SQL Injection Attack 'LizaMoon' Claims More Web Sites
Researchers at Websense have dubbed the attack “LizaMoon” after the first domain to which victims were redirected. Once on the redirected site, users were hit with a fake anti-virus scam. When Websense first detected the attack on March 29, its researchers counted 28,000 compromised URLs. Since then, the number has skyrocketed.
“All in all, a Google Search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack,” Patrik Runald, senior manager of security research at Websense, wrote in a March 31 blog post. “Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down.”
The rogue anti-virus at the center of the attack is called Windows Stability Center.
“The user only gets the malicious code once per IP address, so if you've already visited the site you won't get the code again,” Runald blogged. “This is something we see often in attacks, especially in exploit kits.”
According to Websense, roughly 47 percent of the users going to the LizaMoon domain as of March 31 were in the U.S. The company said it is still examining how the SQL injections are happening. “We have been contacted by people who have seen the code in their Microsoft SQL databases,” Runald wrote. “So far we have only had reports of Microsoft SQL Server 2003 and 2005 being affected, so if you have any information that says that 2008 has been hit as well, we'd like to know about it.”
Still, Runald blogged that researchers do not believe the issue is a vulnerability in SQL Server 2003 and 2005 itself, but rather vulnerabilities in the Web systems used by the impacted sites, such as outdated CMS and blog systems.
In addition to LizaMoon, a number of other domains are involved in the attack, including tadygus.com and google-stats49.info. That last domain may be meant to fool people using script blockers such as NoScript for Firefox into allowing malicious code to run, explained Richard Wang, manager for Sophos’ research arm SophosLabs US.
“The widespread nature of it strongly suggests that the attackers are using a mass attack, probably from a botnet, to attack many thousands of sites without first identifying whether the site is vulnerable,” Wang said. “If the attack succeeds they are happy, if not they simply move on to attack the next site.”