The main site which is hosting the malicious code right now is “ads-t.ru”. Sites which have been hacked by this attack tool will contain a tag which leads to the page “ads-t.ru/ads.js”. A quick Google search for this string will currently reveal more thousands of webpages which have had this code injected.

The Javascript causes an IFRAME to be loaded which causes the following file to be loaded:
adtcp.ru/ad/index.php

That domain was registered on September 29th with the email address omit@blogbuddy.ru

I wasn’t sure if I should try my malware analysis VM 30,000 feet over Wichita Kansas, but I gave it a shot. The index.php file downloads a hostile Flash Player file:

/ad/spl/files/8628468724.swf

That file is only 797 bytes. VirusTotal has 1 of 41 detects for it, with Symantec calling it “Bloodhound.Exploit.266″. The MD5 is 148a8c05fb0b63f036f024e2104a6e4c

The index.php files also causes a malicious PDF file to be downloaded. When the PDF file is opened by an older version of Adobe Reader, the computer becomes infected with one of the “scareware” fake Anti-virus products.

The domain names involved in this scam are all Fast Flux hosted, meaning that machines belonging to a botnet are used to resolve the website addresses. The traffic is then proxied from those IP addresses to the “real” criminal server.