Do you think you will get infected only when visiting porn sites / cracks / malicious sites. LOL you get infected even when you visit yahoo.com, msn.com, 4shared.com
Currently blackhole exploit kit is heavily being used to distribute zbot via drives-by download. And blocking the domains is use less as they last only for some time (fastflux domains). And the distribution mechanism is mainly Malvertaising.
It goes this way
You visit 4shared.com —> Advertiser epom.com loads ad which goes to —> hfen.in?4shared (Malvertaiser) that loads iframe —> exploit page ( main.php?02332424247686686866887686)
You don’t have java version < 23, boom you are gone. Check you version
Actually speaking it is targeting CVE2010-0840 via worms.jar file. Surprising you cannot have you AV block worms.jar, we literally had dance with our AV provider for getting signature, every time we submit they give signature and next day another worms.jar that is not detected. And I cannot blame them exactly as I see they obfuscate java code with garbage string to avoid detection.
We have implemented controls to block cz.cc, cx.cc domains (most of initial checkin sites we see) and block urls ending with “worms.jar” in Proxy and investigate for every download of .class file. Make sure all the devices in your organization have java minor version >23.