Around 500,000 unique URLs infected by LizaMoon

Around a half a million URLs have been compromised by a SQL injection attack method called ‘LizaMoon'.

According to Websense, LizaMoon is a mass-SQL injection attack that inserts a line into the code of the page. Detection on the number of infected pages has risen from 28,000 to 226,000 to 380,000 URLs within a matter of hours. Websense later said that the count was of unique URLs, not infected hosts, making this one of the larger mass-injection attacks it has ever seen.

Patrik Runald, senior manager of security research at Websense, said: “The injected URL is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known rogue anti-virus site. That site is also unavailable right now, so we don't have the actual binary analysis information available yet.”

There was also an initial link made with Apple's iTunes software, with Websense saying that the RSS/XML feeds that iTunes uses to update podcasts was also compromised with the injected code. However as iTunes encodes the script tags, the script does not execute on the user's computer.

Luis Corrons, technical director of PandaLabs, said: “From my point of view this attack has two different sides: iTunes is used by millions of people all around the world, so the potential victims are way more compared to just inject code to some popular websites.

“On the other side, a question: do you know of anyone accessing iTunes with a browser? Neither do I. So while the number of potential victims is extremely high, in this case they are just potential victims and the number of real victims is probably low.

“But thinking of the worst-case scenario, imagine that the attacker is able to exploit a hole in the iTunes software itself: combined with the LizaMoon attack by injecting code in the iTunes URLs could translate in millions of infections in a matter of minutes/hours.”

Update: Websense confirmed that more than 500,000 URLs have a script link to lizamoon.com and said that it is possible that over 1,500,000 sites have a link with the same URL structure as the initial attack. It also detected that lizamoon.com was registered on 21st October, 2010 and the first confirmed case that it knew of was from December 2010, but the connection to LizaMoon was not made until this week.

It also previously said that the rogue anti-virus payload site was not working properly, but further testing shows that it now it does and the user only gets the malicious code once per IP address, so if they have already visited the site they will not get reinfected.

The rogue anti-virus software is called Windows Stability Center and the file that is downloaded is currently detected by 13/43 anti-virus engines.

Sign up to our newsletters