Let's dissect the attack, take into consideration the big picture, and bring a skeleton out of the closet -- one of the malware's phone-home locations is a domain exclusively used by the Russian Business Network back in January, 2008.
This particular campaign relies on an embedded malicious script that appears to be dynamically creating subdomains within the cybercriminal's controlled domain. For instance, cs.ucsb.edu.4afad2ceace1e653.should-be .cn/jan10 .cn is where the first redirection in USAID.gov's attack takes place. From there, the surfer is taken to orderasia .cn/index.php and then to orderasia .cn/iepdf.php?f=old, where the exploitation of multiple (patched) Adobe Reader and Acrobat buffer overflows takes place. Upon successful exploitation, a downloader is served whose signature-based detection rate has been improving over the past several hours.
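Two things a defender can pull out of the chain above are the redirection path itself (reconstructable from proxy logs by following Referer headers) and the tell-tale shape of the dynamically generated subdomains, where another site's hostname and a long hex token are used as labels under the attacker's registrable domain. The following is an added example, not code from the original post: it parses a few constructed proxy log lines modelled on the chain described here, rebuilds the redirect chain per client, and flags hostnames with that embedded-domain-plus-hex-token pattern. The log format, the short TLD-like label list and the "last two labels" notion of registrable domain are assumptions made for the example; a production version would use the Public Suffix List.

```python
import re

# Constructed sample proxy log lines (timestamp client method host path referer),
# modelled on the redirection chain described in the post. Not real log data.
SAMPLE_LOG = """\
2008-01-14T10:01:02Z 10.0.0.5 GET usaid.gov /index.html -
2008-01-14T10:01:03Z 10.0.0.5 GET cs.ucsb.edu.4afad2ceace1e653.should-be.cn /jan10 http://usaid.gov/index.html
2008-01-14T10:01:04Z 10.0.0.5 GET orderasia.cn /index.php http://cs.ucsb.edu.4afad2ceace1e653.should-be.cn/jan10
2008-01-14T10:01:05Z 10.0.0.5 GET orderasia.cn /iepdf.php?f=old http://orderasia.cn/index.php
2008-01-14T10:02:00Z 10.0.0.7 GET www.example.org /about -
"""

# Assumed short list of TLD-like labels; a real deployment would use the
# Public Suffix List instead of this hypothetical set.
TLD_LIKE = {"com", "net", "org", "edu", "gov", "mil", "cn", "ru", "uk"}
HEX_TOKEN = re.compile(r"^[0-9a-f]{12,}$")
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def registered_domain(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption, no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_spoofed_subdomain(host: str) -> bool:
    """Flag a hostname whose subdomain labels embed another site's domain
    (a TLD-like label such as 'edu' appearing *before* the registrable domain)
    together with a long hex token, the shape of the generated subdomains
    described in the post."""
    labels = host.lower().rstrip(".").split(".")
    sub = labels[:-2]  # everything in front of the registrable domain
    embedded_tld = any(label in TLD_LIKE for label in sub)
    hex_token = any(HEX_TOKEN.match(label) for label in sub)
    return embedded_tld and hex_token


def parse_log(text: str) -> list:
    """Parse the assumed six-field log format into dicts; '-' means no Referer."""
    rows = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, method, host, path, referer = m.groups()
        rows.append({
            "ts": ts, "client": client, "method": method,
            "host": host.lower(), "path": path,
            "referer": None if referer == "-" else referer,
        })
    return rows


def _url_of(row: dict) -> str:
    return f"http://{row['host']}{row['path']}"


def redirect_chains(rows: list, start_host: str) -> list:
    """For each client, start at a request to start_host and follow later
    requests whose Referer equals the previous URL. Returns (client, [urls])
    for every chain longer than one hop."""
    by_client = {}
    for r in rows:
        by_client.setdefault(r["client"], []).append(r)
    chains = []
    for client, reqs in by_client.items():
        for i, r in enumerate(reqs):
            if r["host"] != start_host:
                continue
            chain = [_url_of(r)]
            current = chain[0]
            for nxt in reqs[i + 1:]:
                if nxt["referer"] == current:
                    current = _url_of(nxt)
                    chain.append(current)
            if len(chain) > 1:
                chains.append((client, chain))
    return chains


def suspicious_hosts(rows: list) -> list:
    """Sorted list of hostnames in the log matching the generated-subdomain pattern."""
    return sorted({r["host"] for r in rows if looks_like_spoofed_subdomain(r["host"])})


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for client, chain in redirect_chains(rows, "usaid.gov"):
        print(client, " -> ".join(chain))
    print("suspicious:", suspicious_hosts(rows))
```

The chain reconstruction only links a request to its predecessor when the Referer matches the previous URL exactly, so a hop that strips or rewrites the Referer (a meta refresh, a JavaScript location change with a different referrer policy) will break the chain; in that case correlating by client and a tight time window is the fallback. The hostname heuristic is deliberately narrow: it only fires when both an embedded TLD-like label and a long hex token are present, which keeps ordinary multi-level hostnames such as www.cs.example.edu from being flagged.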
USAID.gov's insecurities appear to be a juicy target for cybercriminals. In 2007, the site's Tanzanian section was hacked with links redirecting to Zlob malware, followed by other research released the same year that put USAID.gov among the key spam doorways WebmasterWorld analyzed back then.
Moreover, in 2007 cybercriminals demonstrated both the ability and the desire to target international governments' web sites in an attempt to use them as infection vectors, as shown by incidents such as the malware-embedded sites of the French Embassy in Libya; the Syrian Embassy in London; the U.S. Consulate in St. Petersburg; the Dutch Embassy in Moscow; and most recently the Embassy of Brazil in India, followed by the Embassy of India in Spain - and the list is bound to expand, that's for sure.