The servers are GeoIP-aware: requesting the payload directly from an IP address in the Deutsche Telekom network resulted in an “access denied”, while the same request through a proxy in the USA made the bots deliver the malware.
But this malware – Avira detects it as TR/FraudPack.ams – is just another downloader, and it is wrapped in several encryption layers as well.
One of the encryption layers contains greetings to the company Sunbelt.
It contacts a set of “double fast-flux’ed” domains (both the A records and the NS records of the zone rotate rapidly) to fetch the actual malware: a FakeAV and an FTP password stealer which uploads the stolen data to guest books on the Internet. Avira detects these with a generic detection as TR/Crypt.ZPACK.Gen and as TR/FakeAV.RK, while the password uploader is detected as TR/Downloader.Gen.
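Double fast-flux is recognisable from DNS alone: the A records of the domain and the NS records of its zone both rotate across unrelated networks with very low TTLs. The following script is an added example, not code from the original post or from Avira; it scores a series of DNS resolutions for that pattern. The thresholds and the sample resolutions (built from RFC 5737 documentation address ranges) are constructed for the example, not observed values.

```python
"""Heuristic single/double fast-flux scoring over repeated DNS lookups.

Added example; thresholds and sample data are assumptions, not findings
from the original analysis.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Sequence


@dataclass(frozen=True)
class Snapshot:
    """One resolution of a domain: when it was taken and what came back."""
    ts: int                     # seconds since epoch
    ttl: int                    # TTL of the A answer, in seconds
    a_records: FrozenSet[str]   # IPv4 addresses in the A answer
    ns_records: FrozenSet[str]  # hostnames in the NS answer for the zone


@dataclass(frozen=True)
class FluxReport:
    distinct_ips: int
    distinct_prefixes: int  # distinct /16 prefixes across all A records
    a_changes: int          # consecutive snapshots whose A set differs
    ns_changes: int         # consecutive snapshots whose NS set differs
    min_ttl: int
    single_flux: bool       # A records churn across unrelated networks
    double_flux: bool       # A records and NS records both churn


# Assumed thresholds for the example; tune them against your own data.
MAX_TTL = 300               # flux networks need low TTLs for rotation to work
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_PREFIXES = 3   # hosts spread over unrelated networks (bot IPs)
MIN_A_CHANGES = 2
MIN_NS_CHANGES = 1


def _prefix16(ip: str) -> str:
    """Cheap stand-in for an ASN lookup: the /16 the address falls in."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))


def analyse(snapshots: Sequence[Snapshot]) -> FluxReport:
    if len(snapshots) < 2:
        raise ValueError("need at least two resolutions to measure churn")
    ordered = sorted(snapshots, key=lambda s: s.ts)
    all_ips = set().union(*(s.a_records for s in ordered))
    prefixes = {_prefix16(ip) for ip in all_ips}
    pairs = list(zip(ordered, ordered[1:]))
    a_changes = sum(1 for p, n in pairs if p.a_records != n.a_records)
    ns_changes = sum(1 for p, n in pairs if p.ns_records != n.ns_records)
    min_ttl = min(s.ttl for s in ordered)
    single = (min_ttl <= MAX_TTL
              and len(all_ips) >= MIN_DISTINCT_IPS
              and len(prefixes) >= MIN_DISTINCT_PREFIXES
              and a_changes >= MIN_A_CHANGES)
    double = single and ns_changes >= MIN_NS_CHANGES
    return FluxReport(len(all_ips), len(prefixes), a_changes, ns_changes,
                      min_ttl, single, double)


def classify(snapshots: Sequence[Snapshot]) -> str:
    r = analyse(snapshots)
    if r.double_flux:
        return "double-flux"
    if r.single_flux:
        return "single-flux"
    return "stable"


# Constructed sample resolutions (documentation ranges, not real hosts).
_NS_STATIC = frozenset({"ns1.example.net", "ns2.example.net"})
STATIC = [
    Snapshot(0, 3600, frozenset({"203.0.113.10"}), _NS_STATIC),
    Snapshot(600, 3600, frozenset({"203.0.113.10"}), _NS_STATIC),
    Snapshot(1200, 3600, frozenset({"203.0.113.10"}), _NS_STATIC),
]
# Low TTL and rotating A records but a stable NS set: what a CDN, or a
# single-flux network, looks like. NS stability is what separates the two
# classes here, so CDNs are the main false-positive risk for single-flux.
_NS_CDN = frozenset({"ns1.cdn-example.test"})
CDN_LIKE = [
    Snapshot(0, 60, frozenset({"192.0.2.1", "192.0.2.2", "198.51.100.1"}), _NS_CDN),
    Snapshot(60, 60, frozenset({"192.0.2.3", "203.0.113.1", "198.51.100.1"}), _NS_CDN),
    Snapshot(120, 60, frozenset({"192.0.2.1", "203.0.113.2", "198.51.100.2"}), _NS_CDN),
]
DOUBLE_FLUX = [
    Snapshot(0, 180, frozenset({"192.0.2.11", "198.51.100.23", "203.0.113.8"}),
             frozenset({"ns1.flux-example.test", "ns2.flux-example.test"})),
    Snapshot(300, 180, frozenset({"192.0.2.57", "203.0.113.77", "198.51.100.23"}),
             frozenset({"ns3.flux-example.test", "ns4.flux-example.test"})),
    Snapshot(600, 180, frozenset({"198.51.100.200", "192.0.2.11", "203.0.113.8"}),
             frozenset({"ns1.flux-example.test", "ns5.flux-example.test"})),
]

if __name__ == "__main__":
    for name, series in (("static", STATIC), ("cdn-like", CDN_LIKE),
                         ("flux", DOUBLE_FLUX)):
        print(f"{name:9s} {classify(series):12s} {analyse(series)}")
```

In practice the snapshots come from resolving the suspect domain every few minutes from a sandbox or a passive-DNS feed; the /16 prefix is only a cheap substitute for an ASN lookup, and the NS churn check is what keeps legitimate low-TTL CDN hostnames out of the double-flux bucket.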
(Article updated on 6 October to add more details about the malware.)