Lizamoon SQL injection attack spreading

Discussion in 'malware problems & news' started by axial, Mar 31, 2011.

Thread Status:
Not open for further replies.
  1. axial

    axial Registered Member

    Joined:
    Jun 27, 2007
    Posts:
    477
    http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,955
    Location:
    DC Metro Area
    Attack linked to iTunes spreads across Web

    'LizaMoon' malware redirects Web surfers to a rogue antivirus website


    Computer criminals are injecting malicious
    code into hundreds of thousands of Web
    pages, including several associated with
    iTunes, in a stealthy attempt to trick users into
    purchasing rogue antivirus software.

    The malware campaign, dubbed “LizaMoon”
    by the security firm Websense, redirects Web
    surfers to a rogue antivirus website via
    malicious JavaScript code injected into Web
    pages.

    Discovered on March 29, LizaMoon was
    initially spotted on 28,000 Web pages, many of
    which were associated with iTunes RSS and
    XML feeds — pages used to update podcasts.
    According to a Google search, more than
    380,000 Web pages are now compromised.

    Like all scareware ploys, LizaMoon tries to
    convince users they have a computer virus
    that can only be removed by purchasing (fake)
    antivirus software.

    What makes LizaMoon particularly dangerous
    is that users who stumble on a corrupted Web
    page would not necessarily know they’d been
    infected — simply visiting a genuine-looking
    Web page could land users in trouble.

    There is some good news for iTunes users,
    however. Apple prevents the malicious
    LizaMoon code from automatically executing
    on users’ computers.

    http://www.msnbc.msn.com/id/42361792/ns/technology_and_science-security/#
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Massive SQL Injection Attack - ArsTechnica
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,955
    Location:
    DC Metro Area

    Currently the LizaMoon re-directs are not working because the sites peddling the bogus software have been shut down.



    BBC News Technology
    1 April 2011 Last updated at 05:34 ET

    Sites hit in massive web attack


    Hundreds of thousands of websites appear to have been compromised by a massive cyber attack.

    The hi-tech criminals used a well-known attack vector that exploits security loopholes on other sites to insert a link to their website.

    Those visiting the criminals' webpage were told that their machines were infected with many different viruses.

    Swift action by security researchers has managed to get the sites offering the sham software shut down.

    full story here:

    http://www.bbc.co.uk/news/technology-12933053
     
  5. ratchet

    ratchet Registered Member

    Joined:
    Feb 20, 2006
    Posts:
    1,908
  6. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Re: Neat article on a fake anti-virus!

    'LizaMoon' is a SQL injection attack; after website infection the rogue is offered as a download.
     
  7. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,938
    Location:
    U.S.A.
    Merged Threads to Continue Same Topic!
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Those who have followed exploits over the years will realize that this is nothing new.

    From at least as far back as 2006, I've seen similar tricks. One was RegClean, where the fake "page" was a pop-over gif image that was a hyperlink, meaning that clicking anywhere triggered a remote code execution download (drive-by) of the rogue security product:

    http://urs2.net/rsj/computing/tests/regclean

    Today's exploits favor the social engineering tricks over the drive-by exploit, to bypass any security that would block the drive-by execution.

    As then, the preventative measures now are not to be swayed by popup alerts that indicate multiple infections have occurred. This, of course, requires the user to be confident in her/his security measures in place, and to know how to double-check such things!

    regards,

    -rich
     
    Last edited: Apr 7, 2011