A ton of web pages have been compromised by a huge malware attack dubbed LizaMoon.
The attack shows that malware is a bigger menace than ever and that many web sites aren’t protected.
More than 500,000 pages have been compromised and are linked to a site called lizamoon.com, but more than 1.5 million web URLs also appear to be compromised in a similar way. The attack is still proceeding unabated, according to Websense Security Labs.
Dave Marcus, director of security research and communication on McAfee Labs, said, “This type of threat vector is common and actually happens all the time, however it’s not always on this scale. There are many tools that exist currently that do this in an automated fashion.”
The attack is an SQL injection attack, which exploit badly written web applications and mess up a web site’s databases. Through programming errors, SQL injection attacks can be launched in any programming language. The underlying cause is that a programmer trusts input that comes from another web page. The input is passed along directly into the database; if the input is malformed in a particular way, the result is the database will run code of the attacker’s choosing.
The result of the attacks is that the web pages being visited aren’t being loaded. Previously, the attack was redirecting users to a fake antivirus site. Websense noticed the attack starting on Tuesday, when 28,000 URLs were already compromised.
There are a number of pages on Apple’s iTunes store that are also infected, since Apple gets RSS feeds from podcasters who have been infected. These kinds of attacks have been happening for six months or more. Symantec’s Vikram Thakur, principle security response manager, says the LizaMoon SQL injection attack is unsophisticated and affects vulnerable web pages, many of which are not managed and are considered out-of-date. Hence, while there are a lot of compromised web pages, they may not be getting much traffic. Symantec says its antivirus products can detect the problem.
[photo credit: mac forensics lab]