See: http://evuln.com/tools/malware-scanner/all-sb.ru/
For the redirect: http://urlquery.net/report.php?id=1682322
24 websites infected: http://evuln.com/labs/daxor.org/
example: http://mawords.com/tekspb.ru → http://urlquery.net/report.php?id=1682525
IDS alert http://doc.emergingthreats.net/bin/view/Main/2015783

This signature falsifies quite often if the client system is using pipe lining. Client downloads an EXE and an image legitimately inside of the same TCP session, but not in the same HTTP transaction, and this signature will fire.

quote-info from Eoin Miller for Gmane - 03-01-2013

polonus