Thursday, 16 January 2014
The payload is unclear because at the moment the payload site itself is out of bandwidth. It could either be a malware payload or possibly a rogue ad network (which could also be used to spread malware).
According to Alexa statistics, itlmeteo.it is the 29th most popular site in Italy and the 1305th most popular worlwide.
URLquery report shows the scripts with the injected code:
The injection attempts to run code at [donotclick]www.karsons.co.uk/qdrX3tDB.php?id=114433444 and it can be found in the site's .js files (for example [donotclick]http://www.ilmeteo.it/im10.js). Right at the moment the site has exceeded its bandwidth and is erroring out.
Update: site appears to be clean as of 1133 CET according to URLquery.