What does this code do?
Any Internet user who pointed their browser at the site would have the bad code downloaded and run inside their Internet Explorer or other web browser. The web browser would run this code just like all the other "good" code that shows us the text, images and links that make up the web page we're viewing. The bad code is smart. It pulls down more code from various places, jumping from China to Ukraine and back to China. That kind of world-hopping behavior makes it pretty tough for the good guys to track down the bad guys. Here's a simple view:
During Step 3, the code tries to infect our computer, betting that our Windows software is not up to date, as Microsoft warns here, or that we have not updated our Adobe PDF viewer, as Adobe warns here and here. In spite of these warnings from software vendors, an alarming percentage of computers remain out of date and vulnerable to infection.
The code in Step 3 is identified on http://www.virustotal.com/ as the (variously named) Zbot Trojan. The trojan installs a keylogger, steals sensitive data and enables fraudulent banking transactions. One thing to note in the following screenshot is that only some antivirus products detect the infection. If you were running Trend Micro or McAfee when you visited the site you would not have been protected.
http://www.virustotal.com/ analysis of the infection
So the upshot of the above is: simply browsing to the credit union website can get you infected with a trojan that steals your money.
How did the code get there?
It's likely that the company managing the website did not keep the operating system, database, web server or other software up to date, allowing criminals to gain administrative access to the server and insert the bad code. The company needs to make sure the servers are up to date with the latest patches from Microsoft and the other vendors, just like we need to do with our own computers.
The malicious code has been removed from the banking website we are profiling here. That doesn't mean it won't be back. Authentium continues to scan banking and shopping websites to make sure that users of our SafeCentral secure browsing service are as protected as possible. SafeCentral is designed to provide safe web transactions even if you've been unlucky enough to visit a website that has infected your computer.