According to Roger Thompson on the Exploit Prevention Labs Blog, the hacker used a very popular scheme for his dirty work: an image-background href that prompts the user to install the malware every time they click outside the designated area of a certain button:

“Now, we keep finding MySpace pages that have had some sort of image-background link injected, that are reaching out to a different site in China that is both throwing exploits and using social engineering to install rootkits and (probably) dns-changers.

The interesting thing about this is that rather than using an iframe for an automatic embed, as they usually do, they’ve added some sort of image background href, with a large size … 8000 by 1000 pixels, with the effect that a click that slightly *misses* a control or link on the page, ends up going to the exploit site.”

The scheme might prove very effective, given the nature of the page, Thompson stressed:

“The fact that this site is media-rich, with lots of sound and videos means that the FakeCodec trick will be much more effective. The click-er is probably expecting to see a vid, or hear a song, and is quite likely to think he genuinely needs to install something extra.”

At this time there are no known effects of the rootkit. However, be certain that they will come up given time, with infected users finding that their credit cards have been emptied or that some of their accounts refuse to accept their old passwords. And there are many more possibilities, so don’t be quick to install every codec wannabe that happens to pop up out of nowhere.
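The trick Thompson describes is an anchor whose click target has been made far larger than any real control, so stray clicks land on an off-site link. The following added example (not code from the original post or from Exploit Prevention Labs) scans profile HTML for exactly that pattern: a link to another host whose own inline size, or the size of an image inside it, exceeds a plausible control size. The host name, thresholds and sample markup are constructed for the demonstration.

```python
"""Flag oversized clickable regions that point off-site (constructed example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed thresholds: no ordinary button or thumbnail is this large.
MAX_WIDTH, MAX_HEIGHT = 2000, 800


def _px(style, prop):
    """Extract an integer pixel value for `prop` from an inline style string."""
    m = re.search(prop + r"\s*:\s*(\d+)px", style or "")
    return int(m.group(1)) if m else None


class OversizedLinkFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.hits = []
        self._open_hrefs = []  # stack of enclosing <a href> values

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a":
            self._open_hrefs.append(a.get("href", ""))
            self._check(a["href"] if "href" in a else "", _px(a.get("style"), "width"),
                        _px(a.get("style"), "height"), "anchor style")
        elif tag == "img" and self._open_hrefs:
            # An <img> inside an <a> inherits the anchor's click target.
            w = int(a["width"]) if a.get("width", "").isdigit() else _px(a.get("style"), "width")
            h = int(a["height"]) if a.get("height", "").isdigit() else _px(a.get("style"), "height")
            self._check(self._open_hrefs[-1], w, h, "image inside anchor")

    def handle_endtag(self, tag):
        if tag == "a" and self._open_hrefs:
            self._open_hrefs.pop()

    def _check(self, href, width, height, via):
        host = urlparse(href).hostname or self.site_host  # relative links stay on-site
        off_site = host != self.site_host and not host.endswith("." + self.site_host)
        if off_site and ((width or 0) > MAX_WIDTH or (height or 0) > MAX_HEIGHT):
            self.hits.append({"href": href, "width": width, "height": height, "via": via})


def find_oversized_links(html, site_host):
    """Return every off-site link whose click target exceeds the thresholds."""
    parser = OversizedLinkFinder(site_host)
    parser.feed(html)
    return parser.hits


# Constructed profile fragment: one normal link, one injected 8000x1000 overlay.
SAMPLE_HTML = (
    '<a href="http://www.myspace.com/friends"><img src="f.gif" width="120" height="40"></a>'
    '<a href="http://exploit-host.invalid/codec" '
    'style="background:url(bg.gif);width:8000px;height:1000px;position:absolute"></a>'
)
```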