09/22/2006 | VML Candid Camera
So, we fired up our trusty video capture tools and pointed a VMware Workstation guest at a random site where our miners had recently discovered an iframe containing a VML exploit.
But...what's this? Nothing happened, or so it seemed.
We were hoping to capture another onslaught of spyware, but this malware author had something else in mind. Digging a little further, we discovered that this exploit is being used to install a new variant of a keylogger called Goldun. The attacker doesn't want you to be suspicious, so they have made certain that the infection process is as unobtrusive as possible. You are given no indication that there was anything wrong with the website you just visited.
After we visit the infected site, we log into a PayPal account to show you an example of the information that can be stolen. This keylogger operates by indiscriminately capturing the entire contents of EVERY web form on any page -- all data entered into your financial, webmail, and intranet sites can be captured. We added some commentary to the end of the video to provide a brief explanation of what happens behind the scenes.
Enjoy!
http://www.websense.com/securitylabs/images/alerts/vml-movie.wmv
WARNING:
Visiting the website shown in this video can and will infect your computer - even if you have removed vgx.dll - it contains multiple exploits, including one for an older version of Firefox. Please DO NOT visit this site.
Note on our codec choice:
We chose WMV9 because we've found it to be the only widely installed codec that keeps desktop text readable while maintaining a web-friendly file size. Hint to our 'nix friends: apt-get install w32codecs