"The installed malware often enables an adversary to gain remote control over the compromised computer system and can be used to steal sensitive information such as banking passwords, to send out spam or to install more malicious executables over time."
It's also useful to know "the four prevalent mechanisms used to inject malicious content on popular websites: web server security, user contributed content, advertising and third-party widgets". As an example of widget, the study mentions a free stats counter that required users to include links to some external JavaScript files in order to monitor the traffic. At some point, the files started to include exploit code. In this case, the malware was outside the control of the webmaster, but could still be dangerous to the users.
"Examining our data corpus over time, we discovered that the majority of the exploits were hosted on third-party servers and not on the compromised web sites. The attacker had managed to compromise the web site content to point towards an external URL hosting the exploit either via iframes or external JavaScript."
Google started to flag the web sites that try to install malware (example of query). They're still included in Google's index, but you'll have to manually copy the URL and paste it in the address bar to visit the site. Most of the pages let you download pirated software and music. Also the newest version of Google Desktop shows warnings if you visit one of these sites.
The best defense against these threats is to use more secure browsers like Firefox or Opera and to install anti-virus / anti-spyware software (Google Pack includes all of these: Firefox, Norton Security Scan and Spyware Doctor, but there other free alternatives).
{ via BBC, that hires people who don't know how to count and draw the inaccurate conclusion that "one in 10 web pages scrutinised by search giant Google contained malicious code that could infect a user's PC" .}
