Massive ‘Lizamoon’ SQL poisoning attack infects 1m URLs

1 Apr 2011

A massive SQL poisoning attack known as the LizaMoon mass-injection campaign is spreading like wildfire and has now infected more than 1m URLs, including some belonging to Apple’s iTunes.

Websense has identified several different URLs that suggest the attack is bigger than originally thought. The infected URLs have a script link to lizamoon.com.

The security firm said a Google search revealed more than 1.5m URLs that have a link with the same URL structure as the initial attack.

Websense’s Patrick Runald said the original domain from which the attack originated was registered on 21 October last.

The first confirmed case Websense knows of occurred in December.

If a user visits an infected site, rogue AV software called Windows Stability Centre is installed; it is currently detected by only 13 out of 43 anti-virus engines, according to VirusTotal.

The software then displays a warning that there are lots of problems on your PC and that to fix them you have to pay for the full version of the application.

Some of the URLs hit by the attack were related to iTunes but, according to Runald, the script was neutered by Apple.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years
