Rogue AV peddler behind LizaMoon SQL injection attack?

Business IT - Security

A new SQL injection attack has compromised tens of thousands of URLs, according to a security vendor. The attack was initially used to push rogue AV malware.

Websense Security Labs officials say they have discovered a new SQL injection attack that has compromised more than 28,000 URLs, including some on iTunes. At the time of writing the number appeared to have increased to more than 80,000, though a (presumably small) proportion of those would be pages describing the attack itself rather than compromised pages.

The attack has been dubbed LizaMoon because it uses a script hosted at lizamoon.com, a domain recently registered with fake contact information.

Websense officials suggested the iTunes URLs were affected by attacking podcast publishers' RSS feeds, and noted that the way Apple encodes script tags prevents the scripts from running on the target computer.

In situations where it did run, the script redirected to "a well-known rogue AV site," they said.

Both the site hosting the script and the rogue AV site are now said to be unreachable.

SQL injection attacks rely on poor coding practices that allow commands to be executed by including them in strings such as search parameters. There have been suggestions that some of the affected sites were using third-party routines that were vulnerable to the attack.
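The three defences the article touches on, as an added example that is not from the article or from Websense: a search parameter bound as data rather than concatenated into the SQL string, an audit of stored text fields for script tags that load from an external host, and encoding on output so a stored tag cannot run. The `episodes` table, the function names and the host `injected.example` are constructed for illustration.

```python
import html
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample rows: one clean title, one with a script tag appended.
ROWS = [
    (1, "Weekly Tech Podcast"),
    (2, "Gardening Hour</title><script src=http://injected.example/x.js></script>"),
]

# Captures the src value of any <script ... src=...> tag, quoted or not.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def make_db():
    """Build an in-memory database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE episodes (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO episodes VALUES (?, ?)", ROWS)
    return db


def search(db, term):
    """Search by title. The term is a bound parameter, so quotes and SQL
    keywords inside it are matched as text and never parsed as SQL."""
    sql = "SELECT id, title FROM episodes WHERE title LIKE ?"
    return db.execute(sql, ("%" + term + "%",)).fetchall()


def find_injected_scripts(db, allowed_hosts=()):
    """Return (row id, host) for stored script tags that load from a host
    outside allowed_hosts. Relative src values have no host and are skipped."""
    hits = []
    for row_id, title in db.execute("SELECT id, title FROM episodes ORDER BY id"):
        for src in SCRIPT_SRC.findall(title):
            host = urlparse(src).hostname
            if host is not None and host not in allowed_hosts:
                hits.append((row_id, host))
    return hits


def render_title(title):
    """Encode on output: a stored tag is shown as text, not executed."""
    return "<title>" + html.escape(title) + "</title>"
```

A hit from `find_injected_scripts` means the row was already modified, so it calls for cleaning the data and finding the vulnerable query, not only for encoding the output.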