Mebroot Spreading through High-Traffic, Compromised Web Sites
Symantec is tracking more and more high-traffic Web sites that become compromised and then used to spread malicious code.
Today the Italian Web site emule-italia.it had been compromised and was hosting an obfuscated script. The script, when deobfuscated, was showing an iframe pointing to http://[REMOVED]xes.com/ld/grb, which was redirecting users to a server (http://[REMOVED]fir.com/cgi-bin/mail.cgi?p=grobin) hosting the Neosploit tool. Neosploit is forcing vulnerable PCs to download and install the latest version of the infamous Trojan.Mebroot.
ISP was notified by Symantec
http://www.symantec.com/enterprise/security_response/weblog/2008/04/mebroot_spreading_through_high.html