Last night our Hunting Pots found this in use in the wild at some of the St Petersburg iframers' sites, installing rootkits and who knows what else, and this morning we found it in use at the CWS sites. It infects a fully patched XP SP2 quite nicely.
The CWS people have only been using WMF since December/January, and have a very big, well-established network for drawing in victims. Imo, this represents a significant escalation.
The last time I examined it in detail, the CWS guys make money by selling their search engine to minor website operators with a pitch along the lines of “Pay us $100 per month, and we’ll guarantee 80m visitors each month”.
Then when a victim visits one of their exploit sites, they install a URL-visiting program and a list of URLs. The URL-visitor then visits each customer website in turn, forging the headers to make it look like a real visitor referred by the bogus search engine.
The minor website operator sees his 80m visitors a month, but doesn't realize that they are just PCs... no human eyes at all.
If they could make money with WMF, they’ll be rich from this one.