Live in action: botnet, fake Windows sites and keylogger
Written by Suzi Turner, Contributor

This has been occupying a lot of my attention since Friday. It started off with a message at my SpywareWarrior forum from Adam Piggott of Proactive Computing, about a spam email (screenshot) he received purporting to be from Microsoft. The email had a link to a supposed Windows update site, but, in fact, the link went to a site running the WMF exploit. On an unpatched Windows computer, the exploit hits immediately, with no user action beyond loading the page. Social engineering is also at work: the site urges users to click a link to get Windows updates. Either way, whether the machine is unpatched or the user is patched and clicks the link, the result is a trojan downloader; in this case the file is named wusetup.exe.
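As an added example, not code from the original post or from Sunbelt: the WMF vulnerability this site used (MS06-001) was triggered by a META_ESCAPE record carrying the SETABORTPROC escape function, something a normal metafile image has no reason to contain. The Python below walks the WMF record structure and flags any such record, keyed on content rather than file extension. The record builder, the two sample files and the placeholder payload bytes are constructed here for the demonstration and are not samples from this campaign.

```python
import struct

# WMF constants (MS-WMF): placeable-header magic, record function numbers and
# the Escape function number that the December 2005 WMF vulnerability abused.
PLACEABLE_MAGIC = 0x9AC6CDD7
META_EOF = 0x0000
META_SETMAPMODE = 0x0103
META_ESCAPE = 0x0626
SETABORTPROC = 0x0009


def parse_wmf_records(data: bytes):
    """Walk a WMF blob and yield (offset, function, params) for each record.

    Skips an optional 22-byte Aldus placeable header, validates the 18-byte
    META_HEADER, then reads RecordSize (DWORD, in WORDs) / RecordFunction
    (WORD) records up to and including META_EOF. Truncated files simply end.
    """
    off = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated META_HEADER")
    file_type, header_words = struct.unpack_from("<HH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF metafile header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)
        if size_words < 3:
            raise ValueError(f"impossible record size at offset {off}")
        end = off + size_words * 2
        yield off, func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end


def find_setabortproc(data: bytes):
    """Return [(record_offset, byte_count, escape_data)] for every META_ESCAPE
    record whose escape function is SETABORTPROC. A benign image has no reason
    to carry one, so any hit is a red flag."""
    hits = []
    for off, func, params in parse_wmf_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            esc_func, byte_count = struct.unpack_from("<HH", params, 0)
            if esc_func == SETABORTPROC:
                hits.append((off, byte_count, params[4:]))
    return hits


def is_suspicious_wmf(data: bytes) -> bool:
    """True if the blob parses as WMF and contains a SETABORTPROC escape.
    Input that is not a WMF file is reported as not suspicious, not an error."""
    try:
        return bool(find_setabortproc(data))
    except ValueError:
        return False


# --- constructed test files (not real samples from the campaign) ---------

def wmf_record(func: int, params: bytes = b"") -> bytes:
    """Encode one WMF record; parameters are padded to a WORD boundary."""
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def wmf_file(records) -> bytes:
    """Wrap records in a minimal META_HEADER (memory metafile, version 3.0)."""
    body = b"".join(records) + wmf_record(META_EOF)
    max_record_words = max(len(r) // 2 for r in records) if records else 3
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2,
                         0, max_record_words, 0)
    return header + body


# A harmless metafile: one SetMapMode record, then EOF.
BENIGN_WMF = wmf_file([wmf_record(META_SETMAPMODE, struct.pack("<H", 8))])

# Placeholder bytes stand in for attacker code; the detector keys on the
# record structure, not on the payload contents.
FAKE_PAYLOAD = b"\xcc" * 8
MALICIOUS_WMF = wmf_file([
    wmf_record(META_ESCAPE,
               struct.pack("<HH", SETABORTPROC, len(FAKE_PAYLOAD)) + FAKE_PAYLOAD),
])


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WMF), ("malicious", MALICIOUS_WMF)):
        print(f"{name}: suspicious={is_suspicious_wmf(blob)} "
              f"hits={find_setabortproc(blob)}")
```

The check is structural rather than signature-based on purpose: the downloader served by these sites can be repacked faster than scanners update, but any file that asks GDI to set an abort procedure is worth blocking whatever its name or hash.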

Note that I'm using the present tense because, even though we got the first site shut down Friday evening, another almost identical site is now up and, as far as I know, still live. Authorities and the ISP hosting the second site have been notified. The site is hosted in the US. I made a video (WMV) of the exploit at the first site, now shut down.

The trojan downloader pulls more malware that turns the infected machine into a proxy server and makes it part of a botnet hosted on Russian servers. The trojan also downloads a keylogger, winldra.exe, also known as W32/Dumaru and Srv.SSA-KeyLogger. This keylogger is writing information stolen from infected machines to a log on a remote server -- the same situation as described here in SunbeltBLOG's post last August when their researcher discovered the first of this new series of winldra variants.

For more details on this current exploit and botnet, see SunbeltBLOG's write-up, which includes screenshots of the fake Windows update site and of the live botnet on the Russian server. Note: the trojan downloader file wusetup.exe is currently detected by fewer than half of the antivirus scanners at virustotal.com. Sunbelt's screenshot here.