The Register® — Biting the hand that feeds IT

Feeds

LizaMoon mass-injection attack reaches epidemic proportions

iTune URLs and 380,000 other pages poisoned

By John Leyden, 31st March 2011
  • print
  • alert

Regcast training : Hyper-V 3.0, VM high availability and disaster recovery

Malware writers are using website vulnerabilities to inject malicious scripts into thousands of websites as part of an ambitious attack ultimately designed to redirect surfers to a site pimping rogue anti-virus packages.

The so-called LizaMoon mass-injection attack uses SQL injection trickery to inject a line of malicious code into compromised pages, as explained in an advisory by net security firm Websense here. According to a Google Search, over 380,000 URLs have been compromised, including several web locations associated with iTunes URLs, as part of the attack.

The count only looks at unique URLs, not infected hosts, a more meaningful metric. Even so the assault still counts as among the most widespread mass-injection attacks on record. The assault, first spotted on Tuesday, started off using the domain lizamoon.com, but since then other domains have been deployed in the attack.

The domains linked to the attack host basic JavaScript code that redirects surfers towards a well-known rogue anti-virus site. This trick only worked in cases where surfers first visited a compromised site. Downloading podcasts or music via iTunes was never a risk thanks to the architecture of Apple's service.

Patrick Runald, of Websense Security Labs, explained: "iTunes downloads RSS/XML feeds from the publisher to update the podcast and list of available episodes. We believe these RSS/XML feeds have been compromised with the injected code. The good thing is that iTunes encodes the script tags, which means that the script doesn't execute on the user's computer." ®

Agentless Backup is Not a Myth

COMMENTS

House Rules Send Corrections
All Reader Comments (4)
Latest Comments
A handle is required
Reply Icon

Well,

while software has been upgraded over the years, humans haven't been. We still make mistakes, regardless of how many safeguards are put in place.

0
0
GoD2.0

Trying to find a fix

I am now trying to work on a quick-fix for infected sites. For this I need examples of infected files. Please help by uploading your infected web-sites at http lizamoon.tenea.eu

0
0
Gilgamesh

1998 called, they want their exploit back

It's 2011, how is this even still possible?

Anyone still allowing this sort of thing to happen to their site deserves all they get.

0
0

More from The Register

breaking news
Number of cops abusing Police National Computer access on the rise
Only a telegram from the Queen can get you off it
133
breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
96
Flash flaw potentially makes every webcam or laptop a PEEPHOLE
But it's a Google problem - Chrome only, insists Adobe
59
breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
90
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
33
breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
68
breaking news
Yahoo! joins! rivals! in! PRISM! data! request! admission!
Keep calm and carry on using American tech firms, folks
41
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
30
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
17
breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
15