Joe Stewart is the man . . . I have a ton of respect for him and everyone at Team Cymru. They teamed up to find the C&C for the Mega-D trojan and Joe has done another one of his excellent write-ups here: http://www.secureworks.com/research/threats/ozdok/?threat=ozdok
What I find interesting is:
Joe doesn't explicitly link Ozdok / Mega-D to any particular web-based 0-day, but there have been a number of 0-days in various products in recent months (Acrobat, QuickTime, etc.) that could have been used to infect these 35,000 machines.
Here's the recipe for disaster:
The bad guys compromise a legitimate Apache / PHP server and set it up to serve up the exploit + malware payload . . . BUT they can make the PHP pages they upload hand out the exploit only a certain number of times to a given IP address, or only hand out the exploit + payload if you click through to the page from a search engine result, or a combination of both, to make it harder for first responders to figure out where it came from. The bad guys can purchase or download all of the major AV packages and continually refine their malware until it is no longer detected by any of them (and in fact they probably automate this process!).
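The flip side for the first responder is that both tricks leave a trace in the compromised server's own access log: a page that hands out a different-sized response to search-engine referrals than to direct visits, and IPs that get the large response only on their first hit. The following is an added example (mine, not from Joe's write-up or this post) that looks for exactly that in Apache combined-format log lines; the log lines, the path names and the search-engine host list are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse
# Apache "combined" access-log format: host, ident, user, [time], "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.", "live.")  # assumed list, extend as needed
# Constructed sample: /news.php gives a search-engine visitor one large (exploit) page and
# then the normal small page; direct visitors only ever get the small page. /about.php is clean.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2009:10:00:01 +0000] "GET /news.php HTTP/1.1" 200 48211 "http://www.google.com/search?q=news" "Mozilla/4.0"',
    '203.0.113.5 - - [10/Jan/2009:10:00:09 +0000] "GET /news.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=news" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Jan/2009:10:01:13 +0000] "GET /news.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Jan/2009:10:02:30 +0000] "GET /about.php HTTP/1.1" 200 3300 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [10/Jan/2009:10:03:00 +0000] "GET /about.php HTTP/1.1" 200 3300 "http://www.google.com/search?q=about" "Mozilla/4.0"',
]

def referer_class(ref):
    """Classify the Referer as 'direct' (none), 'search' (search engine) or 'other'."""
    if ref in ("", "-"):
        return "direct"
    host = urlparse(ref).hostname or ""
    return "search" if any(s in host for s in SEARCH_ENGINE_HOSTS) else "other"

def parse(lines):
    """Yield (ip, path, referer_class, size) for each HTTP 200 request; unparsable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        size = int(m.group("size")) if m.group("size").isdigit() else 0
        yield m.group("ip"), m.group("path"), referer_class(m.group("ref")), size

def find_referer_gated_paths(lines):
    """Return {path: [sizes]} for paths where search-engine visitors got response sizes
    that direct visitors never saw: the signature of referer-gated content."""
    sizes = defaultdict(lambda: defaultdict(set))
    for _, path, cls, size in parse(lines):
        sizes[path][cls].add(size)
    return {p: sorted(c["search"] - c["direct"])
            for p, c in sizes.items() if c["search"] - c["direct"]}

def per_ip_sizes(lines, path):
    """Response sizes each IP received for one path, in log order; a large first
    response followed only by small ones suggests a per-IP serving limit."""
    seen = defaultdict(list)
    for ip, p, _, size in parse(lines):
        if p == path:
            seen[ip].append(size)
    return dict(seen)
```

Run both functions over the full log of a suspect server and follow up on any flagged path by pulling the PHP source from disk rather than fetching it over HTTP, since the gate may already have "used up" your IP.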
A strange game - the only winning move is not to play.