I know this sort of attack has been around for a while, though perhaps not quite in this way and not with quite as many servers affected. There is a report over at SANS talking about an XSS VBScript malware that injects malware. Ben Heinkel alerted me to it and put up two screenshots showing how the code actually worked. Pretty nasty stuff, especially as it appears there is no virus definition for this particular variant yet.
However, there are two things about this that are more interesting from an attack perspective. The first is that this was not calling malware that was uploaded to the site that had been compromised. Why bother? Since the sites themselves had XSS holes on them (I’m assuming persistent), the only requirement was that the executable and VBScript were housed somewhere on the Internet. No longer do you have to upload your malware to the machine you want to infect people from. Who needs all that hassle when all you really want to do is link to it?
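Because nothing is uploaded to the affected site, a file-system scan of the server finds nothing; what gives the injection away is stored markup that makes the browser fetch from a host the site does not normally use. The following is an added example, not code from the SANS report or the screenshots: a check over rendered or stored HTML that lists off-site script, iframe, embed and object loads. The host names, the allowlist and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags and the attribute that makes a browser fetch a remote resource.
LOADERS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class OffSiteLoadFinder(HTMLParser):
    """Collects resource references that resolve to hosts outside an allowlist."""

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts}
        self.allowed.add(urlparse(page_url).hostname)  # the site's own host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SCRIPT SRC=...> matches.
        attr = LOADERS.get(tag)
        if attr is None:
            return
        attrs = dict(attrs)
        ref = attrs.get(attr)
        if not ref:
            return
        # Resolve relative and scheme-relative (//host/x) references first.
        host = urlparse(urljoin(self.page_url, ref.strip())).hostname
        if host and host not in self.allowed:
            lang = (attrs.get("language") or attrs.get("type") or "").lower()
            self.findings.append((tag, host, "vbscript" in lang))

def find_offsite_loads(html, page_url, allowed_hosts=()):
    """Return (tag, host, is_vbscript) for every load from a non-allowlisted host."""
    finder = OffSiteLoadFinder(page_url, allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: a page that renders a stored comment field.
SAMPLE = """
<script src="/js/site.js"></script>
<script src="//cdn.example.net/lib.js"></script>
<p>nice post</p><SCRIPT language="VBScript" SRC="http://files.example.org/x.vbs"></SCRIPT>
<iframe src="comments/frame.html"></iframe>
"""

if __name__ == "__main__":
    page = "https://www.example.com/blog/1"
    for tag, host, vbs in find_offsite_loads(SAMPLE, page, ["cdn.example.net"]):
        print(tag, host, "VBScript" if vbs else "")
```

The same allowlist expressed as a `Content-Security-Policy` `script-src` directive stops the browser from loading the off-site script in the first place, while this check finds content that has already been stored.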