ALERT: Please treat content from aegadvancedmedia.com with extreme caution

Nokia Theatre L.A. Live (nokiatheatrelalive.com) is serving exploits via aegadvancedmedia.com

Historical badness at aegadvancedmedia.com (btw, homedepotcenter.com is still serving exploits – stay away from there too):
http://www.google.com/safebrowsing/diagnostic?site=aegadvancedmedia.com

[image: exploit]

Malicious content (note the 1x1 iframe):

[image]

Analysis of content from the IP address 85.234.190.13:
http://wepawet.cs.ucsb.edu/view.php?hash=63e7a8a467205c6c2d6c078de506b30c&t=1280392935&type=js

Historical badness at 85.234.190.13:
http://www.google.com/safebrowsing/diagnostic?site=85.234.190.13

Other bad stuff in the IP range:
http://www.malwaredomainlist.com/mdl.php?search=85.234.190&colsearch=All&quantity=50

85.234.190.13 is in Latvia - Latvia Riga Docsis Ip Pool For Cable Customers

Other bad stuff is seen coming from 194.8.250.227 (Paraguay Donstroy Ltd) – historical badness there too:
http://www.google.com/safebrowsing/diagnostic?site=194.8.250.227

Interestingly, an analysis of the content loaded from 194.8.250.227 points to fake AV:
http://www.virustotal.com/analisis/b0becacf524a1d04943007da7284bc419245bf26a411a1667df06e647eabadc6-1280394361

Not surprising considering the IP range history:
http://www.malwaredomainlist.com/mdl.php?search=194.8.250&colsearch=All&quantity=50

There is also an attempt to infect systems using a vulnerability in Adobe Reader and Acrobat 8.0 through 9.2 (use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code via a crafted PDF file using ZLib compressed streams, as exploited in the wild in December 2009).
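The injected 1x1 iframe noted above is the classic sign of a compromised page pulling content from an exploit host. The following is an added example (not code from this post or from any of the sites named in it) of a small static scanner a web admin could run over their own pages to flag iframes that are tiny, hidden via CSS, or pointed at the hosts this post lists. The blocklist is built only from the domains and IPs named above; the sample HTML and the path on the bad host are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the post above: hosts it reports as serving exploits.
KNOWN_BAD_HOSTS = {
    "aegadvancedmedia.com",
    "homedepotcenter.com",
    "85.234.190.13",
    "194.8.250.227",
}


def _px(value):
    """Parse a width/height attribute like '1' or '1px' into an int; None if not a pixel value."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value, re.I)
    return int(m.group(1)) if m else None


class HiddenIframeScanner(HTMLParser):
    """Collect every <iframe> that looks like an injection, with the reasons it was flagged."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # html.parser already lowercases tag names
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []

        # Heuristic 1: a frame too small to be meant for a human (the 1x1 case from the post).
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("tiny dimensions (%dx%d)" % (w, h))

        # Heuristic 2: frame hidden with inline CSS.
        style = a.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")

        # Heuristic 3: src points at a host already known to serve exploits.
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host in KNOWN_BAD_HOSTS:
            reasons.append("src host on blocklist: " + host)

        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def scan_html(html):
    """Return a list of {'src': ..., 'reasons': [...]} for each suspicious iframe in html."""
    parser = HiddenIframeScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate video embed plus two injected frames of the
# kind described above. "PLACEHOLDER-PATH" stands in for whatever path was really used.
SAMPLE_HTML = """
<html><body>
<h1>Upcoming events</h1>
<iframe src="http://example.org/player" width="640" height="360"></iframe>
<iframe src="http://aegadvancedmedia.com/PLACEHOLDER-PATH" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://85.234.190.13/PLACEHOLDER-PATH" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

A static scan like this only catches iframes that are literally present in the served HTML. The wepawet link above matters because the injected script on that site is JavaScript, and an iframe written by obfuscated JavaScript at runtime never appears in the source; for that case fetch the page in an instrumented browser or sandbox rather than parsing the HTML.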

Published Thu, Jul 29 2010 19:05 by sandi