
Lizamoon attack soars, but Oz suffers little

A massive SQL injection called Lizamoon is blazing through the internet, infecting more than half a million domains around the world to date and as many as 1.5 million URLs.
Written by Darren Pauli, Contributor



(Moon image by Daniel R Blume, CC BY-SA 2.0)

Australia has so far escaped much of the impact, accounting for less than 1 per cent of victims according to analysis by security firm WebSense.

The attack initially hit around 50,000 domains when it emerged earlier this week, by using an automated JavaScript injection that targets vulnerable websites. Compromised sites then redirect visitors to malware- and scareware-infected domains.

The first malware-filled domain to surface was lizamoon.com, after which the attack was named. It was responsible for infecting thousands of victims, but is currently offline. Researchers have identified others that are being used in its place.

WebSense said in a blog post today that victims are being infected with malicious antivirus software called Windows Stability Center via a file that is detected by fewer than a quarter of antivirus engines.

The malicious script will only run once on a victim's system, based on IP address.

The attack had reached iTunes users earlier this week through RSS/XML feeds that had picked up compromised URLs and were displaying them. Apple users were safe, however, because iTunes encoded the script tags, which prevented them from running on a victim's computer.
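The encoding behaviour described above, as an added example that is not part of the original article: a feed consumer audits item titles for script tags that load from an external host and HTML-encodes each title before display, so the tag is shown as text rather than executed. The sample feed, the host `injected.example` and the function name `audit_feed` are constructed for illustration.

```python
import html
import re
import xml.etree.ElementTree as ET

# Constructed sample feed (not data from the article). The second item's title
# carries an injected script tag pointing at a placeholder host.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Constructed feed</title>
<item><title>Episode 1: clean title</title></item>
<item><title>Episode 2&lt;/title&gt;&lt;script src=http://injected.example/placeholder.js&gt;&lt;/script&gt;</title></item>
</channel></rss>"""

# A script tag whose src points at an external host; group 1 captures the host.
SCRIPT_SRC = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\s\"'>]+)", re.I
)


def audit_feed(feed_xml):
    """Return one record per item: raw title, injected host (or None), encoded title."""
    # For untrusted feeds in production, parse with a hardened parser such as
    # defusedxml; the standard-library parser is used here to stay self-contained.
    records = []
    for item in ET.fromstring(feed_xml).iter("item"):
        raw = item.findtext("title", default="")
        match = SCRIPT_SRC.search(raw)
        records.append({
            "raw": raw,
            "injected_host": match.group(1).lower() if match else None,
            # Encoding turns <, >, & and quotes into entities, so an HTML
            # renderer displays the tag as text instead of running it.
            "encoded": html.escape(raw, quote=True),
        })
    return records


if __name__ == "__main__":
    for record in audit_feed(SAMPLE_FEED):
        status = record["injected_host"] or "clean"
        print(f"{status:20} {record['encoded']}")
```

Encoding at display time protects the reader of the feed; the flagged host tells the feed owner which stored records still need cleaning at the source.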

Security researcher Dancho Danchev said in a blog that the infected domains respond to a single IP address and were all registered through fake Gmail accounts.

The attack comes days after two hackers launched a blind SQL injection attack against Sun.com and MySQL.com and obtained usernames and emails from internal databases.
