Related Articles:
Major hack attack: 20/11/2004
Main sites pulled: 25/11/2004
PHPBB Attack: 29/11/2004

Please note - the site has now changed and none of the links to the left work. This is an old page from 2004. The updated site can be found at www.vitalsecurity.org.

Major Hack attack discovered:
DOWNLOAD: Download the complete rundown in PDF format - detailing the server exploit, the packet injection process, the malware downloads, infected sites, how to protect your server and desktop PC:
Xpire/Splitinfinity Exploit: Server hack / Malware install analysis
Mirror, kindly hosted by Spywarewarrior.com
We have discovered that a group of hackers (perhaps even a criminal gang) is hacking web servers all over the Net and installing rootkits that dynamically inject code into the pages served from the compromised web servers. The injected code effectively serves as a "front door" to a number of different pages at these domains:
sp2fucked.biz
splitinfinity.info
xpire.info
Similar to Download_Ject, only this time it works on Apache servers rather than Windows.
Using iframes, a number of sites install anything up to 8MB worth of exploits on a user's machine - viruses, trojans, scripts, malware packages - you name it, you'll end up with it.
Several other domains are used in that installation/exploit process, including:
69.50.168.147
195.178.160.30
213.159.117.133
b00gle.info
coolsearch.biz
newiframe.biz
pizdato.biz
Fair warning: do NOT visit any of these domains unless your box is well defended and updated, and you are prepared to deal with the unexpected.
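As an added example (not code from the original vitalsecurity.org page), the following scanner checks HTML fetched from your own web server for injected iframes that point at the domains and IP addresses listed above, or that are sized to be invisible; the sample page it runs on is constructed for the demonstration.

```python
# Added example: detect injected <iframe> tags in served HTML. Not part of the original article.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators taken from the article above (domains and IPs used in the injection chain).
KNOWN_BAD_HOSTS = {
    "sp2fucked.biz", "splitinfinity.info", "xpire.info",
    "69.50.168.147", "195.178.160.30", "213.159.117.133",
    "b00gle.info", "coolsearch.biz", "newiframe.biz", "pizdato.biz",
}


class IframeScanner(HTMLParser):
    """Collects every <iframe> whose src host is a known-bad host (or a subdomain of one),
    plus any iframe sized to be invisible, which is the usual sign of an injection."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if not host and "://" not in src:
            # scheme-less src such as "xpire.info/x": re-parse with a scheme to get the host
            host = (urlparse("http://" + src).hostname or "").lower()
        known_bad = any(host == h or host.endswith("." + h) for h in KNOWN_BAD_HOSTS)
        hidden = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if known_bad or hidden:
            self.findings.append({"src": src, "host": host, "known_bad": known_bad, "hidden": hidden})


def scan_html(html):
    """Return a list of suspicious iframes found in the given HTML."""
    parser = IframeScanner()
    parser.feed(html)
    return parser.findings


# Constructed sample: a normal page with a zero-sized iframe appended after </html>,
# the way code injected by a compromised server would appear to a visitor.
SAMPLE = (
    "<html><body><h1>Welcome</h1>"
    "<iframe src='https://maps.example.com/embed' width='400' height='300'></iframe>"
    "</body></html>"
    "<iframe src='http://xpire.info/index.php' width='0' height='0'></iframe>"
)

if __name__ == "__main__":
    for finding in scan_html(SAMPLE):
        print(finding)
```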
The software installed on users' PCs appears to vary. Sometimes the exploit pages listed above push porn dialers onto victims' PCs; other times a whole host of spyware and adware packages is installed. The packages that we've seen installed via this exploit include:
180solutions
BlazeFind
BookedSpace
BullsEye Networks
CashBack (Bargain Buddy)
ClickSpring
CoolWebSearch
DyFuca
Hoost
IBIS Toolbar
Internet Optimizer
ISTbar
Power Scan
SideFind
TIB Browser
WebRebates (TopMoxie)
WhenU (VVSN)
Window AdControl
WindUpdates
YourSiteBar
There have been a few other public discussion threads on the Net about this exploit. In particular, see:
Spyware Warrior Weblog
The worst thing is, these malware installations are just a front for massive sets of zombie boxes, and they're getting ready to point them somewhere. If you're an admin of an Apache box, PLEASE ensure that you are fully patched, especially in the area of OpenSSL exploits.
More will likely be made public in the coming weeks, but the infection is making its way round many home users' PCs, and if you end up being hijacked, nothing short of a reformat will remove the garbage from your system.
IE-Spyad will block the domains listed:
https://netfiles.uiuc.edu/ehowes/www/resource.htm
We will be posting regular updates on this as we get them - please keep checking back for more information.
Paperghost
Please help spread the word by placing a link to this article on your sites. As much exposure as possible is needed here.
All Content © Vitalsecurity.org 2004. All Rights Reserved