A user visited a webpage and got redirected to hxxp://iframebiz.biz/dl/adv443.php (tt changed to xx to protect anyone from getting there…)
It looks like a bunch of malicious software trying to exploit a variety of vulnerabilities (old and new). Apparently this isn’t a new way of getting these installed (they found 9 DNS names that have been used in the last week): traffsale.biz, iframesite.biz, iframetraff.biz, toolbartraff.biz, buytraff.biz, iframecash.biz, toolbarurl.biz, iframebiz.biz and toolbarbiz.biz have all been used by a machine at 18.104.22.168.
They’ve tried contacting the ISP and, for fun, infected a VMware virtual machine. More than 50 files were pulled down from all over.