Viral Scareware Infects Four Million Websites
oxide7 writes "A fast-spreading SQL injection attack that illegally peddles a bogus scareware has been breaking anti-virus barriers and compromising millions of websites, besides defrauding unsuspecting victims. The news of this attack was brought out by Websense Security Labs in its blog last week. Websense said its Threatseeker Network identified a new malicious mass-injection campaign which it named LizaMoon."
http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx
Which sites are vulnerable? Is there any more precise information than "outdated CMS and blog systems"?
Only people who've been thoroughly windows-indoctrinated could use terminology like that -- it actually means nothing at all, except "we don't know what we're doing here".
Caveat Utilitor
Anyways, as said before, there are plenty of guides (including by the NSA) on how to not suffer cross-scripting attacks. That anyone still suffers from them is not through a lack of resources.
SQL injections and XSS attacks aren't necessarily related.
XSS attacks require you to push the parameters in the URL itself. If an attacker modifies the SQL, they don't need to change anything; you just visit the site, and they'd change it 'server side' instead. So it's much more dangerous, and there's no real way for the user to avoid it, except of course turning off scripts, I would assume. And being careful about links.
I'd interpret it as "our firewall AV isn't stopping it", which is fine because AV software isn't a generic solution but one that detects specific, well-defined viruses. And when you shove it onto a firewall, it can't do much checking if you don't want horrible packet loss.
What it does mean, though, is that whoever wrote the article doesn't use NIDS or HIDS (the former will detect cross-scripting attacks, the latter will detect changes to files that aren't supposed to change) but relies entirely on anti-virus software on a (probably) mis-configured firewall that (likely) is running obsolete software.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
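The comment above distinguishes a NIDS from a HIDS by what each watches, and names the HIDS job as spotting changes to files that aren't supposed to change. The following is an added example of that idea, not code from the article or from any product mentioned in the thread: it hashes a web root into a baseline, takes a fresh snapshot later, and reports added, removed and modified files. The sample web root, the appended script tag and the dropped file are all constructed inside the script, and the hostname example.invalid is a placeholder.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under root (path relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = hash_file(full)
    return result


def diff_snapshots(baseline, current):
    """Compare a trusted baseline against a fresh snapshot; returns sorted lists per category."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a tiny web root, a baseline, then two changes nobody authorised."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "css"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html><body>Hello</body></html>\n")
        with open(os.path.join(root, "css", "site.css"), "w") as fh:
            fh.write("body { margin: 0; }\n")
        baseline = snapshot(root)  # taken while the tree is known-good

        # Simulated tampering (constructed): a script tag appended to an existing page,
        # and a new file dropped into the web root.
        with open(os.path.join(root, "index.html"), "a") as fh:
            fh.write('<script src="http://example.invalid/fake-av.js"></script>\n')
        with open(os.path.join(root, "dropped.php"), "w") as fh:
            fh.write("<?php /* placeholder */ ?>\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The baseline only has value if it is taken from a known-good tree and stored where the web server's own account cannot rewrite it; otherwise whoever alters the files can alter the baseline too. Real HIDS tools add scheduling, alerting and exclusion lists for paths that legitimately change (logs, caches), but the comparison at the core is this one.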
"These latest viruses attack your computer's humours, exchanging its good aire for foul and musty spirits, thus disrupting the subtle fires necessary to process your data. Most inauspicious. That's why you need Semantec's Miracle Oil, the Ninth Wonder of the Worlde!"
Caveat Utilitor
Moreso, 24 out of 42 of the scanners on virustotal detect it at the moment.
Maybe the fake AV itself, but yesterday I downloaded (using wget, of course) the script file that redirects you to the malware site, and sent it to virustotal. Zero detections.
"City hall" in German is "Rathaus" Kinda explains a few things......
The submitter clearly didn't read the damn article.
All it does is force sites to display an ad for a trojan. It does NOT "break AV barriers" nor do absolutely anything to users who aren't stupid enough to actually install the software.
It's still a problem, because yes, a good number of idiots will fall for it, but fake security software scams have been around pretty much since there's been banner advertising on the net.
As for why this is hitting 4 million sites, I blame a lot of beginner tutorials that are quick to teach people the basics of web development but gloss over security or don't mention it at all. SQL injection is stupidly easy. Either
A:
-Call a function to escape all characters that could force the server to run entered code. In the extremely unlikely event that you're using a language that doesn't have a built-in function for this, it's not at all difficult to write your own (or grab someone else's).
or
B:
-Make use of prepared statements, and call those instead of feeding SQL directly to the server.
Either works. Doing neither is simply asking for it.
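The two options the comment lists, escaping versus prepared statements, are shown side by side below next to the unprotected version. This is an added example written for this thread, not code from the article, from Websense or from the commenter; it uses Python's standard sqlite3 module and a constructed in-memory users table. The escaping in option A is the SQL-standard doubling of single quotes, written out by hand here so the mechanism is visible; in real code the escaping function should come from the database driver, because it knows the server's character set and quoting rules, and it only protects a quoted string context (a number spliced into a query unquoted needs its own validation).

```python
import sqlite3


def make_db():
    """Constructed sample database: three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_concat(conn, name):
    """Neither A nor B: the input is pasted straight into the SQL text, so the server
    reads any quote or keyword in it as part of the query rather than as data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    """Option A: escape the one character that can terminate a SQL string literal.
    Doubling a single quote keeps the whole input inside the literal."""
    escaped = name.replace("'", "''")
    sql = "SELECT name FROM users WHERE name = '" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """Option B: a parameterised (prepared) statement. The query text is fixed and
    the driver passes the value separately, so it can never change the query's shape."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def compare(name):
    """Run the same input through all three lookups; returns the rows each one gave back."""
    conn = make_db()
    return {
        "concat": lookup_concat(conn, name),
        "escaped": lookup_escaped(conn, name),
        "prepared": lookup_prepared(conn, name),
    }


if __name__ == "__main__":
    # An ordinary name behaves the same everywhere.
    print(compare("bob"))
    # A quote in the input: the concatenated query's WHERE clause is rewritten and
    # returns every row; the escaped and prepared versions look for a user literally
    # called "bob' OR '1'='1" and correctly find nobody.
    print(compare("bob' OR '1'='1"))
```

Option B is the one to reach for by default: it makes the correct behaviour the only behaviour, whereas option A has to be applied at every single call site and silently fails the first time someone forgets.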
Scammers sometimes use "mules", people who are in desperate need of a job and agree to handle payments to "a foreign business that needs a representative in the country". They receive the money and then use something like Western Union to funnel the money to the "business"/scammers in an untraceable way. Money laundering isn't just for drug cartels anymore. If you take a stroll through your spam folder, you'll probably find a few "job offers" like that. Needless to say, this is very illegal and nobody should even consider participating in something like that, no matter how desperate they are. The mules get caught every time.
Actually I'd say the problem isn't Windows, it is PEBKAC, which NO OS will solve or they would have done so by now. I just got finished cleaning one of these scareware infections where the user uninstalled their working AV to install the malware. Now why would they do that, you say? Simple: they saw the number of "infections" reported on the fake scareware page and decided their good AV must not be working (since it wasn't reporting the non-existent viruses) and therefore "must have gone bad" like cheese in the fridge, and tossed it to install the malware.
Now show me ANY OS that would protect the system from that level of stupid, I dare you. You can't, because idiot proofing will always be defeated by the bigger idiot. For Linux here is a nice trick, how to write a Linux virus in 5 easy steps that uses nothing but bog standard social engineering. Hell, it doesn't even need root to be able to do all the things your average malware writer wants to accomplish. And we know this works because they used similar methods in the KDELook attack, where thousands of KDE users were infected by fake screensavers that were actually malware. Sound familiar?
So it is real simple, folks: if the user has install rights then they have the ability to screw themselves, full stop. You can try education, making them jump through hoops like UAC or root prompts; it doesn't matter. It is the classic dancing bunnies problem where if the user WANTS the malware (and that is what it all boils down to, the malware uses fear or social engineering to convince the user they want to install the malware, a classic con game) then by God they're gonna get that malware whether you like it or not!
So in the end you do what you can, make sure they have a backup solution, and be ready to clean up the messes when they happen. It reminds me of how an old Linux admin of mine ended up being threatened with firing and had to show up before the head of the regional office because the PHB over him was demanding he allow the PHB's emails from Melissa without interference. In the end there is only so much you can do, you just can't knock the stupid out of some folks.
ACs don't waste your time replying, your posts are never seen by me.