It's gotten to a point where it's just not safe to browse the web. You no longer even have to click on an ad to become infected, and it doesn't even need to be a suspicious looking ad. Legitimate web sites are playing these ads that infect your computer. Sites like New York Times, Yahoo, Fox, and yes, even some Google pages! http://news.cnet.com/8301-27080_3-20000898-245.html?tag=newsLeadStoriesArea.1
Antivirus prevents some malware, but not all. It's also a losing battle, since some of these things change their signature hourly. How often does your antivirus update? Remember to factor in the time for the antivirus authors to discover, fix, test, and issue a new patch.
Am I wrong in thinking that to have your computer infected with a virus something needs to be uploaded to your computer? The article mentioned something about a JavaScript code. Could that not be recognized and aborted? That way a real person does not have to identify it as malicious.
All I'm saying is there is no "sure-fire" way to avoid malware (virus/trojan/worm/adware). Every precaution you take reduces the risk, but never assume your computer can't get infected.
According to the article, this particular trojan searches for vulnerabilities in whatever can interpret the javascript (Adobe Reader, Flash Player, etc). So, to stop this particular trojan, if it's embedded in a file, antivirus may be able identify it. If it's on the web, you'd need some kind of anti-virus scanner that watches your TCP stream. As far as I know, none do. For that delivery method, you'd need to have all the exploitable apps patched sufficiently to close the vulnerabilities before they can be exploited.
In all of these cases, it requires the fore-knowledge of (a) what the attacking script attacks and how it does it, and for the antivirus (b) a "signature" that catches this exact attack and ones like it.
My point was that the attackers will ALWAYS be ahead of the defenders, since clairvoyant software hasn't been invented. So while this particular attack from the article (JS:whatsit or whatever Avast named it) can be stopped, it doesn't mean you're suddenly safe from all trojan-embedded advertisements. We can't possibly know all the ways malicious code will manifest.
I don't disagree with you. I just thought there would be a way to protect against these types of things. Though, as you said, they change all the time.