Hiding an infection in an unused SSL site
Today we saw an interesting case where no one could find badware in a website that Google reported as infected—until Google tipped us off to check the site using https (i.e., instead of testing http://example.com, we tested https://example.com). Sure enough, when we used https, an apparently unused default site loaded, along with a hidden iframe that connected to a Chinese server and downloaded a malicious payload. Besides being hard to track down, the payload would probably also slip past intrusion detection systems, network firewalls, and other devices that scan traffic as it crosses the network, as my colleague Oliver points out, because it is encrypted inside the SSL stream.
SSL aside, the default websites that web servers (including those embedded in web-enabled devices) enable out of the box can be a security risk, as today's case shows. These default sites are often left enabled and are not locked down adequately, which makes them prime targets for attack; once compromised, they can be used as the destination URL for spam or redirects.
Lesson: when installing a web server, find out which sites are enabled by default, and either disable them or secure and monitor them.
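As an added example (not code from the original post), here is a small Python audit script for the check described above: it fetches a host's document root over http and over https separately, since they may be different sites, and flags iframes that are hidden or point off-site. All hostnames, the SAMPLE responses and the function names are constructed assumptions; the fetch helper deliberately skips certificate verification because an unused default SSL site may present a certificate that does not match the hostname.

```python
import ssl
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):  # html.parser lowercases tag/attr names
        if tag == "iframe":
            self.iframes.append({"src": "", **{k: (v or "") for k, v in attrs}})

def is_hidden(attrs):
    """An iframe a visitor never sees: styled away, or one pixel or smaller."""
    style = attrs.get("style", "").replace(" ", "").lower()
    sizes = [attrs.get(k, "").strip().rstrip("px") for k in ("width", "height")]
    return ("display:none" in style or "visibility:hidden" in style
            or any(s.isdigit() and int(s) <= 1 for s in sizes))

def suspicious_iframes(html, site_host):
    """Return iframes that are hidden or whose src points off-site."""
    parser = IframeCollector()
    parser.feed(html)
    flagged = []
    for a in parser.iframes:
        offsite = (urlparse(a["src"]).hostname or site_host) != site_host
        if offsite or is_hidden(a):
            flagged.append({"src": a["src"], "hidden": is_hidden(a), "offsite": offsite})
    return flagged

def fetch(url):
    """Audit fetch: cert checks are off so a default site with a mismatched cert loads."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

def audit(host, fetcher=fetch):
    """Check the http:// and https:// roots separately; they may be different sites."""
    report = {}
    for scheme in ("http", "https"):
        try:
            report[scheme] = suspicious_iframes(fetcher(f"{scheme}://{host}/"), host)
        except Exception as exc:  # an unreachable scheme is worth recording too
            report[scheme] = f"error: {exc}"
    return report

SAMPLE = {"http://example.com/": "<html><body>Welcome</body></html>",  # constructed, hypothetical hosts
          "https://example.com/": '<iframe src="http://bad.example.net/x.html" width="0" height="0"></iframe>'}
```

Running `audit("example.com")` against a live host uses the real fetcher; `audit("example.com", fetcher=SAMPLE.__getitem__)` replays the constructed responses offline and reports the hidden off-site iframe only on the https side.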