These functions set a cookie and create a hidden iframe in the page that redirects to a second website containing additional malicious code. In a blog post, MalwareMustDie, the author who discovered this malware family describes in more detail how this cookie may be used to determine the type of malware that is served from the second website.
Protecting users against these attacks involves keeping machines and web browsers fully patched to minimise the number of vulnerabilities that an attacker can exploit. However, there will always be a time lag between a vulnerability being discovered, a patch being released and the patch being installed on all machines on a network. During this period, machines may be vulnerable to attacks such as these. Administrators can ensure that compromised websites hosting malicious content are kept away from end users by filtering web traffic at the network level with solutions such as Cisco’s Web Security Appliance, or filtering web traffic in the cloud with Cisco’s Cloud Web Security. These solutions detect the malicious content and block it before it can reach visitors’ machines, helping to ensure that machines are protected no matter how well patched (or not) they may be.
Website administrators need to be vigilant to ensure that web servers are also fully patched and that the passwords required for administrators to access the web server are difficult to guess, and frequently changed. Regularly monitoring web pages to identify when modifications are made is good practice to swiftly identify unauthorised changes so that they can be remediated and the means by which the attacker gained access fixed.
One thing is certain, no website, no matter how reputable, can be assumed to always be free of malware and users must take this into account when browsing the web.