Websense analyzes Web-Attacker. Web-Attacker is the most popular toolkit for building malicious sites. It's supposedly used by one third of the malicious sites discovered:
Dear Friends! We would like to offer you multi-component exploit Web-Attacker, that realizes vulnerabilities in the internet browsers Internet Explorer and Mozilla Firefox. With the help of this exploit you will be able to install any programs on the local disks of visitors of your web pages. In the foundation of work of the exploit Web-Attacker, there are 7 already-known vulnerabilities in the internet browsers.
Objective of the Exploit: Hidden drop of the executable from the deleted source to the local hard drive of the site visitor.
It costs $300 and provides a few files to help you build your own malicious site. Just provide malware, a keylogger, or whatever you want to infect your visitors with.
Websense explains how the toolkit works: a PHP file is hidden in an iframe to start the attack. It then calls a Perl CGI script, which tries to detect which exploit should be used on the victim's computer.
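For site owners checking their own pages for this kind of injection, here is an added example (not from Websense or the original post) that scans HTML for invisible iframes and marks those whose `src` is a PHP script. The function names, the hiding heuristics (0 or 1 pixel size, `display:none`, `visibility:hidden`) and the sample page with its hostnames are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that make an element invisible (assumed heuristics, not from the page).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    return value is not None and value.strip().rstrip("px").strip() in ("0", "1")

class HiddenIframeFinder(HTMLParser):
    """Collects invisible iframes and notes whether each one loads a PHP script."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size attribute")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            src = a.get("src", "")
            self.findings.append({
                "src": src, "reasons": reasons, "line": self.getpos()[0],
                "php_target": urlparse(src).path.lower().endswith(".php")})

def find_hidden_iframes(html):
    """Return one finding per invisible iframe in the given HTML text."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page: two legitimate visible iframes, two hidden ones.
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://maps.example.org/embed?id=7" width="600" height="400"></iframe>
<iframe src="http://ads.example.net/stats/index.php?id=3" width="0" height="0"></iframe>
<iframe src="/widgets/news.html" style="border-width:0; width:100%"></iframe>
<iframe src="http://cdn.example.net/c.php" style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE):
        print(f["line"], f["src"], f["reasons"], "PHP" if f["php_target"] else "")
```

A hit is only a lead for review: some legitimate widgets also use hidden iframes, and script-generated iframes will not appear in static HTML.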