Mass-injection attack (yawn) infects 1.5 million Web pages

LizaMoon is really nothing new, researchers say, but at least it has a cool name

A mass SQL injection attack that is reported to have infected as many as 1.5 million Web pages, or unique URLs, has gotten a lot of attention because of the sheer size of the attack. But researchers say that LizaMoon is not as bad as the raw numbers would indicate.

“This is pretty standard, run-of-the-mill stuff,” said Vikram Thakur, principle manager for Symantec Security Response. “A lot of the injections are happening on Web sites that stopped being maintained a long time ago,” and probably are not getting visitors.

According to the security company Websense, which first reported the outbreak, code has infected some very active Web pages, including some in the iTunes domain that apparently brought the code inside via RSS/XML feeds. But because iTunes encodes script tags, the code does not execute on the user’s computer.

Related coverage:

The cure is known, but the cyber disease persists

The malicious code, when executed, directs users to rogue antivirus sites that attempt to sell phony software to the user. These sites are known and already are blocked by Symantec, Thakur said, and the injected code also is being blocked.

Websense dubbed the attack LizaMoon because of a domain name in the script, unprecedented in scale. But the response of Rafal Los, application security evangelist for HP Software and Solutions, was: “Yawn.”

“It must have been a slow news day when this happened,” he said. A similar attack a year ago also infected hundreds of thousands of pages.

SQL injection is a common type of attack. The attack was broadcast to as many URLs as possible, and when a vulnerable site is hit the code is injected into the Web page. Although the number of URLs affected is large, that can include many separate pages within the same Web site and the number of actual sites affected probably is much smaller.

The rogue antivirus scheme is well known. When a visitor lands on the infected page the code directs the browser to the malicious site, which loads a phony dialog box alerting the user to the presence of a supposed virus that can only be removed by buying the product. In this case the alert appears to come from the Microsoft Stability Center, and the user is offered antivirus at the rate of $49.95 for a six-month license, $59.95 for a year or $79.95 for a lifetime, with lifetime support available at the bargain rate of $19.95.

“These things work,” Los said, because it is difficult to distinguish the fake dialog box from real alerts. The real issue, he said, is not a new mass injection attack that infects thousands of Web pages, but, “why are we still writing bad code” that allows the attacks to succeed?

Improvements are being made in secure software development, but new software development so far outpaces improvements in security that security cannot keep up, he warned.

Another problem, according to an HP report on the security landscape scheduled to be released April 4, is that existing vulnerabilities for which patches are available continue to be exploited by attackers.

“The attackers don’t need any more vulnerabilities to be successful,” said Dan Holden, director of HP DVLabs, because the old ones still work.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.