The malware URLs themselves are hosted on cracked web servers, and those web server IP addresses often end up in SBL. Spamhaus has learned from admins of those systems that the common vector used by the attackers are FTP password cracks. Further, the attacks are not only on weak 'guessed' passwords, but the bad guys are sniffing passwords via other malware installations, so even good, strong passwords are vulnerable. Remember, FTP transmits passwords 'in the clear', not encrypted!

The way for those website owners to protect their systems is to use a protocol which protects their passwords with encryption, either SFTP (SSH File Transfer Protocol) or FTPS (FTP over SSL/TLS). There are many good secure FTP clients available. We can't list them all but two popular, free, open-source clients for several operating systems are available from FileZilla (and a Windows server) and PuTTY PSFTP.

ISPs and hosting companies, please encourage all your customers to switch to secure FTP immediately, including server support on your end. It protects everybody, including your customers and the Internet at large!