Ever heard of domains such as 8866.org, 2288.org, 6600.org, 8800.org, 9966.org, and 7700.org? Me neither -- well, at least not until recently.
The latest zero-day exploit, which affects Microsoft Word, drops a Trojan that tries to connect to a host at 3322.org. Turns out that these particular domains are IP forwarders -- e.g. they let you register any available host at the domain and forward traffic to whichever IP address you prefer. Sounds like a great way for cyber criminals to keep their real attack systems on the move.
I learned about this over at F-Secure, where they explain a bit more about these domains.
When you see these domains in your URL filtering or Web access logs they should send up gigantic red flags in your mind. In my opinion they should be completely blocked unless you have a real good reason not to block them. Better safe than sorry.