What is Lizamoon, the viral scareware that infected four million websites?


A fast-spreading SQL injection attack that peddles bogus scareware has been slipping past anti-virus defenses and compromising millions of websites, as well as defrauding unsuspecting victims. Websense Security Labs reported the attack in its blog last week. Websense said its Threatseeker Network identified a new malicious mass-injection campaign, which it named LizaMoon.

How it works

According to Websense, the LizaMoon mass-injection is an SQL injection attack that draws users to a bogus site where they are likely subjected to a scareware attack. The SQL injection attack starts with the insertion of a line into the code of the page.

This script exploits a web application vulnerability in the websites and leads users to the bogus LizaMoon website. “Certain vulnerabilities in the web systems used by sites... such as outdated CMS and blog systems” facilitate this attack, Websense said.

A scareware file is installed on the site in the process, which then tricks the user into believing that the computer is infected with viruses by displaying a fake Trojan alert. The malicious file then sells the unsuspecting customer software that offers to fix the problem. Besides the money spent on the bogus scareware, the multi-stage attack compromises the system's security.

Four million sites affected  

The number of websites compromised by letting in a script link to the bogus Lizamoon.com website started as a trickle last week when Websense reported it, but since then the numbers have swelled. As many as 500,000 websites had a link to the bogus site as of Friday, going by preliminary Google search results. But CNNMoney said the actual number of websites that have come under attack could now exceed four million.

Alarmist reports

Early reports by Websense suggested that Apple's iTunes was also compromised by the LizaMoon scareware attack. However, the blog later clarified that iTunes was not affected. The blog had said that several iTunes URLs had a link to the LizaMoon website, but iTunes had security settings that prevented the execution of the scripts.

The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer. So good job, Apple.

Apple has iTunes designed to automatically neutralize this kind of threat. That means there's zero risk of an iTunes user's computer actually getting infected by this bit of malware, CNNMoney said in a report.
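As an added example (not from Websense or the original article), here is a defender-side check for the pattern described under "How it works" and in the iTunes passage: it scans stored text fields for script tags that load from hosts outside an allow-list, and shows the output encoding that keeps such a tag from executing. The row data, host names and function names are constructed for illustration.

```python
import html
import re
from urllib.parse import urlparse

# Matches an opening <script ...> tag and captures its src attribute value
# (quoted or unquoted, any letter case).
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

def foreign_script_hosts(text, allowed_hosts):
    """Return hosts of <script src=...> tags in text that are not allow-listed."""
    hits = []
    for src in SCRIPT_SRC.findall(text):
        host = (urlparse(src).hostname or "").lower()
        # Relative URLs have no host: they load from the site itself.
        if host and host not in allowed_hosts:
            hits.append(host)
    return hits

def audit_rows(rows, allowed_hosts):
    """Map row id -> foreign script hosts, for rows with at least one hit."""
    report = {}
    for row_id, text in rows:
        hits = foreign_script_hosts(text, allowed_hosts)
        if hits:
            report[row_id] = hits
    return report

def render_encoded(text):
    """Encode stored text for output so markup in it is displayed, not run."""
    return html.escape(text, quote=True)

# Constructed sample rows (id, stored title); all hosts are placeholders.
ROWS = [
    (1, "Episode 12: patching your CMS"),
    (2, "Weekly news</title><script src=http://injected.example/x.js></script>"),
    (3, 'Intro <script src="/static/player.js"></script>'),
    (4, 'Show notes <SCRIPT SRC="https://cdn.trusted.example/a.js"></SCRIPT>'),
]
ALLOWED = {"cdn.trusted.example"}

if __name__ == "__main__":
    print(audit_rows(ROWS, ALLOWED))      # rows that need cleanup
    print(render_encoded(ROWS[1][1]))     # same content, safely encoded
```

A hit means the stored data was already modified, so the row needs cleaning and the vulnerable query needs fixing; encoding on output only limits what a visitor's browser does with it.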

Is it a serious situation?

While the threat poses a global risk and exposes security flaws in millions of websites, this attack will not have any crippling impact on businesses.

And most websites have protections in place to prevent them from getting infected in the first place. While LizaMoon has infested millions of websites, security experts say it's a run-of-the-mill threat that is mostly hitting obscure, low-traffic sites, according to CNNMoney.

However, Websense has said this is the most serious attack of its nature to have surfaced so far. It also says that the threat is going to be around for a long time. Only 17 out of 43 of the currently available antivirus engines were able to detect and neutralize the bogus scareware on Friday, web-security firm VirusTotal said.
