This week I saw a number of blocks to
google.analytics.com.[a-z]*.info domains, for example,
The whois information shows that these domains have now been sinkholed by ShadowServer:
adrotator.mediaplex.feed-mnptr.com (currently resolves to 184.108.40.206)
This domain is still live. At the time of this analysis it is flagged as malicious by a few sources (Kaspersky and Google SafeBrowsing), but it is otherwise not widely known.
Google searches for adrotator.mediaplex.feed-mnptr.com show that an iFrame referencing this domain has been injected into some popular websites, for example, mtv.com, a number of msn.com sites, and a whole host of other sites (evite, cnbc, buy, juno).
- Java exploit: class.class, Main.class
- PDF and Browser exploits: kav6.html, kav6.php, kav6.py, kav6%20.asp, AVORP1KAV6%20.asp, kav6.exe/
- Payload (e.g., Fake A/V): kav6.exe
DNS-BH has a new post on 250+ Fraud, NeoSploit, etc. domains to block, and it includes the domain mentioned above: adrotator.mediaplex.feed-mnptr.com. DNS-BH also has a post listing a number of malicious domains being served on banner advertisement networks, illustrating just how large a problem malicious banner ads have become.
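As an added example (not part of the original diary), the following Python script shows how a defender might run the two indicators discussed here over DNS query logs: the google.analytics.com.[a-z]*.info typosquat pattern and the adrotator.mediaplex.feed-mnptr.com host. The log lines are constructed in BIND query-log style and are not real traffic; the anchored, dot-escaped form of the pattern and the requirement that the wildcard label be non-empty are editorial assumptions, since the diary's shell-style pattern taken literally would also match an empty label and unescaped dots.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# The diary's pattern "google.analytics.com.[a-z]*.info", rewritten as a proper
# regex (assumption): literal dots escaped, anchored at both ends, and the
# wildcard label required to be non-empty so "google.analytics.com..info" is
# not matched by accident.
TYPOSQUAT_RE = re.compile(r"^google\.analytics\.com\.[a-z]+\.info$")

# Host named in the diary as hosting the injected iFrame content.
KNOWN_BAD_HOSTS = {"adrotator.mediaplex.feed-mnptr.com"}


@dataclass
class Hit:
    client: str   # querying client IP from the log line
    qname: str    # normalised query name (lower-case, no trailing dot)
    reason: str   # which indicator matched


# Constructed sample lines in BIND query-log style (not real traffic).
# Line 2 is legitimate Google Analytics traffic and must not be flagged;
# line 4 has an empty label and must not match the typosquat pattern.
SAMPLE_LOG = """\
12-Mar-2010 10:01:02.123 client 10.0.0.5#53211: query: google.analytics.com.xyz.info IN A + (10.0.0.1)
12-Mar-2010 10:01:03.456 client 10.0.0.7#40123: query: www.google-analytics.com IN A + (10.0.0.1)
12-Mar-2010 10:01:04.789 client 10.0.0.9#51002: query: adrotator.mediaplex.feed-mnptr.com IN A + (10.0.0.1)
12-Mar-2010 10:01:05.000 client 10.0.0.5#53212: query: google.analytics.com..info IN A + (10.0.0.1)
"""

# Extracts the client address and query name from a BIND-style query log line.
QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise(qname: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are stable."""
    return qname.lower().rstrip(".")


def classify(qname: str) -> Optional[str]:
    """Return the reason a query name is suspicious, or None if it is not."""
    name = normalise(qname)
    if name in KNOWN_BAD_HOSTS:
        return "known malicious host"
    if TYPOSQUAT_RE.match(name):
        return "google.analytics.com typosquat pattern"
    return None


def scan(log_text: str) -> List[Hit]:
    """Run the indicators over every query line and collect the hits."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; ignore
        reason = classify(m.group("qname"))
        if reason:
            hits.append(Hit(m.group("client"), normalise(m.group("qname")), reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.client} -> {hit.qname}: {hit.reason}")
```

Running the script against the constructed log reports two hits (the typosquat name and the known host) and leaves the legitimate www.google-analytics.com query and the malformed double-dot name alone; swapping SAMPLE_LOG for a real query log and extending KNOWN_BAD_HOSTS with the DNS-BH list mentioned above is the obvious next step.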