All articles licensed under a Creative Commons License.

Thursday, November 25, 2004

Xpire and Splitinfinity pulled: Many hacked servers, infection sites still left.

After submitting the Xpire/Splitinfinity report to various organisations, a co-ordinated effort has resulted in the main infection sites (i.e. the domains from which the malware files are called) apparently being taken offline: sp2fucked, splitinfinity and xpire are all currently out of action.

However, the bad news is that there are still untold numbers of hacked servers out there, and (worse still) we are discovering a massive network of rogue install points spread across numerous URLs. So even though some sites will no longer hit you with the full install, you will still be on the receiving end of a nasty payload (which changes daily).

Once we have researched these new URLs further and gathered all relevant information, we will make these new domains public. Until then, the best advice we can give is to surf sensibly, stay fully patched and use another browser.

Coverage of this event is slowly creeping across news sites and report centres; see SANS and The Register for more information.

Though some sites are connecting this to the Bofra IFRAME exploit, we don't currently see any concrete ties other than that they occurred at roughly the same time, possibly to throw everyone off the scent.

The document below has been updated to include details of another infection site, and makes for an interesting (and scary!) read:

DOWNLOAD:

Download the complete rundown in PDF format, detailing the server exploit, the packet injection process, the malware downloads, the infected sites, and how to protect your server and desktop PC:

Xpire/Splitinfinity Exploit: Server hack / Malware install analysis

Mirror, kindly hosted by Spyware Warrior.com

All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.