Lizamoon Strikes MillionsSQL Inject Dubbed 'Most Successful'
In his blog, which posted late Thursday, Runald writes that, based on Google Search results, more than 500,000 URLs have a script link to lizamoon.com. Websense Labs identified other URLs that are injected in the exact same way, so the attack is even bigger than the security firm originally thought.
"Google Search results aren't always great indicators of how prevalent or widespread an attack is, as it counts each unique URL, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down," Runald writes.
The domain lizamoon.com was registered March 26. Users who visit the malicious site, after clicking links on legitimate but infected sites, are told their machines are infected with non-existent viruses; users are then asked to download a fake anti-virus software called Windows Stability Center. "To fix them you have to pay for the full version of the application," Runald writes. "Very traditional rogue AV scam."
Early reports suggested the attackers were hitting sites using Microsoft SQL Server 2003 and 2005. Weaknesses in Web application software could be to blame.
Among the URLs infected is the one for iTunes catalogue page displaying podcast information. "The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer," Runald wrote. "So good job, Apple."
Sites hosting the malicious software have since been shut down.