Counterspin: LizaMoon Web Attacks No Big Deal?

Data from networking giant Cisco Systems is calling into question recent reports of a widespread attack, dubbed Lizamoon, that is said to have compromised millions of domains.

Data from networking giant Cisco Systems is calling into question recent reports of a widespread attack, dubbed Lizamoon, that is said to have compromised millions of domains.

In a post on Cisco’s security blog, senior security researcher Mary Landesman said that data from the company’s ScanSafe Web security infrastructure suggests that just over 1,000 Web domains have been compromised using the SQL injection attack, not the 500,000 to 1.5 million cited in published reports.

The chances of being infected by malicious code served up by the compromised domains is “negligible,” said Landesman in her post on Monday

Reports of the widespread Web attacks began circulating last week, after Web security firm Websense posted an entry on its research blog warning about “mass (SQL) injection attacks” affecting a quarter million domains. Websense cited Google search engine searches for URLs known to be associated with the compromised domains, including one registered as “lizamoon.com,” to support their data about the prevalence of infection.

News outlets, including Threatpost.com, picked up on Websense’s warnings, especially as the reported number of infected domains swelled to 1.5 million. But Landesman said that the attacks reported by Websense were neither new nor especially widespread.

Cisco had been tracking similar mass SQL injection threats since September, 2010 and identified 42 Web domains associated with the SQL injection attacks during that time. Lizamoon.com was the 41st of those 42 domains the company identified. Moreover, Cisco’s ScanSafe data suggests that most compromises were on small, low traffic “niche” content sites, further reducing the chances that casual Web surfers would come across them.

Landesman said Cisco had identified only 1,154 unique compromised Websites between September, 2010 and March 2011 that were associated with the mass SQL injection attacks. Even within those domains, the individual or group behind the SQL injection attacks is throttling the distribution of attack code, meaning just a fraction of all potentially malicious encounters actually deliver malicious code. Landesman said the “live encounter rate” is around %0.15, according to Cisco data.

“If they decided to deliver their exploits all the time, there could be an issue, but to date we have not had a problem,” Landesman told Threatpost.

Why the discrepancy? Landesman said that using Google’s search engine as a tool for spotting compromised domains is fatally flawed. First of all: search results list individual pages, not whole domains, inflating the perception of risk. Google’s search engine will also list sites that merely talk about the Lizamoon SQL injection attack – support forums blogs, news sites and the like. As word of the widespread attack spread, the number of those non-malicious hits mushroomed, turning what was a blossoming news story into what appeared to be a blossoming outbreak.

“There’s no secret that the numbers increased as interest increased,” Landesman said, noting that search results contain huge numbers of non-exact matches, especially as you get down into the list, but that neither Websense (nor the media, frankly) dug into those lists too deeply.

“Search is never a good way to ascertain the volume of anything,” she said. “Even in the
best case, with a tightly formed query, you still have to account for Web sites that were injected, but properly escaped and, therefore, are not dangerous.”

Cisco has had only a handful of detections, she said. Other firms, also, said they were seeing only low numbers of compromises related to Lizamoon. Kaspersky Lab reports just four detections from domains associated with the Lizamoon SQL injection attacks. Websense did not respond immediately to a request for comment.

Cisco said it is providing a signature for the Lizamoon SQL injection attack because of “intense media attention,” but considers the danger of infection from the attack to be extremely low.

Suggested articles