In the labs we keep a close eye on malicious injected code to legitimate Web sites, as ThreatSeeker monitors dynamically thousands of those every day. Keeping such a close eye on things reveals, from time to time, interesting findings. Last week we found a low perimeter attack of such injected code, which, as a whole, looked like a good case study. In this blog, we’re going to take a look at an injected attack from top to bottom; we’ll achieve this by dissecting the injected code, analyzing the payload site, and doing some malcode analysis on the resulting dropped malware.