Our friends at Websense have recorded what happens when a workstation visits an infected site exploiting the current VML issue. They did a similar video when the WMF zero-day was released and their workstation was instantly flooded with Spyware applications and pop-ups galore. It was an impressive sight and obvious that they had just visited an infected site.
From the site:
So, we fired up our trusty video capture tools and pointed a VMWare workstation at a random site where our miners had recently discovered an iframe containing a VML exploit.
But…what’s this? Nothing happened, or so it seemed.
We were hoping to capture another onslaught of Spyware, but this malware author had something else in mind. Digging a little further, we discovered that this exploit is being used to install a new variant of a keylogger called Goldun. The attacker doesn’t want you be suspicious, so they have made certain that the infection process is as unobtrusive as possible. You are given no indication that there was anything wrong with the website you just visited.
After we visit the infected site, we log into a PayPal account to show you an example of the information that can be stolen. This keylogger operates by indiscriminately capturing the entire contents of EVERY web form on any page — all data entered into your financial, webmail, and Intranet sites can be captured. We added some commentary to the end of the video to provide a brief explanation of what happens behind the scenes.