Our forum friend, Pondus, came up with the following interesting scan results, and contemplated this to be new exploit malware:
URL: htxp://doklengtoy.com/

urlquery: http://urlquery.net/report.php?id=1958688

sucuri: http://sitecheck.sucuri.net/results/doklengtoy.com/

virustotal
https://www.virustotal.com/nb/file/1b92837cc6b73514af234a4604b17c81adacfe10d0b93186bf30970d5ccef173/analysis/1365790090/

So we delved into it and came up with the following results. Please, feel free to comment or react!
First let us look at the IDS alert

ET DNS DNS Query for Suspicious .co.cc Domain

Here we see it considers 5 suspicious domain types: http://lists.emergingthreats.net/pipermail/emerging-sigs/2010-August/008876.html (reported by KEVIN ROSS) These are classified as “potentially bad traffic packet drops domains”…
Will Metcalf discusses this sig on GMane here: http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/18037
The accuracy should be optimized, they say, and the sig rules may appear somewhat dubious.
This could well be because the blackhole malcreants care about staying beyond the detection radar.

Therefore a lot of scanners therefore come up with a clean slate: http://quttera.com/detailed_report/doklengtoy.com
Here are two more urlquery dot net scans for the same IDS alert:
http://urlquery.net/report.php?id=1923475 &
http://urlquery.net/report.php?id=1941555
These are quite recent detections from 1 and 2 days ago.

The sucuri detection is interesting: http://sitecheck.sucuri.net/results/doklengtoy.com/ and click faud related javascript malcode: http://labs.sucuri.net/db/malware/malware-entry-mwhjck3123
A lot of abuse is going on via that IP (PHISHING, spam,
ours has recently migrated from Cloudflare (Singapore) all abuse coming under one generic name: Dynamic DNS exploit attacks originating from mentioned domain…a lot of which active malcode is being detected by our good old avast!: https://www.virustotal.com/en/file/c1352adfc2232139021bf568a6c908f1d726286c4b4fec617bda57142bf22386/analysis/
A lot on that domain has either been closed or is dead malcode,
see: http://support.clean-mx.de/clean-mx/viruses.php?ip=118.139.186.1&sort=first%20desc

polonus

This one is even blocked on the urlquery net results by the avast! Web Shield as JS:Redirector-ZK[Trj]
htxp://urlquery.net/report.php?id=1926772
Also when I try to load that uri via a proxy like htxp://5.hidemyass.com/ip-1/encoded/etc. avast! will detect and block this redirect!

Pondus’s example was only detected once here: http://www.urlvoid.com/scan/doklengtoy.com/
http://www.avgthreatlabs.com/sitereports/domain/doklengtoy.com/ (potentially active threats found)
Here it is given in detail: http://evuln.com/tools/malware-scanner/doklengtoy.com/
avast detects as JS:Iframe-ER [Trj]
But going to the site with NS and RP extensions active I get no avast! Shield alert -
Could it be the site has been cleansed or does not avast! detect any longer?
See: http://vurldissect.co.uk/default.asp?url=http%3A%2F%2Fdoklengtoy.com%2F&btnvURL=Dissect&selUAStr=1&selServer=1&ref=&cbxSource=on&cbxBlacklist=on
Nothing detected here, neither in a previous analysis: http://zulu.zscaler.com/submission/show/0aeb6f995e37007150b07f118556ecbf-1365855331
But still detected & detected earlier by wepawet: http://wepawet.iseclab.org/view.php?hash=53eb76efef30f783dc935c86eddedb3a&t=1365855398&type=js

polonus