"The attack was observed on a currently running server located in China, which is serving malware," said Moshe Basanchig, an M86 Security researcher, in a blog post on Tuesday.
This code is responsible for fetching the payload in multiple chunks and assembling it back together on the client before executing it. Different pages found by M86 on the attack server exploited vulnerabilities in unpatched versions of Flash Player and Internet Explorer.
This payload fragmentation technique makes it harder for signature-based security programs to detect the attacks. Many Web filtering mechanisms are implemented as network filter drivers and monitor traffic as it passes through the network interface.
However, when there are chunks of legitimate-looking code that only become malicious when combined in the browser's memory, it's much harder to build a signature and detect the attack at network interface level.
"The main reason that malware authors use AJAX is the ability to write generic attack pages which look benign and become malicious only once the dynamic content is loaded," Basanchig said.
"This attack scenario definitely has its advantages: by passing the payload in several distinct chunks, the offending packets would likely avoid interception as they pass through the firewall," said Bogdan Botezatu, an e-threats analyst at antivirus vendor BitDefender.
However, according to Botezatu, other protection layers found in antivirus programs might detect and block the code when it gets re-assembled in memory or when it's executed. In order to avoid becoming a victim when automated detection methods fail, though, users should keep their browsers and plug-ins like Flash Player, Adobe Reader or Java, up to date.
"Last, but not least, it is essential for the user to stay away from web resources they are not familiar with, such as URLs included in spam mail," Botezatu said.