Huge malware attack compromises more than 1.5 million web pages

A ton of web pages have been compromised by a huge malware attack dubbed LizaMoon.

The attack shows that malware is a bigger menace than ever and that many web sites aren’t protected.

More than 500,000 pages have been compromised and are linked to a site called lizamoon.com, but more than 1.5 million web URLs also appear to be compromised in a similar way. The attack is still proceeding unabated, according to Websense Security Labs.

Dave Marcus, director of security research and communication at McAfee Labs, said, “This type of threat vector is common and actually happens all the time, however it’s not always on this scale. There are many tools that exist currently that do this in an automated fashion.”

The attack is an SQL injection attack, a class of attack that exploits badly written web applications and tampers with a web site’s databases. SQL injection stems from programming errors and can affect applications written in any programming language. The underlying cause is that a programmer trusts input that comes from another web page. The input is passed along directly into the database; if the input is malformed in a particular way, the result is that the database will run code of the attacker’s choosing.
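The root cause described above can be seen in a short added example (not from the original article) that runs the same lookup two ways against an in-memory SQLite database. The table, rows and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """Build an in-memory table of constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    db.executemany(
        "INSERT INTO pages (owner, title) VALUES (?, ?)",
        [("alice", "Home"), ("alice", "Contact"), ("bob", "Podcast feed")],
    )
    return db

def titles_concatenated(db, owner):
    """Vulnerable pattern: request input is pasted into the SQL text."""
    sql = "SELECT title FROM pages WHERE owner = '" + owner + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def titles_parameterized(db, owner):
    """Hardened pattern: input travels as a bound value, never as SQL."""
    sql = "SELECT title FROM pages WHERE owner = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (owner,))]

def compare(owner):
    """Run both lookups on a fresh database and return (unsafe, safe) results."""
    db = make_db()
    try:
        unsafe = titles_concatenated(db, owner)
    except sqlite3.Error as exc:
        # A stray quote in ordinary input breaks the concatenated statement.
        unsafe = "SQL error: " + str(exc)
    return unsafe, titles_parameterized(db, owner)

if __name__ == "__main__":
    # Constructed inputs: a normal value, a name containing a quote,
    # and a value whose quote characters rewrite the WHERE clause.
    for value in ["alice", "O'Brien", "x' OR '1'='1"]:
        print(repr(value), compare(value))
```

With the concatenated query, the third input returns every row in the table and the second one fails with a syntax error; the parameterized query treats both as plain strings that match no owner.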

The result of the attacks is that the web pages being visited aren’t being loaded. Previously, the attack was redirecting users to a fake antivirus site. Websense noticed the attack starting on Tuesday, when 28,000 URLs were already compromised.

There are a number of pages on Apple’s iTunes store that are also infected, since Apple gets RSS feeds from podcasters who have been infected. These kinds of attacks have been happening for six months or more. Symantec’s Vikram Thakur, principal security response manager, says the LizaMoon SQL injection attack is unsophisticated and affects vulnerable web pages, many of which are not managed and are considered out-of-date. Hence, while there are a lot of compromised web pages, they may not be getting much traffic. Symantec says its antivirus products can detect the problem.


  • http://adsenseactive.com/ web marketing

    Can anyone say… Apple's Quicktime 0-day exploit?

  • http://www.computerrepairspro.net David Perry

    I have several websites that were infected with malware on April 5th, 2011. However, I did not realize that my websites were compromised until 2 weeks later, when I was trying to show my site to a friend and I saw the Google malware alert. Now I think the name of the malware was a little different, something like albetternet, and when I tried to download the infected site files from my FTP, my PC antivirus detected something like whitehous.org. 2 of my sites had WordPress and I found that even my database was infected. I am not sure if this was a result of some of my ads on Craigslist that took people to my websites, where someone was able to insert malicious code via WordPress comments, or if they simply guessed my web host's FTP account credentials and infected me that way. I ended up having to delete all my website files and reload them from a backup. I also needed to restore my WordPress databases. I also found out later how to clean the compromised files, but not the database. Now if your websites get hacked, please contact me and I will help you to clean them. I'll also help you report to Google so they can remove the blocks. I am also offering a service where I can back up your website and monitor it, the same way I am now doing with my own sites. I am also very good at removing fake antivirus programs and malware from any PCs.
