Counterspin: LizaMoon Web Attacks No Big Deal?

Data from networking giant Cisco Systems is calling into question recent reports of a widespread attack, dubbed Lizamoon, that is said to have compromised millions of domains.

In a post on Cisco’s security blog, senior security researcher Mary Landesman said that data from the company’s ScanSafe Web security infrastructure suggests that just over 1,000 Web domains have been compromised using the SQL injection attack, not the 500,000 to 1.5 million cited in published reports.

The chances of being infected by malicious code served up by the compromised domains are “negligible,” said Landesman in her post on Monday.

Reports of the widespread Web attacks began circulating last week, after Web security firm Websense posted an entry on its research blog warning about “mass (SQL) injection attacks” affecting a quarter million domains. Websense cited Google search engine searches for URLs known to be associated with the compromised domains, including one registered as “lizamoon.com,” to support their data about the prevalence of infection.

News outlets, including Threatpost.com, picked up on Websense’s warnings, especially as the reported number of infected domains swelled to 1.5 million. But Landesman said that the attacks reported by Websense were neither new nor especially widespread.

Cisco had been tracking similar mass SQL injection threats since September, 2010 and identified 42 Web domains associated with the SQL injection attacks during that time. Lizamoon.com was the 41st of those 42 domains the company identified. Moreover, Cisco’s ScanSafe data suggests that most compromises were on small, low traffic “niche” content sites, further reducing the chances that casual Web surfers would come across them.

Landesman said Cisco had identified only 1,154 unique compromised Web sites between September 2010 and March 2011 that were associated with the mass SQL injection attacks. Even within those domains, the individual or group behind the SQL injection attacks is throttling the distribution of attack code, meaning just a fraction of all potentially malicious encounters actually deliver malicious code. Landesman said the “live encounter rate” is around 0.15%, according to Cisco data.

“If they decided to deliver their exploits all the time, there could be an issue, but to date we have not had a problem,” Landesman told Threatpost.

Why the discrepancy? Landesman said that using Google’s search engine as a tool for spotting compromised domains is fatally flawed. First of all, search results list individual pages, not whole domains, inflating the perception of risk. Google’s search engine will also list sites that merely talk about the Lizamoon SQL injection attack – support forums, blogs, news sites and the like. As word of the widespread attack spread, the number of those non-malicious hits mushroomed, turning what was a blossoming news story into what appeared to be a blossoming outbreak.

“There’s no secret that the numbers increased as interest increased,” Landesman said, noting that search results contain huge numbers of non-exact matches, especially as you get down into the list, but that neither Websense (nor the media, frankly) dug into those lists too deeply.

“Search is never a good way to ascertain the volume of anything,” she said. “Even in the best case, with a tightly formed query, you still have to account for Web sites that were injected, but properly escaped and, therefore, are not dangerous.”
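To make Landesman’s counting argument concrete, here is an added Python example (not from the article, Cisco or Websense) that triages a set of search hits the way she describes: it collapses per-page hits to unique domains, then separates pages carrying a live injected script tag from pages that merely mention the indicator domain or contain it only as escaped text. The sample pages and their hostnames are constructed for illustration; only the domain lizamoon.com comes from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

INDICATOR_DOMAIN = "lizamoon.com"  # domain named in the article


class _ScriptSrcCollector(HTMLParser):
    """Records src attributes of <script> tags the parser actually sees as tags.
    Escaped markup (&lt;script ...&gt;) arrives as text data, so it is not recorded."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def unique_domains(urls):
    """Search engines list pages; collapse hits to the hostnames they belong to."""
    return {urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname}


def classify_page(html):
    """'injected' if a real <script src> points at the indicator domain,
    'mention' if the domain appears only in text or escaped markup, else 'clean'."""
    parser = _ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    for src in parser.srcs:
        host = urlparse(src).hostname  # handles absolute and scheme-relative (//host/..) src
        if host and (host == INDICATOR_DOMAIN or host.endswith("." + INDICATOR_DOMAIN)):
            return "injected"
    return "mention" if INDICATOR_DOMAIN in html.lower() else "clean"


def triage(hits):
    """Reduce raw search hits (url -> fetched HTML) to the numbers that matter."""
    injected = {urlparse(u).hostname.lower() for u, h in hits.items() if classify_page(h) == "injected"}
    return {"page_hits": len(hits), "domains": len(unique_domains(hits)), "injected_domains": len(injected)}


# Constructed sample: two pages on one injected site, one forum thread discussing the
# attack, and one blog post where the injected tag was escaped and rendered inert.
LIVE_TAG = '<script src="http://lizamoon.com/constructed-path.js"></script>'
SAMPLE_HITS = {
    "http://shop.example/products/1.html": "<html><body><p>Shop</p>" + LIVE_TAG + "</body></html>",
    "http://shop.example/products/2.html": "<html><body><p>More</p>" + LIVE_TAG + "</body></html>",
    "http://forum.example/thread/42": "<p>Has anyone seen the lizamoon.com injection on their sites?</p>",
    "http://blog.example/post": "<p>Injected text: &lt;script src=\"http://lizamoon.com/x.js\"&gt; was escaped.</p>",
}
```

Four page hits here collapse to three domains, of which only one actually serves the injected script; the forum and blog hits are the non-malicious matches Landesman says search counts fail to exclude.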

Cisco has had only a handful of detections, she said. Other firms, also, said they were seeing only low numbers of compromises related to Lizamoon. Kaspersky Lab reports just four detections from domains associated with the Lizamoon SQL injection attacks. Websense did not respond immediately to a request for comment.

Cisco said it is providing a signature for the Lizamoon SQL injection attack because of “intense media attention,” but considers the danger of infection from the attack to be extremely low.


Discussion

  • Anonymous on

    I have manually disabled this scareware virus (or however you want to define it) half a dozen times, although after disabling it I scanned the computer with Malwarebytes and Superantispyware.

    If you have this virus, your computer will act as if it's possessed and you will be denied access to your Task Manager. Just shut down the computer and restart it. The virus lurks in the system Startup and only takes seconds to load following a reboot (do not restart in Safe Mode). As soon as Windows has loaded, go to Start, Run and type in msconfig. Once in the System Configuration Utility, select Startup (you will only have seconds to do this and it may take several attempts to get the timing right). Once you see the list of items in Startup, look for anything suspicious, particularly in the location C:\Documents and Settings. (I have always made it a habit to keep a list of items in my Startup. The easiest way to do this is to bring up the list in the Configuration Utility, and then press Print Screen; then open a new Word document and paste the image there and print it out for future reference. Note: you will need to do this each time you add a program to your Startup items.) After unchecking the suspicious item, click OK. If you unselected the correct item, your computer should boot normally. Then I suggest emptying your System Restore history. To do this, go to Control Panel, Performance and Maintenance, System, System Restore, and then check Turn off System Restore. Restart the computer (if, after restarting, you get a message about a change in your Startup items, just check the box so that it doesn't tell you again). Then go back to System, System Restore and uncheck Turn off System Restore. Restart again. Scan with Malwarebytes and Superantispyware (be sure both programs have been updated first). Then, for future reference, create an updated list or screenshot of items in your Startup. (If you are still worried the virus might be lurking somewhere, scan with Spybot Search & Destroy and Microsoft Security Essentials. You could also download and run CCleaner to tidy up the items in your Startup.)

  • Janice Taylor-Gaines on

    Breaches are a fact of life: So, how to protect yourself? We conduct regularized, quarterly (and ad hoc) security training. We followed this book's advice: “I.T. WARS: Managing the Business-Technology Weave in the New Millennium.” Just Google "IT WARS" (or search Amazon) - that author has the forward view for all sorts of best practices and progressions. My copy is dog-eared and highlighted to death. Stay safe out there!
