Lizamoon Mass SQL-Injection: Tried and Tested Formula
Analysis: Kevin Savage
Following on from our recent blog post on malicious Web injects affecting distribution of a malicious Android application, here is a more traditional type – but on a huge scale. Those of us in the security industry are well aware of a certain email address — firstname.lastname@example.org — which registers domains consistently used in mass SQL-injection attacks against vulnerable Web applications. This mass SQL-injection of a malicious iFrame was dubbed Lizamoon (as a result of the domain name used during similar attacks back in 2011).
Although the domains have changed, the technique remains the same: exploit vulnerable sites on a large scale with an SQL-injection attack, which will then direct users to websites containing malicious code. The current wave of injection is considerable, if we base this on the search results Google has indexed:
The IP address 18.104.22.168 has been identified in the attack and has four domains currently associated with it:
If you have visited a site with the injected iFrame, the following events will take place:
The i.html file serves up two exploits:
- CVE-2010-0188 – Trojan.Pidief
If vulnerable, this exploit attempt to download and execute a file from a location which no longer resolves.
- CVE-2012-0507 – Trojan.Maljava
If vulnerable, this exploit will successfully download and execute a Backdoor.Trojan from the following URL:
We are currently analyzing this file and will provide further updates once we’ve completed the analysis.
Symantec protects you against this attack with the following IPS signatures:
- 23956 Fake App Attack: Fake AV Redirect 29
- 24024 Fake App Attack: Misleading Application File Download 3
- 24319 Fake App Attack: Fake AV Website 21
- 25559 Fake App Attack: Fake Scan Webpage 4
The exploits used in this attack are known vulnerabilities and already patched. Please ensure you apply the latest patches and have your antivirus up to date.