xxp.srv23.foreclosurecities.uni.me/scan/?affid=n7Hn-C9kShc fake av 1
xxp.update74.correctionsboard.uni.me/scan/?affid=SpVNIzVlG0g fake av 2
Zulu analyser
http://zulu.zscaler.com/submission/show/d68ea60ac55cefd34a981abfc05adfb8-1330783872
http://zulu.zscaler.com/submission/show/335a968626be2013726f1660b1236f3c-1330784081
Sucuri
http://sitecheck.sucuri.net/results/http://update74.correctionsboard.uni.me
http://sitecheck.sucuri.net/results/http://srv23.foreclosurecities.uni.me/
To add to that, these sites redirect to randomly generated sites that redirect to sites that redirect to sites and so forth until the site hosting the malware is received. A dirty tactic, if you ask me.
Well, in addition to the random redirects, the malware, when found, was only responsive for a couple of hours at the utmost. Most instances are dead now or already made available through other paths. Because of the redirectional path shown by the Zscaler Zulu scanner, you can understand why user scanning and user reporting are so vital. This is what I find for the AS this IP is on: AS15685
CURRENTLY ONLINE
HE Index: 66.1
HE Rank: 287
AS Name: CASABLANCA-AS Casablanca INT Autonomous system
IPs allocated: 90880
Blacklisted URLs: 483
Hosts…
…malicious URLs? Yes
…badware? Yes
…botnet C&C servers? Yes
…Current Events? Yes
Quite some snakepit to land at,
polonus
Also, read here:
http://www.robtex.com/ip/82.208.40.4.html#ip
Hi posters in this thread,
Here you have an example of similar malware, that has been closed now: htxp://zulu.zscaler.com/submission/show/aece2cc37570568820369325cfca7ad7-1330794333
First seen 2012-03-01 04:30:05 Closed 2012-03-01 05:12:00
Still suspicious,
polonus