LizaMoon: Scareware Attack Hits 1.5 Million Websites
LizaMoon Mass-Injection Attack Touts 'Windows Stability Center' Malware
There's a mass-injection attack spreading across the web called LizaMoon. LizaMoon hijacks visitors to infected sites and reroutes them to a scareware site. The attack adds code to the targeted site which causes the redirect. Oddly, the redirect only occurs once per IP address: if you get rerouted and don't take the bait, your next visit to the infected site will be uninterrupted.
Once redirected to the scareware site, the user is presented with a popup window that says that the computer is at risk. Clicking OK takes the user to "Windows Stability Center", which performs a fake scan of your system.
There's no such thing as Windows Stability Center: this is just a series of JS executions, and not a real depiction of the user's machine. Once the fake-ass scan is done, the user is prompted to remove the "viruses". Clicking Remove All will, of course, install malware. Pwned.
Web security firms are not yet sure which vulnerability is being exploited in the LizaMoon attack, which is named after the first site to have been compromised. Antivirus products are not widely recognizing the Windows Stability Center malware.
List of Infected Sites
WebSense is building a list of infected sites, but the number is astronomical, and still growing. LizaMoon has not been contained. URLs associated with the iTunes Music Store have been infected.
Let's turn it over to WebSense:
Q: How many sites have been affected by this?
A: It's really hard to say. Google Search indicates it's over 1.5 million URLs but that number could be over-inflated. It's safe to say it's in the hundreds of thousands.
Q: How does the script get added to the compromised sites?
A: We're still looking into that. We know that it uses SQL Injection to do it and not XSS as some of our blog readers have suggested.
The domains used in this attack, including the redirect URLs and the server where the malware is hosted, are all associated with one of four IP addresses, according to Dancho Danchev, an independent security expert. While the 20 or so domains being used as the redirect URL rotate between two IP addresses, Danchev has identified more than 120 India-based or Cocos Island-based domains all pointing to one malware host server, and 50 India-based domains going to another.
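The two defender-side points in the article, that the script tag is written into site content through SQL injection and that a compromised site owner needs to find the injected tags, can be shown in a few lines. The block below is an added example, not code from the article, WebSense or Dancho Danchev: it puts a vulnerable string-concatenated UPDATE next to its parameterized fix, then scans stored page bodies for external `<script src>` references whose host is not on an assumed allowlist. The database, the sample rows, the allowlist and the host names are all constructed placeholders, not domains from the real attack.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample content. The injected tag points at a placeholder host,
# not at any domain from the real attack.
INJECTED_TAG = '<script src="http://injected-host.example/redirect.js"></script>'

SAMPLE_ROWS = [
    (1, "Welcome to our shop."),
    (2, 'Analytics: <script src="https://cdn.example.org/stats.js"></script>'),
    (3, "Latest news: store opens Monday." + INJECTED_TAG),
]

# Hosts the site owner knowingly loads scripts from (assumed allowlist).
TRUSTED_SCRIPT_HOSTS = {"cdn.example.org"}

# Matches a <script ...> tag and captures the value of its src attribute.
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def save_body_vulnerable(conn, page_id, body):
    """'Before' pattern: SQL built by string concatenation. Any quote inside
    `body` is parsed as part of the statement, which is the class of defect a
    mass-injection attack needs in order to write its script tag into content."""
    conn.execute("UPDATE pages SET body = '" + body + "' WHERE id = " + str(page_id))


def save_body_safe(conn, page_id, body):
    """'After' pattern: bound parameters. The driver passes `body` as data, so
    quotes and tags inside it are stored literally and never parsed as SQL."""
    conn.execute("UPDATE pages SET body = ? WHERE id = ?", (body, page_id))


def find_untrusted_scripts(conn):
    """Scan every stored page body for <script src=...> tags whose host is not on
    the allowlist. Returns [(page_id, src), ...] for the rows that need cleaning."""
    hits = []
    for page_id, body in conn.execute("SELECT id, body FROM pages"):
        for src in SCRIPT_SRC.findall(body or ""):
            host = urlparse(src).hostname
            if host not in TRUSTED_SCRIPT_HOSTS:
                hits.append((page_id, src))
    return hits


def demo():
    """Run both halves: show that ordinary input with an apostrophe already breaks
    the concatenated query (it was parsed as SQL), that the parameterized version
    stores it intact, and then list the rows carrying an untrusted script."""
    conn = build_db()
    text_with_quote = "Bob's summer sale"
    try:
        save_body_vulnerable(conn, 1, text_with_quote)
        concat_ok = True
    except sqlite3.OperationalError:
        concat_ok = False  # the apostrophe ended the string literal: input became SQL
    save_body_safe(conn, 1, text_with_quote)
    stored = conn.execute("SELECT body FROM pages WHERE id = 1").fetchone()[0]
    return concat_ok, stored, find_untrusted_scripts(conn)


if __name__ == "__main__":
    ok, stored, hits = demo()
    print("concatenated query accepted apostrophe:", ok)
    print("parameterized query stored:", stored)
    for page_id, src in hits:
        print(f"page {page_id}: untrusted script {src}")
```

The scan is deliberately allowlist-based rather than signature-based: the article notes the redirect domains rotate across a couple of dozen names, so matching on known-bad hosts would lag behind the attacker, whereas flagging any external script host the site owner did not choose surfaces the injected row regardless of which domain it currently points at.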