A forensic analysis of this attack revealed that the user requested the following:
which in turn requested:
Accessing the image off of dipsy.pbs.org requires login credentials.
PBS Login Prompt
If correct credentials are not provided, dipsy.bps.org serves an error page that looks normal.
… until you look under the hood. The end of the error page’s source.
The above URL serves exploits that target a variety of software vulnerabilities, including those in Acrobat Reader (CVE-2008-2992, CVE-2009-0927, and CVE-2007-5659), AOL Radio AmpX (CVE-2007-6250), AOL SuperBuddy (CVE-2006-5820) and Apple QuickTime (CVE-2007-0015).
The domain qxfcuc.info is part of a malware campaign that includes tens of similar websites hosted off of a handful of common IP addresses. Similar exploit code was served from most of these domains, although a handful (e.g., yyoqny.info) display a message that suggests the criminal behind this campaign is compromising systems to build a botnet he will likely later lease. Translated from Russian, that message tells prospective leasers to “Send a message to ICQ #559156803; stats available under ststst02.“
Users of the PWSS are protected from this campaign.