Lizamoon SQL injection attack spreading

http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx

 

Attack linked to iTunes spreads across Web

'LizaMoon' malware redirects Web surfers to a rogue antivirus website


Computer criminals are injecting malicious
code into hundreds of thousands of Web
pages, including several associated with
iTunes, in a stealthy attempt to trick users into
purchasing rogue antivirus software.

The malware campaign, dubbed “LizaMoon ”
by the security firm Websense, redirects Web
surfers to a rogue antivirus website via
malicious JavaScript code injected into Web
pages.

Discovered on March 29, LizaMoon was
initially spotted on 28,000 Web pages, many of
which were associated with iTunes RSS and
XML feeds — pages used to update podcasts.
According to a Google search, more than
380,000 Web pages are now compromised.

Like all scareware ploys, LizaMoon tries to
convince users they have a computer virus
that can only removed by purchasing (fake)
antivirus software.

What makes LizaMoon particularly dangerous
is that users who stumble on a corrupted Web
page would not necessarily know they’d been
infected — simply visiting a genuine-looking
Web page could land users in trouble.

There is some good news for iTunes users,
however. Apple prevents the malicious
LizaMoon code from automatically executing
on users’ computers.

http://www.msnbc.msn.com/id/42361792/ns/technology_and_science-security/#

 

Massive SQL Injection Attack - ArsTechnica

 

.

Currently the LizaMoon re-directs are not working because the sites peddling the bogus software have been shut down.



BBC News Technology
1 April 2011 Last updated at 05:34 ET

Sites hit in massive web attack


Hundreds of thousands of websites appear to have been compromised by a massive cyber attack.

The hi-tech criminals used a well-known attack vector that exploits security loopholes on other sites to insert a link to their website.

Those visiting the criminals' webpage were told that their machines were infected with many different viruses.

Swift action by security researchers has managed to get the sites offering the sham software shut down.

full story here:

http://www.bbc.co.uk/news/technology-12933053

 

Neat article on a fake anti-virus!

http://windowssecrets.com/2011/04/07/01-LizaMoon-infection-a-blow-by-blow-account

 

Re: Neat article on a fake anti-virus!

'LizaMoon' is a SQL injection attack, after website infection the rouge is offered as a download.

 

Those who have followed exploits over the years will realize that this is nothing new.

From as far back at least to 2006, I've seen similar tricks. One was RegClean, where the fake "page" was a pop-over gif image that was a hyperlink, meaning that clicking anywhere triggered a remote code execution download (drive-by) of the rogue security product:

http://urs2.net/rsj/computing/tests/regclean

Today's exploits favor the social engineering tricks over the drive-by exploit, to bypass any security that would block the drive-by execution.

As then, the preventative measures now, are not to be swayed by popup alerts that indicate multiple infections have occurred. This, of course, requires the user to be confident in her/his security measures in place, and to know how to double-check such things!

regards,

-rich