Gumblar Companion Finally Shutting Down?
As mentioned in a previous blog post:
The gumblar.cn compromise may also be accompanied by malicious iframes that load exploits and malware from domains hosted at 213.182.197.23, including liteautotop.cn, bigtruckstopseek.cn, autobestwestern.cn and several others.
While the gumblar.cn and martuz.cn domains have been shut down for over a week now, these other companion compromises continued to proliferate. Malware domain names include liteautotop.cn, bigtruckstopseek.cn, autobestwestern.cn, bestlitediscover.cn, bigpremiumlite.cn, bigtopartists.cn, bigtopcabaret.cn, bigtopsuper.cn, giantnonfat.cn, hugebestbuys.cn, litebest.cn, litetopautoseek.cn, superdietfind.cn, and yourlitetopfind.cn.
Most recently, the attackers split the domain list and began hosting it on two IP addresses, 70.85.142.250 and 86.106.121.200, both of which share the nameserver IP 91.212.65.14. They also employed multiple other nameservers at the following IPs:
213.163.91.91
209.44.126.7
213.182.197.23
202.73.57.20
95.129.144.211
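The infrastructure described above (a handful of hosting IPs and a shared pool of nameserver IPs) is exactly what a responder pivots on to find companion domains that have not been reported yet. The following is an added example, not code from the ScanSafe post: it walks the bipartite domain/IP graph outward from a known-bad IP, treating both hosting (A) and nameserver (NS) addresses as links. The record table is constructed for illustration from the domain names and IPs the post lists; the post does not say which domain sat on which IP, so the specific pairings here are assumptions, and `example.com` is included only as an unrelated control.

```python
"""Pivot on shared hosting and nameserver IPs to enumerate companion domains.

Added example, not from the original post. RECORDS is a constructed snapshot:
the domain names and IPs come from the post, the pairings are illustrative.
In practice you would fill it from passive DNS or live A/NS lookups.
"""
from collections import defaultdict

# domain -> (hosting IPs from A records, nameserver IPs from NS records)
RECORDS = {
    "liteautotop.cn":      (["70.85.142.250"],  ["91.212.65.14", "213.163.91.91"]),
    "bigtruckstopseek.cn": (["70.85.142.250"],  ["91.212.65.14"]),
    "autobestwestern.cn":  (["86.106.121.200"], ["91.212.65.14", "209.44.126.7"]),
    "bestlitediscover.cn": (["86.106.121.200"], ["213.182.197.23"]),
    "example.com":         (["93.184.216.34"],  ["199.43.135.53"]),  # unrelated control
}


def index_by_ip(records):
    """Invert the table: every IP (hosting or NS) -> set of domains touching it."""
    by_ip = defaultdict(set)
    for domain, (hosts, nameservers) in records.items():
        for ip in hosts + nameservers:
            by_ip[ip].add(domain)
    return by_ip


def shared_ips(records, min_domains=2):
    """IPs used by at least min_domains domains: the 'home-grown bulletproof' hubs."""
    return {ip: sorted(ds) for ip, ds in index_by_ip(records).items()
            if len(ds) >= min_domains}


def pivot(records, seed_ips, max_hops=5):
    """Breadth-first expansion from seed IPs.

    Each hop: collect every domain that uses one of the known IPs, then add
    all of those domains' own hosting and nameserver IPs to the known set.
    Returns (linked_domains, linked_ips). Stops early when nothing new appears.
    """
    by_ip = index_by_ip(records)
    ips = set(seed_ips)
    domains = set()
    for _ in range(max_hops):
        new_domains = {d for ip in ips for d in by_ip.get(ip, ())} - domains
        if not new_domains:
            break
        domains |= new_domains
        for d in new_domains:
            hosts, nameservers = records[d]
            ips.update(hosts)
            ips.update(nameservers)
    return domains, ips


if __name__ == "__main__":
    found, infra = pivot(RECORDS, {"213.182.197.23"})
    print("linked domains:", sorted(found))
    print("linked IPs:", sorted(infra))
    print("shared hubs:", shared_ips(RECORDS))
```

Seeding with 213.182.197.23 alone reaches every .cn domain in the table within three hops (via 86.106.121.200, then the shared nameserver 91.212.65.14) while never touching the control domain, which is the point: a shared nameserver IP links domains that share no hosting address at all.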
The tactic could be likened to a home-grown bulletproof hosting scheme. But fortunately, it appears the nameservers themselves are now being shut down. This is good news, because it raises the attackers' cost of doing business. At some point, if costs are high enough, these particular attacks will cease.
It's a bit like playing Whack-a-Mole though. As one set of attack domains is brought down, others come online. In the first two weeks of May, ScanSafe STAT observed 919 separate Web attacks - Gumblar and these companion attacks represented just 3 of the 919 total attacks that occurred during this period.

Mary Landesman
Reader Comments (1)
I don't understand why the SHA1 of sqlsodbc.chm has to be found using the FileAlyzer program, when right-clicking the file and looking at Properties shows (in my case) that the file has 46133 bytes, which corresponds to this entry in your list: 87230AD4C2646376B819DDA4963DD2C49BC50D7A 46133, so I think it indicates no infection, right?
BTW, what is SHA1?
Thanks for your help,
Eldad
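The check the comment above refers to, comparing a file against a list of known-good (SHA-1, size) pairs, can be done without a third-party tool. The following is an added example, not part of the post or the comment: it computes both values for a file and reports whether the hash and size both match, only the size matches, or neither does. The entry with hash 87230AD4C2646376B819DDA4963DD2C49BC50D7A and size 46133 is the one quoted in the comment; the sample byte strings are constructed so the code runs offline, and the path in the `__main__` block is a placeholder.

```python
"""Compare a file's SHA-1 and size against a known-good list.

Added example, not from the post or the reader comment. A 'size-only' result
is the case the comment asks about: same length as a known-good entry, but
different contents, which only the hash can distinguish.
"""
import hashlib

# One entry taken from the reader comment above; extend with the full list.
KNOWN_GOOD = [
    ("87230AD4C2646376B819DDA4963DD2C49BC50D7A", 46133),
]

# Constructed sample contents (not the real sqlsodbc.chm): same length,
# differing in a single byte.
CLEAN_SAMPLE = b"A" * 64
TAMPERED_SAMPLE = b"A" * 63 + b"B"


def fingerprint(data: bytes):
    """Return (uppercase SHA-1 hex digest, length in bytes) for the given contents."""
    return hashlib.sha1(data).hexdigest().upper(), len(data)


def classify(data: bytes, known_good):
    """'match' if hash and size agree with a known-good entry,
    'size-only' if just the size does, otherwise 'no-match'."""
    sha1, size = fingerprint(data)
    entries = {(h.upper(), s) for h, s in known_good}
    if (sha1, size) in entries:
        return "match"
    if any(s == size for _, s in entries):
        return "size-only"
    return "no-match"


def check_file(path, known_good=KNOWN_GOOD):
    """Read a file from disk and classify it."""
    with open(path, "rb") as fh:
        return classify(fh.read(), known_good)


if __name__ == "__main__":
    # Placeholder path; on a real system point this at sqlsodbc.chm.
    print(check_file("sqlsodbc.chm"))
```

Windows Explorer's Properties dialog gives you the size but not the hash, so it can only ever produce the 'size-only' answer; the `certutil -hashfile <file> SHA1` command built into Windows, or a script like this one, gives both.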