Related Articles:
Major hack attack: 20/11/2004
Main sites pulled: 25/11/2004
PHPBB Attack: 29/11/2004

Xpire and Splitinfinity pulled:
After we submitted the Xpire/Splitinfinity report to various organisations,
a co-ordinated effort has resulted in the main infection sites (i.e. the
domains where the malware files are called from) apparently being taken
offline - sp2fucked, splitinfinity and xpire are all currently out of action.
However, the bad news is that there are still untold numbers of hacked servers
out there, and (worse still) we are discovering a massive network of rogue
install points, spread across numerous URLs. So even though some sites will
not now hit you with the full install, you'll still be on the receiving
end of a nasty payload (which changes daily).
Once we have researched these new URLs further and gathered all relevant
information, we will make these new domains public. Until then, the best
advice we can give is to surf sensibly, stay fully patched and use
another browser.
Coverage of this event is slowly creeping across news sites and report centres
- see SANS and The Register for more information.
Though some sites are connecting this to the Bofra IFRAMES exploit, we don't
currently see any concrete ties, other than that they occurred at roughly the
same time - possibly to throw everyone off the scent.
The document below has been updated to include details of another infection site - an interesting (and scary!) read:
DOWNLOAD:
Download the complete rundown in PDF format - detailing the server exploit,
the packet injection process, the malware downloads, infected sites, how to
protect your server and desktop PC:
Xpire/Splitinfinity Exploit: Server hack / Malware install analysis
Mirror, kindly hosted by Spyware Warrior.com
Paperghost
Please help spread the word by placing a link to this article on your sites. As much exposure as possible is needed here.
All Content © Vitalsecurity.org 2004. All Rights Reserved