See:
http://www.projecthoneypot.org/ip_31.31.196.16and ->
http://urlquery.net/report.php?id=4370127Gateway malware service as part of RedKit EK campaign, been with us since 2012,
1. Domain rotation – based on time
2. HTML pages rotation, switching based on time too.
3. Domains\web-server involved in apreading malware – victims of previous hacks, that turned into malware spreading hosts
4. MDS clean-up hacked host (at least from added HTML pages and malicious files) at the end of usage.
5. Malware page provide 3(!) different payload, 2 for Java and another for PDF.
Major flaw in this system is non-changed names for malicious files, but since malware domains are hacked, I assume only limited functional available to MDS owners, and that’s require to use static file names. info thanks to Day by Day's author D.L.
polonus