It is a spamvertiser campaign botnet. Entering the IDS rule for it into Google: "BOTNET-CNC Cutwail landing page connection attempt Alerts: 1", you get quite a few infected URLs. This one is from 1 hr ago: http://urlquery.net/report.php?id=119982
and this even younger: http://urlquery.net/report.php?id=120064
or this: http://urlquery.net/report.php?id=120015
two hours ago this was scanned: http://urlquery.net/report.php?id=119916
Avast detects: JS:Redirector-RO [Trj] here.
An example: Content returned by request for: htxp://citigatesanchis.com/KFETjuQk/index.html
Loading…
4: src="htxp://gzt.si/AjFisCSM/js.js"> see: http://zulu.zscaler.com/submission/show/6cb8e7ffc99b4b0b2a136678f6e5f137-1344459649
5: src="htxp://kidzup.co.kr/30AcyMry/js.js"> see: http://zulu.zscaler.com/submission/show/52b252f98208c7986f54c4f2bd305525-1344459709
and Avast does not detect this: https://www.virustotal.com/file/e1c4716569727f6389e63018eae9eed7156c9cbbc38ede94843dddf76fed050d/analysis/
as a possible Heur.JS.BlacoleRedir (v) detection, reported to virus AT avast dot com
See also: http://www.mywot.com/en/scorecard/kidzup.co.kr?utm_source=addon&utm_content=popup-donuts
polonus
P.S. One of the sites finally landed here: http://zulu.zscaler.com/submission/show/5d22a559edc307ef649de958ca8d62d7-1344460769
This is being blocked by Google Safebrowsing as a malicious site… and this also lands there: http://urlquery.net/report.php?id=120028
D
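The landing page quoted in the post pulls js.js from several unrelated hosts, each under an 8-character directory. As an added example (not part of the original post), this sketch flags fetched HTML with that shape for triage; the regexes, the two-host threshold, the function names and the sample page are assumptions built from the URLs shown above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption from the post's URLs: one 8-character alphanumeric directory,
# then index.html (landing page) or js.js (remote redirector script).
LANDING_RE = re.compile(r"/[A-Za-z0-9]{8}/index\.html")
SCRIPT_RE = re.compile(r"/[A-Za-z0-9]{8}/js\.js")

# Constructed sample input (placeholder hosts, defanged like the post).
SAMPLE_URL = "htxp://landing.example/Ab3dE6gH/index.html"
SAMPLE_HTML = """<html><body>Loading...
<script type="text/javascript" src="htxp://one.example/Qw3rTy7u/js.js"></script>
<script type="text/javascript" src="htxp://two.example/Zx9cVb2n/js.js"></script>
<script src="/static/app.js"></script>
</body></html>"""


def refang(url):
    """Restore a defanged scheme (htxp/hxxp) so urlsplit can parse the URL."""
    return re.sub(r"^h(?:tx|xx)p(s?)://", r"http\1://", url.strip(), flags=re.I)


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            self.sources.append(src)


def score_landing_page(page_url, html, min_hosts=2):
    """Report off-site js.js includes that match the campaign path shape."""
    page = urlsplit(refang(page_url))
    collector = ScriptSrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        parts = urlsplit(refang(src))
        # Relative includes have no hostname and are ignored.
        if parts.hostname and parts.hostname != page.hostname \
                and SCRIPT_RE.fullmatch(parts.path):
            hosts.add(parts.hostname)
    landing = bool(LANDING_RE.fullmatch(page.path))
    return {"landing_path_match": landing, "redirector_hosts": sorted(hosts),
            "suspicious": landing and len(hosts) >= min_hosts}
```

A hit is a reason to submit the page to a scanner or sandbox, not a verdict on its own.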