
Further down the Rabbit hole…

March 15th, 2009

Following two different leads from the hacked websites, I found two very different types of malware going on.  The first one I discovered was a sort of fake anti-virus program.  The site is hosted on bestantimalwarelivescanner.com and there is a click hijack running on securedradiostation.cn.  A copy of the malware can be found here.  Soon I will be testing this inside a VM and will post those results.

The other piece of malware I found was an exploited PDF file.  The PDF file contains some JavaScript which I have not been able to extract yet.  An example of the PDF can be found here.
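One way to pull the JavaScript out of a PDF like this without opening it in a viewer is to walk the raw objects yourself and look for /JS entries, which can hold the script as a literal string, a hex string, or a reference to a (usually FlateDecode-compressed) stream.  The script below is an added example written for this post, not the author's tooling, and the PDF it runs on is constructed inline; the real sample linked above is not reproduced here.  It assumes a simple file layout (no xref parsing, no /ObjStm object streams, no filters other than a lone /FlateDecode), which is enough for many early droppers but not for everything.

```python
"""Pull embedded JavaScript out of a PDF without opening it in a viewer.

Added example for this post, not the author's own tooling.  The PDF is
constructed inline (it is NOT the sample linked from the post) so the script
runs offline.  Assumptions: only raw "N G obj ... endobj" objects, literal and
hex strings, direct /Length values and a lone /FlateDecode filter are handled;
xref tables, /ObjStm object streams and other filters are not.
"""
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}


def parse_literal(data, i):
    """Parse a PDF literal string starting at data[i] == b'(' and return
    (bytes, index after the closing paren).  Handles balanced nested parens,
    backslash escapes and \\ddd octal escapes, which is where a naive regex
    such as r"\\((.*?)\\)" silently truncates or breaks."""
    depth, out, i = 1, bytearray(), i + 1
    while i < len(data) and depth:
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            oct_m = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
            if nxt in ESCAPES:
                out += ESCAPES[nxt]
                i += 2
            elif oct_m:
                out.append(int(oct_m.group(), 8) & 0xFF)
                i += 1 + len(oct_m.group())
            else:                 # backslash-newline or unknown escape: drop the backslash
                i += 1
        elif c == b"(":
            depth += 1
            out += c
            i += 1
        elif c == b")":
            depth -= 1
            if depth:
                out += c
            i += 1
        else:
            out += c
            i += 1
    return bytes(out), i


def stream_data(body):
    """Return the decoded bytes of the stream inside an object body, or None."""
    start = re.search(rb"stream\r?\n", body)
    length = re.search(rb"/Length\s+(\d+)(?!\s+\d+\s+R)", body)   # direct /Length only
    if not start:
        return None
    if length:
        raw = body[start.end():start.end() + int(length.group(1))]
    else:                       # indirect /Length: fall back to the endstream keyword
        raw = body[start.end():body.rfind(b"endstream")].rstrip(b"\r\n")
    if b"/FlateDecode" in body:
        raw = zlib.decompress(raw)
    return raw


def extract_javascript(pdf):
    """Return [(object number, JavaScript text)] for every /JS entry found."""
    objects = {int(num): body for num, _gen, body in OBJ_RE.findall(pdf)}
    found = []
    for num, body in objects.items():
        for m in re.finditer(rb"/JS\s*", body):
            i = m.end()
            c = body[i:i + 1]
            js = None
            if c == b"(":                                   # literal string
                js, _ = parse_literal(body, i)
            elif c == b"<":                                 # hex string
                hexdigits = re.sub(rb"\s", b"", body[i + 1:body.index(b">", i)])
                js = bytes.fromhex((hexdigits + b"0" * (len(hexdigits) % 2)).decode())
            elif c.isdigit():                               # indirect reference "N G R"
                ref = re.match(rb"(\d+)\s+\d+\s+R", body[i:])
                target = objects.get(int(ref.group(1)), b"") if ref else b""
                js = stream_data(target)
                if js is None and b"(" in target:           # referenced string object
                    js, _ = parse_literal(target, target.index(b"("))
            if js is not None:
                text = js[2:].decode("utf-16-be") if js.startswith(b"\xfe\xff") else js.decode("latin-1")
                found.append((num, text))
    return found


def build_sample_pdf():
    """Constructed test PDF (not the one from the post): /OpenAction 4 0 R runs
    JS held in a FlateDecode stream (object 5), and a named JavaScript action
    (object 6) holds JS as an escaped literal string."""
    js_stream = zlib.compress(b"var sc = unescape('%u9090%u9090'); app.alert('first');")
    js_literal = b'(app.alert\\("second \\(nested\\)"\\);)'
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
        b"/Names << /JavaScript << /Names [(init) 6 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(js_stream), js_stream),
        b"<< /S /JavaScript /JS " + js_literal + b" >>",
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for num, js in extract_javascript(build_sample_pdf()):
        print(f"--- object {num} ---\n{js}")
```

Run it against a real sample only inside the analysis VM, and treat an empty result as "not found by this scanner" rather than "no JavaScript": droppers of this era also hid the script in /ObjStm object streams, split it across /AA page actions, or stacked filters, all of which this simplified walker skips.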

I am still working on figuring out what is going on with this malware.  When the preceding page, http://www.se-jewelry.net/111, called the file, it passed three variables.  The entire string is this:

http://www.se-jewelry.net/111/include/spl.php?stats=Unknown|Unknown|67.240.120.204

I have also pulled down the HTML on these sites.  So far it has not shown anything interesting except the examples of malware above.

G13 Security
