.com.okruvgbpfyyl.info
  • google.analytics.com.poaluygbcxu.info
  • google.analytics.com.hjhcgawqijc.info
  • google.analytics.com.kfyalnkfqhl.info
  • google.analytics.com.gxycidzewmed.info

The whois information shows that these domains have now been sink-holed by ShadowServer.

Redirection to these domains appears to have been triggered by heavily obfuscated JavaScript served from the domain adrotator.mediaplex.feed-mnptr.com (currently resolving to 188.72.252.129).

This domain is still live, and is mentioned on a few sites (Kaspersky and Google SafeBrowsing) as being malicious, but is otherwise not generally well known at the time of this analysis.

Google searches for adrotator.mediaplex.feed-mnptr.com show that the iFrame has been injected into some popular websites, for example, mtv.com, a number of msn.com sites, and a whole host of other sites (evite, cnbc, buy, juno) - reference.

Once redirected to one of the www.google.analytics.com.[a-z]*.info domains, the victim receives JavaScript from what appears to be the NeoSploit exploit kit, where the following pages may be pulled down:
  • Java exploit: class.class, Main.class
  • PDF and Browser exploits: kav6.html, kav6.php, kav6.py, kav6%20.asp, AVORP1KAV6%20.asp, kav6.exe/
  • Payload (e.g., Fake A/V): kav6.exe
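As an added example (not part of the original post), the following Python scanner runs the indicators above over a few constructed proxy log lines: it flags the redirector domain, any host matching the google.analytics.com.[a-z]*.info lookalike shape, and the kit file names only once the host is already suspect, while leaving the real www.google-analytics.com untouched. The log format, sample lines and function names are assumptions.

```python
import re

# Constructed sample proxy log (hypothetical format: timestamp client method url action).
SAMPLE_LOG = """\
2010-03-09T10:01:12 10.0.0.5 GET http://www.mtv.com/ ALLOW
2010-03-09T10:01:13 10.0.0.5 GET http://adrotator.mediaplex.feed-mnptr.com/ad.js ALLOW
2010-03-09T10:01:14 10.0.0.5 GET http://google.analytics.com.okruvgbpfyyl.info/kav6.html ALLOW
2010-03-09T10:01:15 10.0.0.5 GET http://google.analytics.com.okruvgbpfyyl.info/kav6.exe BLOCK
2010-03-09T10:02:00 10.0.0.7 GET http://www.google-analytics.com/ga.js ALLOW
2010-03-09T10:02:30 10.0.0.9 GET http://google.analytics.com.hjhcgawqijc.info/class.class ALLOW
"""

# Hostname shape from the post: a Google-looking prefix chained in front of a random
# alphabetic .info registrable domain. The real www.google-analytics.com never matches.
LOOKALIKE_RE = re.compile(r"^google\.analytics\.com\.[a-z]+\.info$")
KNOWN_REDIRECTOR = {"adrotator.mediaplex.feed-mnptr.com"}  # named in the post
KIT_FILES = {"class.class", "Main.class", "kav6.html", "kav6.php", "kav6.exe"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/:\s]+)(?::\d+)?(/\S*)? (\S+)$")

def classify(host, path):
    """Reasons a request looks like the redirection chain the post describes."""
    host = host.lower()
    reasons = []
    if host in KNOWN_REDIRECTOR:
        reasons.append("known redirector")
    if LOOKALIKE_RE.match(host):
        reasons.append("google.analytics.com lookalike")
        # File names alone are too generic (Main.class is everywhere); count them only once the host is suspect.
        name = (path or "/").rsplit("/", 1)[-1]
        if name in KIT_FILES:
            reasons.append("kit artefact " + name)
    return reasons

def scan(log_text):
    """Return (client, host, reasons) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        _ts, client, _method, host, path, _action = m.groups()
        reasons = classify(host, path)
        if reasons:
            hits.append((client, host.lower(), reasons))
    return hits

def redirected_clients(hits):
    """Clients that actually reached a lookalike domain, not just the redirector."""
    return sorted({c for c, _h, r in hits if "google.analytics.com lookalike" in r})
```

Running `scan(SAMPLE_LOG)` reports four requests and `redirected_clients` narrows them to the two machines that reached a lookalike domain, which is the set worth checking for a dropped kav6.exe.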

Update:
DNS-BH has a new post on 250+ Fraud, NeoSploit, etc. domains to block, and it includes the domain mentioned above: adrotator.mediaplex.feed-mnptr.com. DNS-BH also has a post listing a number of malicious domains being served through banner advertisement networks, showing just how large a problem malicious banner ads have become.

1 comment:

Anonymous said...

I believe I was a victim of the above on a popular blog site; http://globaleconomicanalysis.blogspot.com a popular financial blog with many ads via Google, etc. Was redirected on 2 different occasions on random clicks on the page. First one was to 195.5.161.129, the second to 91.213.157.5/index1.html, both were fake av. So this is not just affecting major TLDs but possibly anyone using any ad services. I alerted the host of the blog, but he was unaware and unable to recreate. I found a forum that had the same problem and without admitting fault his ad service removed an ad and the problem disappeared on both his forum and the blog above. Both IPs above are now listed on several blacklists and on Malwareurl.com

Joshua