Avast does not detect Blackhole site

Actually, the above fakes the first appendChild (inside a try) and does an eval appendChild.

Too many bells ringing here to alert: http://urlquery.net/report.php?id=84145
Also a trojan downloader for Zeus on that domain… see Malware Domain List.
And I see suspicious content after the </html> tag: padding to disable the MSIE and Chrome friendly error page.
See this signature description for the Emerging Threats signature: http://comments.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/15709 (author Gmane’s Nathan Ridge)
Only listed here: Listed in bl.spamcannibal.org, www.spamcannibal.org : 127.0.0.2 : blocked, See: http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=216.24.204.18 - (ttl:43200) [0.019 sec]
and here: Listed in sbl.spamhaus.org, www.spamhaus.org/sbl/ : 127.0.0.2 : http://www.spamhaus.org/sbl/query/SBL145909 - (ttl:300) [0.053 sec]
The role of Blackhole exploit kit in spreading spam: http://cbnetsecurity.com/colors/archives/date/2012/07/03 (link from Eye on Spam, author: cristian)

polonus

And this one: http://urlquery.net/report.php?id=84145
See: http://zulu.zscaler.com/submission/show/7f87a6f3d227005ed04fd0de8f456b91-1341679972
See: https://www.virustotal.com/file/b6d708d5f0242ea2d0caab5336f6e1c3c57b1918a6aac684b63bfba7447cd432/analysis/

polonus

Not sure on this one: http://zulu.zscaler.com/submission/show/f4f201ed659b64134520ba85fad1ba3a-1341681804

Is this a dead URL? I think it's dead. See screenshot 1…

true indian,

see: http://urlquery.net/report.php?id=78036
see: http://www.malwaredomainlist.com/hostslist/yesterday_urls.txt
see: http://securecast.co.kr/offer/offer_threat_list.asp?left_menu=secure_02

polonus

Thanks, pol my friend! :slight_smile:

To explain one of the Snort rule alerts a bit more:
In this example the ‘hcp_vbs.php?f=’ part of the URL is known to be part of the ‘Black Hole Exploit Kit’.
And this was one of the bugs abused on that site: description of exploit → https://bugs.php.net/bug.php?id=35360
because you see a Snort rule alert given for this, e.g.:
BLACKLIST URI possible Blackhole post-compromise download attempt - .php?f=
This will deliver various malicious PDF files to a user/victim.

polonus

How about this one: http://urlquery.net/report.php?id=84805
On that IP, IDS alert: SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch.
See: http://zulu.zscaler.com/submission/show/9ba26965ce8a56686c9bdc0ac6470690-1341694871 (partial detection)

polonus

I can't get a return atm…

Here is another: http://urlquery.net/report.php?id=85282
See: http://zulu.zscaler.com/submission/show/77fb44e1a62807569eafd676607fe1c6-1341755594
See: https://www.virustotal.com/file/a6edc3f21dddd2ee19a38b6a48150222180925ad05d49e70ba2659f4f971d7fd/analysis/
Blackhole landing page with specific structure - prototype catch see: http://seclists.org/snort/2012/q1/579 (Joel Esler)
Detected by other AV vendors as HTML/ExpKit.Gen3.

polonus

Here we have a Blackhole site with an outdated and vulnerable version of WordPress: http://sitecheck.sucuri.net/results/sdtempo.si
malware-entry-mwexploitkitblackhole1
See: http://urlquery.net/report.php?id=85251
SQL malware found on line 193: ^^}/km0ae9gr6m/^^try{^^prototype%2;} etc etc
XSS attack detected Failed to connect to database: Unknown MySQL server host
Also see here: http://forum.avast.com/index.php?topic=100917.0
Then the avast shield should block this…

polonus
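As an added example (not code from the thread or from any of the tools it links), here is a small Python detector for the indicators the posts above quote from their IDS alerts: the `.php?f=` URI of the post-compromise download, the `try{…prototype…}catch(` structure seen in the Sucuri line-193 finding, and the non-whitespace padding after `</html>` noted earlier. The log format, hostnames and page body are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

# Indicator 1, from the alert quoted in the thread:
#   "BLACKLIST URI possible Blackhole post-compromise download attempt - .php?f="
PHP_F_URI = re.compile(r"\.php\?f=[0-9a-z]+", re.IGNORECASE)
# Indicator 2, from "Blackhole landing page with specific structure - prototype
# catch": a try block that references 'prototype' and is followed by catch(.
PROTOTYPE_CATCH = re.compile(
    r"try\s*\{[^}]*\bprototype\b[^}]*\}\s*catch\s*\(", re.IGNORECASE)

def classify_uri(url: str) -> Optional[str]:
    """Return the alert name a request URL would trigger, or None."""
    if PHP_F_URI.search(url):
        return "Blackhole post-compromise download attempt - .php?f="
    return None

def classify_body(html: str) -> List[str]:
    """Alerts for a fetched body: landing-page structure and padding after </html>."""
    alerts = []
    if PROTOTYPE_CATCH.search(html):
        alerts.append("Blackhole landing page with specific structure - prototype catch")
    head_tail = html.lower().rsplit("</html>", 1)
    if len(head_tail) == 2 and head_tail[1].strip():
        alerts.append("non-whitespace content after </html> (padding)")
    return alerts

def scan_proxy_log(log: str) -> List[Tuple[str, str, str]]:
    """Scan 'client method url' lines; return (client, url, alert) for each hit."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        client, url = parts[0], parts[2]
        alert = classify_uri(url)
        if alert:
            hits.append((client, url, alert))
    return hits

# Constructed sample input (not from the thread); hostnames are placeholders.
SAMPLE_LOG = """\
10.0.0.5 GET http://landing.example.test/index.html
10.0.0.5 GET http://landing.example.test/hcp_vbs.php?f=1a2b3c
10.0.0.7 GET http://shop.example.test/catalog.php?id=12
10.0.0.9 GET http://other.example.test/w.php?f=33
"""
SAMPLE_BODY = ("<html><body><script>try{prototype%2;}catch(e){}</script></body></html>\n"
               + "<!-- padding -->" * 8)
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the two `.php?f=` requests, and `classify_body(SAMPLE_BODY)` returns both body alerts; a plain page ending in `</html>` returns none.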

http://wepawet.iseclab.org/view.php?hash=9bbac3b2e649c6bd3b67f37435c82150&type=js

Avast blocked the resource itself, and the Trojans are also in the database.

And this is what is downloaded:
https://www.virustotal.com/file/b9348defbc2a9e982abdd1e4f1b5cb425da9e99cd8aa8163f2b9251d9078ca7a/analysis/1341756943/

Thanks for checking, Dim@rik; one less to worry about then.
Hopefully we get detection for all of them; well, at least that is why we are reporting.

polonus

For this one we have 4 AV detections and we have an avast IP block via the avast Network Shield!
Online 08.07.12 16:51 06.07.2012 19:10 5.39.59.129 Blackhole exploit kit HTML/ExpKit.Gen3
But here we have avast Network Shield detection and this IP is blocked as URL:Mal.
So for HTML/ExpKit.Gen3 we have avast shield protection!
See: http://urlquery.net/queued.php?id=85355
No alerts there, but here: http://urlquery.net/report.php?id=84839
Blackhole post-compromise download attempt - .php?f= & prototype catch alerts.

polonus

http://wepawet.iseclab.org/view.php?hash=2f2090cd9dd06cbde83917c2fca2886a&type=js

Downloading two samples, both are determined.

Hi Dim@rik,

It is good to know that avast is one of the few AVs that detect the pony downloader from that site as Win32:Zeus-A [Trj]. Mostly pony downloaders are configured to POST stolen FTP credentials to certain drop zones, then grab Gameover Zeus banking trojans from determined locations, and fraudulent sites engaged in Identity Theft, Phishing, Money Mule,

polonus

See: http://urlquery.net/report.php?id=85558 (next random-number malicious script; IDS alert: Blackhole landing prototype.catch)
Not detected here: http://zulu.zscaler.com/submission/show/abae62a150cd1b4023a891e21a77186b-1341780150 (given as suspicious).
Bitdefender’s Traffic Light flags the site as unsafe.
This link is also found there: htxps://d31qbv1cthcecs.cloudfront.net/atrk.js (Alexa code insertion, benign, could be blocked using ABP).

polonus

What about this one: http://urlquery.net/report.php?id=86083
See: http://vscan.urlvoid.com/analysis/e1d151c5cbc44e04d4561488be7f2439/cmVkaXItbm90LWZvdW5kLXNodG1s/
Well, this one is blocked by the avast Network Shield as URL:Mal.
So for this one we have protection.

polonus

What about this: http://urlquery.net/report.php?id=78194

polonus

Phish attempts on here: http://zulu.zscaler.com/submission/show/8e6980753ddc679fd0d28b5ba1ea43e3-1342081357

Given clean here: http://vscan.urlvoid.com/analysis/990c4c10849ac1fef028e54ee9df36d0/ZmlsZWxpc3QteG1s/

Also we have Blackhole exploit on same IP here: http://zulu.zscaler.com/submission/show/38aec2812ca855299b8dc7efaf209644-1341494925

Reported to Virus AT avast DOT com