Sunbeltblog comments

While I certainly appreciate people out there finding this stuff out and telling the world about it I must confess that the linked article hurt my head. The number of run on sentences, comma splices, and other grammatical errors made me cringe. The first paragraph alone only had two sentences, the second of which looked like a 5 car pileup.


yeah, non-native speaker. But smart as hell.


With this hitting so many well-placed websites, is there any real defense against this attack? It sounds like the malware being pushed by the iframes is constantly evolving, so I imagine most anti-malware software is hard pressed to keep up. Are there any practical steps an end user can take, aside from running a Firefox with NoScript in a sandbox?

As Bert Gummer says, "the opportunities for disaster boggle the mind."


Even NoScript isn't much help in a situation like this. You usually have to allow sites to run scripts to get much accomplished (enter your password, navigate pages in some cases), and these are reputable sites. Most folk won't think twice about whitelisting them.


Why not block the malware's redirect? If the actual malware is downloading from the same IPs (72.232.39.252, 195.225.178.21, etc.) make a filter in your firewall to disallow traffic from those IPs - or at least place them in your IE restricted list or freeware browser equivalent. This will at least protect your users from this mess, in the short run.

Hmmm-just a thought: maybe CounterSpy/Kerio can add this as a service with its downloads, followed by a cleanup when the IPs are purged? It's reactionary defense and not one to do typically, I know, but in a case like this where TWO WEEKS later it's still happening, it would be very useful to end users (like my parents).


So what happens if I go to one of these websites?


What usually happens when you first click the affected link:
You get taken to the proper page first, then after a second the redirect takes you to a website, usually an IP address. Then the abuser signs up to an affiliate program, usually fake codec videos looking like YouTube videos or fake anti-virus programs, and gets a bit of cash every time a person clicks.

Having the same problem myself.


These are not loadable iframes. There is no risk from visiting the sites mentioned.

At least in the examples posted in the article, the <iframe src="http://72.232.something.bad/x"> code is *only text*, and will not be loaded by the browser unless you deliberately copy and paste the URL out of it. It is no more an exploit than the "<iframe...>" text in this comment itself.

Likelihood is, this is indeed an automated attempt to inject iframes into XSS-vulnerable pages. But the results you get from Google are only picking up cases where the injection has failed. (If they had succeeded, there'd actually be an iframe, and not the text, so Google wouldn't find that IP address string.) USAToday et al have not been compromised.

The problem is that it's possible to leverage sites' search mechanisms, and other pages that spit out user-generated text, to get chaff into search results - not just this, but all sorts of sitespam. We just need to find a better way to detect it and keep it out of Google and friends.
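The distinction the comment above draws, between an iframe string that a search page reflects as escaped text and one that is reflected raw and becomes a live element, is easy to show in code. The following is an added example, not code from the blog post or from any of the commenters: a vulnerable and a hardened search-results renderer side by side, plus a small parser that reports which iframes a browser would actually load. The IP in the constructed payload is a documentation placeholder, not one of the addresses named in the thread.

```python
"""Added example (not from the Sunbelt blog or its commenters).

Shows why an injected <iframe> that a search page reflects as HTML-escaped
text is inert, while the same string reflected unescaped becomes a live
element that the browser would load. All inputs are constructed; the host
in INJECTED is a placeholder, not a real address.
"""
import html
from html.parser import HTMLParser

# Constructed payload of the kind the thread describes (placeholder host).
INJECTED = '<iframe src="http://203.0.113.5/x" width=0 height=0></iframe>'


def render_search_results_unsafe(query: str) -> str:
    """Vulnerable 'before': the search term is echoed into the page unescaped,
    so any markup in it is parsed as markup (reflected XSS)."""
    return f"<p>Results for: {query}</p>"


def render_search_results_safe(query: str) -> str:
    """Hardened 'after': HTML-escape the search term so the browser shows it
    as text; the iframe string is still visible (and still indexable by a
    search engine) but is never loaded."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


class IframeFinder(HTMLParser):
    """Collects the src of every real <iframe> element and all visible text.

    HTMLParser decodes character references by default (convert_charrefs=True),
    so escaped markup arrives in handle_data as plain text, never as a tag.
    """

    def __init__(self) -> None:
        super().__init__()
        self.iframe_srcs: list = []
        self.text: list = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "iframe":
            self.iframe_srcs.append(dict(attrs).get("src"))

    def handle_data(self, data) -> None:
        self.text.append(data)


def live_iframes(page_html: str) -> list:
    """Return the src of each iframe element a browser would load from page_html."""
    parser = IframeFinder()
    parser.feed(page_html)
    return parser.iframe_srcs


def visible_text(page_html: str) -> str:
    """Return the text content of page_html, with character references decoded."""
    parser = IframeFinder()
    parser.feed(page_html)
    return "".join(parser.text)


if __name__ == "__main__":
    for name, render in (("unsafe", render_search_results_unsafe),
                         ("safe", render_search_results_safe)):
        page = render(INJECTED)
        print(f"{name}: live iframes = {live_iframes(page)}")
        print(f"{name}: visible text = {visible_text(page)!r}")
```

Running the script shows the unsafe renderer yielding one live iframe pointing at the placeholder host, while the safe renderer yields none even though the `<iframe ...>` string is still present as visible text. That second case is exactly what a search engine indexes when it picks up the IP string from a page where the injection failed, which is why its presence in search results does not by itself mean the site was compromised.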


On some websites the redirect does commence and on most of them it does not.

It just depends on the website.

