By: Lucian Constantin | 15th July 2011
The attack doesn’t seem to be limited to any particular type of website or web server, suggesting that the compromise vector might be stolen FTP accounts.
Since the purpose of the attack is to distribute a variant of the ZeuS information stealing trojan, this theory is even more likely.
The injected code redirects visitors to a third-party page which launches PDF and Java exploits. Successful attacks install a ZeuS variant.