'LizaMoon' Mass SQL Injection Attack Escalates Out of Control - eWeek.com
A mass SQL injection attack that initially compromised 28,000 Websites has spiraled out of control. At the last count, more than a million sites have been compromised, with no end in sight.

Security firm Websense has been tracking the "LizaMoon" attack since it started March 29. The company's malware researchers dubbed the attack LizaMoon after the first domain that victims were redirected to. At the redirected site, users saw a warning dialog that they had been infected with malware and a link to download a fake antivirus.

The users are shown a number of threats supposedly on their computer, but the fake AV, Windows Stability Center, won't remove them until the user pays up, in a "very traditional rogue AV scam," wrote Patrik Runald, the Websense researcher who has been following the attack over the past few days.

The list of redirect URLs has ballooned in the days since, as Websense updated its list March 31 with 20 additional sites, making this one of the biggest mass-injection attacks ever.

More than 500,000 URLs have been injected with LizaMoon, according to Runald. If all the domains used in the attack are considered, eWEEK found about 2.9 million results on Google Search that have been compromised.

"Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site," Runald said. It is safe to consider that hundreds of thousands of domains have been hit, he said.

Websense researchers are still trying to figure out how the SQL injection attack is happening. Somehow, legitimate Websites have been compromised in such a way that a single line of code has been embedded on the site. That code is a simple redirect, and it executes when the user loads the page. The bulk of the action happens on the redirected page, where a script containing JavaScript code kicks off the fake AV scam.

Commenters asked Websense why researchers were so convinced it was a SQL injection on multiple Websites and not a mass cross-site-scripting attack. The researchers said they'd been contacted by people who have seen the code in their Microsoft SQL Server 2003 and 2005 databases. The vulnerabilities weren't within the database software, but "most likely in the Web systems used by these sites, such as outdated CMS and blog systems," Runald said.
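The two paragraphs above describe the artifact a site operator would actually find: a single script tag, pointing at a domain the site never used, sitting inside text columns of the site's own database. The following scanner is an added example (not Websense's code and not from the original article) of how an operator can sweep stored content for that pattern. It walks every table and column, extracts the src of each script tag, and flags any that load from a host outside an allowlist. The sample rows, the allowlisted hosts and the injected redirect host (`injected-redirect.invalid`) are all constructed placeholders, and SQLite stands in for the SQL Server databases mentioned in the article.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hosts permitted to serve scripts for this site. Assumption: the operator
# maintains this allowlist for their own deployment; these names are placeholders.
TRUSTED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}

# The src attribute of a <script> tag, whether double-quoted, single-quoted
# or unquoted (mass injections commonly use the unquoted form).
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*(?<![\w-])src\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)


def script_sources(html):
    """Every script src value found in a fragment of HTML, in document order."""
    return [dq or sq or bare for dq, sq, bare in SCRIPT_SRC_RE.findall(html)]


def script_host(src):
    """Hostname a script src points at, or '' for a relative (same-site) path."""
    if src.startswith("//"):          # protocol-relative URL inherits the scheme
        src = "http:" + src
    return (urlparse(src).hostname or "").lower()


def suspicious_script_sources(html, trusted=TRUSTED_SCRIPT_HOSTS):
    """Script src values that load from a host outside the allowlist."""
    return [src for src in script_sources(html)
            if script_host(src) and script_host(src) not in trusted]


def scan_database(conn, trusted=TRUSTED_SCRIPT_HOSTS):
    """Walk every column of every table and report injected script tags.

    Returns (table, column, rowid, src) tuples. Non-string cells are skipped,
    so the scan is safe to run over integer and blob columns as well.
    """
    findings = []
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            for rowid, value in conn.execute(
                    f'SELECT rowid, "{column}" FROM "{table}"'):
                if isinstance(value, str):
                    for src in suspicious_script_sources(value, trusted):
                        findings.append((table, column, rowid, src))
    return findings


def build_sample_db():
    """Constructed sample data: two clean rows and one carrying an injected tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO posts (title, body) VALUES (?, ?)", [
        ("Welcome", '<p>Hello</p><script src="/js/site.js"></script>'),
        ("News", '<p>Update</p><script src="https://cdn.example.com/a.js"></script>'),
        # Injected content: the tag closes the surrounding element and pulls
        # a script from a host the site never used (placeholder domain).
        ("Contact",
         '<p>Mail us</p></title><script src=http://injected-redirect.invalid/ur.php></script>'),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    for table, column, rowid, src in scan_database(build_sample_db()):
        print(f"{table}.{column} rowid={rowid}: script loads from {src}")
```

Relative paths are treated as same-site and ignored, and an allowlisted CDN passes; only the row whose body references the unknown host is reported, with its table, column and rowid so the operator can clean it and trace which application wrote it. Running the same sweep against a real CMS database only requires swapping the connection object and the allowlist.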
Considering the large number of sites infected, users all around the world are affected, with victims in the United Kingdom, Kuwait, India, Australia, Turkey, Brazil, Israel, Mexico, Taiwan and Chile, among others, according to figures from Websense Threatseeker Network. The bulk of the victims, at 47 percent, appear to be from the United States.

The domains used in this attack, including the redirect URLs and the server where the malware is hosted, are all associated with one of four IP addresses, according to Dancho Danchev, an independent security expert. While the 20 or so domains being used as the redirect URL rotate between two IP addresses, Danchev has identified more than 120 India-based or Cocos Island-based domains all pointing to one malware host server, and 50 India-based domains going to another.

The domains have all been registered using automatically registered accounts at Gmail, Danchev said. The first domain on the list was registered as far back as October 2010, and new domains have been added since LizaMoon exploded, according to Runald.

First, the good news: Users are hit with the Windows Stability Center scam only once, so visiting the site repeatedly doesn't repeat the attack.

The bad news: Not many antivirus programs seem to be able to detect the Windows Stability Center. VirusTotal is a service that checks malware samples against 43 major antivirus products to see which products can detect it. As of April 1, only 17 of the 43 tested block Windows Stability Scanner. At least security companies are moving on this threat: it was only 13 out of 43 on March 31.
