Widespread LizaMoon Web Attacks Push Rogue Antivirus

Security firms are warning about a fast-spreading Web based attack that has been linked to the installation of rogue anti virus products.

Security firms are warning about a fast-spreading Web based attack that has been linked to the installation of rogue anti virus products.

More than 300,000 Web sites have been compromised in a campaign dubbed “LizaMoon,” and are now serving up malicious links to rogue antivirus products, according to security researchers at Websense.

Websense researchers wrote on Thursday that a Google search for Web sites hosting the malicious URLs identified over 1.5 million Web sites hosting the code, up from just a few thousand earlier in the week. A number of infected links are associated with podcasts on Apple’s iTunes domain, though those links have been altered to prevent them from infecting user systems. iTunes has been the subject of numerous complaints from users who have had their accounts taken over under suspicious circumstances.

The attack has targeted Web sites running on a wide variety of server platforms using so-called SQL injection attacks. SQL Injection attacks take advantage of loosely coded applications to use specially formed SQL statements to bypass security measures and modify data on vulnerable systems.

In this case, the SQL injection attacks were used to insert malicious code into back end databases,which was then served up to unsuspecting users. The attack was dubbed “LizaMoon” in recognition of a malicious Web domain, registered shortly before the attacks began, that has been used to serve up malicious links. That domain was offline at the time this report was filed, but a handful of other Web domains are mirroring the attack.

Users who click on a link to a Web site that has been compromised and injected with the malicious code, a PHP file is pushed to the user’s computer that redirects the browser to a Web site that installs rogue antivirus software known as Windows Stability Center.

SQL injection attacks have figured prominently in a number of large attacks in recent months. In June, Web servers running Microsoft’s IIS software  were attacked and injected with malicious SQL code that attempted to push malicious programs to the PCs of users who visited those sights. High profile sites, including The Wall Street Journal and Jerusalem Post were known to be affected. SQL injection also played a role in the hack of the Web site of security firm HBGary by the online prankster group Anonymous and, more recently, in a compromise of the Website for MySQL.com.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.