Endpoint Protection

  • 1.  Looking for Lizamoon information (Scareware outbreak 03/2011)

    Posted Apr 06, 2011 03:19 AM

    Hi, does anybody know what Symantec has on the Lizamoon threat circulating recently?

    I still don't know the name Symantec gave the threat, although I read somewhere that it's a low-level malware that uses SQL code injection on unpatched MS SQL servers (meaning, old versions), changes the web address and adds a lizamoon.com redirection to the attacked website. And that they've already had that in their defs. At least, that's how I understood it.

    Other than that, I have no clue.



  • 2.  RE: Looking for Lizamoon information (Scareware outbreak 03/2011)

    Broadcom Employee
    Posted Apr 06, 2011 03:42 AM

    I did a quick search; the website says Symantec detects the threat, however the name is not known :-)

    http://venturebeat.com/2011/04/01/huge-malware-attack-compromises-more-than-1-5-million-web-pages/



  • 3.  RE: Looking for Lizamoon information (Scareware outbreak 03/2011)

    Posted Apr 06, 2011 04:53 AM
    This contains a video on someone trying to get himself infected with the alleged worm:
     
    Incidentally, the screen GUI is similar to what I've observed 2 years ago.


  • 4.  RE: Looking for Lizamoon information (Scareware outbreak 03/2011)

    Posted Apr 06, 2011 05:03 AM

    Further reading shows that it is similar to the Gumblar attack of '09:

    http://www.symantec.com/security_response/writeup.jsp?docid=2009-051900-3410-99

    Will keep you guys posted.



  • 5.  RE: Looking for Lizamoon information (Scareware outbreak 03/2011)

    Posted Apr 07, 2011 03:34 AM

    "

    Sophos Perspective
    SophosLabs have been monitoring these attacks and have protected customers in several ways:

    • detecting the fake AV pages as Mal/FakeAVJS-A
    • detecting the fake AV payload as Mal/FakeAV-IP
    • blocking access to the known sites used in this attack with URL filtering at the endpoint and web gateway

    Additionally, detection for web pages injected with the malicious script element has been released today as Troj/Badsrc-L.

    "

    Still looking into what Symantec has to say about this...



  • 6.  RE: Looking for Lizamoon information (Scareware outbreak 03/2011)

    Posted Apr 07, 2011 03:55 AM

    The Lizamoon SQL injection attack is not new; it’s actually part of a continuous SQLi attack that spans the past seven months. Lizamoon.com is just one of the more recent of the 40+ malware domains that have been used in the ongoing injection attacks. Here are some quick facts regarding the SQLi / Lizamoon compromises:

    • A total of 42 malware domains have been observed during the 7 months this attack has been ongoing;
    • The first encounter Cisco ScanSafe recorded was 20-sep-10 21:58:08 GMT;
    • Only 0.15% (zero point one five percent) have involved encounters with functional / active malware domains;
    • 99.85% of encounters have involved malware domains that were non-resolvable (shutdown / offline) at the time of encounter;
    • 55% of the encounters occurred on March 25th when the Lizamoon domain was added;
    • The high rate of encounters on the 25th was solely due to a single high profile website that was compromised;
    • Of the Lizamoon encounters on March 25th, only 0.13% were encounters with the live domain. 99.87% were non-resolvable (i.e. the domain was offline / not delivering content).

    Here's the current list of domains we've observed in these attacks, from September 2010 through March 31, 2011:


    From: http://blog.scansafe.com/journal/2011/4/1/lizamoon-sql-injection-7-months-old-and-counting.html

    Thanks to: Mary Landesman
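    The check a web admin would run after an injection like the one described in this thread (a script element pointing at lizamoon.com or one of its sibling domains written into stored page content): scan dumped text columns for external scripts whose host matches a blocklist. This is an added example, not code from Symantec, Sophos or ScanSafe; the blocklist mixes lizamoon.com, which the thread names, with constructed `.invalid` placeholders, and the sample rows are constructed.

```python
"""Find <script src=...> elements pointing at known malicious hosts in HTML
fragments, e.g. text columns dumped from a web application's database."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# lizamoon.com is named in the thread; the .invalid entries are constructed
# placeholders standing in for the other injected domains.
BLOCKLIST = {"lizamoon.com", "example-stats.invalid", "example-loader.invalid"}

# Constructed sample rows (table, column, stored text); the injected tag uses
# an unquoted src, a common shape for mass-SQLi payloads.
SAMPLE_ROWS = [
    ("products", "description", "<p>Blue widget, <b>in stock</b></p>"),
    ("news", "body", "Hello<script src=//WWW.Lizamoon.com/injected.js></script>"),
    ("news", "body", '<script src="/static/site.js"></script>'),
]

def script_host(src):
    """Lowercase hostname of a script src; handles scheme-relative URLs,
    ports and trailing dots. Returns None for same-origin (relative) paths."""
    src = src.strip()
    if src.startswith("//"):
        src = "http:" + src
    host = urlsplit(src).hostname  # already lowercased, port removed
    return host.rstrip(".") if host else None

def is_blocked(host):
    """True if host or any parent domain is blocklisted, so www.lizamoon.com
    matches but notlizamoon.com (a substring match) does not."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels) - 1))

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def find_injected_scripts(html):
    """Return src values of external scripts in html that point at a blocked host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [s for s in parser.srcs if (h := script_host(s)) and is_blocked(h)]

def scan_rows(rows):
    """rows: iterable of (table, column, text). Returns (table, column, src) hits."""
    return [(t, c, s) for t, c, text in rows for s in find_injected_scripts(text)]
```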