Avast is one of the few to detect HTML:Framer-inf [Trj] at zonedg dot com

See: http://zulu.zscaler.com/submission/show/9568161b99e5deead49933ac223c5fb5-1345991721
See: http://urlquery.net/report.php?id=146631
IDS alert for ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server (group 10)
See: https://www.virustotal.com/file/2d4b24094de8d56662112a11e39b2d022072bee2d684404fa9342ca1a6624d32/analysis/
See: http://www.scumware.org/report/zonedg.com
& http://minotauranalysis.com/search.aspx?q=dd5ad7a360539d989eeaa56a1eea0f8b

polonus

Hi Polonus,

http://www.urlvoid.com/scan/zonedg.com/

http://online2.drweb.com/cache/?i=655b02bd94bbcd554f0f0b3d2bc3dca1 (URL is blocked (malware))

The detection is certainly not by signature, but the resource is malware-based.

Hi Дима,

Thanks for the additional info, especially for the DrWeb URL block scan,

polonus

hXtp://www.become.co.uk/index.html
File size[byte]: 43074
Threat type: Suspicious
Details: Detected hidden reference to external web resource.
Reason: Detected hidden iframe tag to ‘nxtck.com’

hXtp://lowpriceshopper.co.uk/mkt.xpml?mkt_id=1176203821
File size[byte]: 3350
Threat type: Potentially Suspicious
Details: Detected unconditional redirection to external web resource.
Reason: Meta refresh to ‘lowpriceshopper.co.uk’

hXtp://shop.pronto.com/mpm/search.do?displayQuery=intimate lingerie&SEM=true&query=intimate lingerie&adid=RLD-1204785687-7994268-0-p_mes&ref=intimate lingerie&matchtype=e&keywordid=11447474530&creativeid=1550201173
File size[byte]: 3362
Threat type: Potentially Suspicious
Details: Detected unconditional redirection to external web resource.
Reason: Meta refresh to ‘shop.pronto.com’

Edited by me; original: http://www.quttera.com/detailed_report/zonedg.com

Hi !Donovan,

Thanks, nice analysis, as always. Thanks for digging that up. I went over it and additionally came up with this:

For the first link you give, I get:
Header returned by request for: htxp://www.become.co.uk/index.html

HTTP/1.1 404 /index.html
ETag: W/"1101-1277474870000"
Last-Modified: Fri, 25 Jun 2010 14:07:50 GMT
Content-Type: text/html
Content-Length: 1101
Date: Sun, 26 Aug 2012 21:20:09 GMT
Server: Become/1.0

Content returned gives, among other things → Become: Unable to locate page…

For the third link you provided for us:
These suspicious escaped characters found in the code (, %2C, %2C, %2C, %2F, %2C, %2F, %2C, %…) decode to something like → ,/,/,/,/,/,///,/,/,/,/,/,/,//,//,
Just as a side note: "%2F will be decoded in PATH_INFO" is an Apache HTTPD bug…
Translates to htxp://cache-shop.pronto.com/combine.php?type=javascript&hash=980303887&files=lists.js%2Clibrary.js%2Cjquery-1-2-6.js%2Cplugins%2Fjquery-autocomplete.js%2Cplugins%2Fjquery-cookie.js%2Cplugins%2Fjquery-dimensions.js%2Cplugins%2Fjquery-history.js%2Cplugins%2Fjquery-form-plugin.js%2Cpronto3%2Fcommon%2Fplugins%2Frc-text-truncate.js%2Cautocomplete_init.js%2Ccommunity%2Fstar_rating.js%2Ccommunity%2Fcaptcha.js%2Ccommunity%2Fcontest.js%2Ccommunity%2Fcomment.js%2Ccommunity%2Flight_box.js%2Ccommunity%2Flight_box_element_utils.js%2Cpronto3%2Fcommon%2Fga.js%2Cpronto3%2Fcommon%2FdropDown.js%2CFixedDimensionsPopup.js%2CgridView.js%2CptmPopup.js flagged as XSS attack - but here it is supported compression code
Also see this code hiccup:
cache-shop.pronto dot com/js/main/pronto3/NC/jquery-cookie-ga-lightbox.ProntoV3_8_7_0.2012-08-23_08-20.js
[nothing detected] (script) cache-shop.pront dot .com/js/main/pronto3/NC/jquery-cookie-ga-lightbox.ProntoV3_8_7_0.2012-08-23_08-20.js
status: (referer=shop.pronto dot com/)saved 163721 bytes aa2d56a6b59a16bda5a19a9b46ba6be22df5d687
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
error: undefined function a.getElementsByTagName
suspicious:

polonus
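
The percent-decoding discussed in the last post, as an added example that is not part of the original thread: it decodes the `files=` parameter of the quoted combine.php URL and checks every entry against a plain relative `.js` path pattern, which is how such an XSS flag can be triaged as a false positive. The function name, the allow-list pattern and the two `example.test` URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Shortened copy of the combine.php URL quoted in the post (defanged scheme
# kept as posted; file list cut to five of the original entries).
POSTED_URL = (
    "htxp://cache-shop.pronto.com/combine.php?type=javascript&hash=980303887"
    "&files=lists.js%2Clibrary.js%2Cjquery-1-2-6.js"
    "%2Cplugins%2Fjquery-autocomplete.js%2Ccommunity%2Fstar_rating.js"
)
# Constructed counter-examples on a placeholder host: markup in the list,
# and a double-encoded slash (%252F) hiding a parent-directory segment.
CONSTRUCTED_MARKUP = (
    "htxp://cdn.example.test/combine.php?files=lists.js%2C%3Cb%3Ex%3C%2Fb%3E"
)
CONSTRUCTED_DOUBLE = (
    "htxp://cdn.example.test/combine.php?files=lists.js%2C..%252Fconf.js"
)

# One path segment: letters, digits, '_' or '-', with single interior dots.
# This rules out '..', '%', '<', '>' and quotes after one decoding pass.
SEGMENT = r"[A-Za-z0-9_-]+(?:\.[A-Za-z0-9_-]+)*"
SAFE_ENTRY = re.compile(rf"(?:{SEGMENT}/)*{SEGMENT}\.js")


def triage_file_list(url, param="files"):
    """Percent-decode `param` once and split it on commas.

    Returns (entries, rejected): every decoded entry, and those that are
    not a plain relative .js path and therefore deserve a closer look.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    entries = [e for value in query.get(param, []) for e in value.split(",")]
    rejected = [e for e in entries if not SAFE_ENTRY.fullmatch(e)]
    return entries, rejected


if __name__ == "__main__":
    for label, url in [("posted", POSTED_URL),
                       ("constructed markup", CONSTRUCTED_MARKUP),
                       ("constructed double-encoding", CONSTRUCTED_DOUBLE)]:
        entries, rejected = triage_file_list(url)
        verdict = "needs review" if rejected else "benign file list"
        print(f"{label}: {len(entries)} entries, {verdict} {rejected}")
```
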