Millions of sites hit with mass-injection cyberattack (LizaMoon - instructions included)

Computerworld ^ | 4/01/11 | Sarah Jacobsson Purewal

[Libloather]

Millions of sites hit with mass-injection cyberattack
By Sarah Jacobsson Purewal
April 1, 2011 10:37 AM ET

PC World - Hundreds of thousands -- and possibly millions -- of websites have been hit with a cyberattack that some are calling "one of the biggest mass-injection attacks we've ever seen."

The attack was discovered on March 29 by security firm WebSense, and the injected domain was called lizamoon.com -- thus, the name of the mass-injection is "LizaMoon." According to WebSense, LizaMoon uses SQL Injection to add malicious script to compromised sites. While the first injected domain was lizamoon.com, additional URLs have since been injected in the attack (WebSense has a full list here).

The method of using an injected script redirects users to a rogue AV site, which tries to get people to install a fake anti-virus program called Windows Stability Center.

When WebSecurity discovered the attack on March 29, 28,000 URLs had been compromised. The number quickly grew to 226,000, including many iTunes URLs (though the malicious code is neutralized by Apple).

**SNIP**

The number of infected sites now appears to be over 1.5 million (at the time of this blog post, a quick Google Search shows 1.53 million infected URLs) -- but WebSense is quick to point out that a Google Search is an inaccurate metric. Google search spits back unique URLs, not unique hosts. Thus, there are likely less than 1.5 million infected sites, but WebSense says it's safe to say that the number is in the hundreds of thousands.

The attack continues to rampage across the Internet, and currently doesn't show any signs of slowing down. So don't install any web-based anti-virus software that claims your computer is full of bugs.

[Gandalf_The_Gray]

PS I forgot to say I started first thing by shutting off my router. I've got a Tripp-Lite power distribution box under my monitor with switches for all the peripherals. Makes a partial shutdown of the system very quick and easy.

GtG

[UCANSEE2]

It presents itself as "XP Anti-Spyware" , and even has Microsoft-looking logos . It says your system is vulnerable , that your firewall is down , and other insidious messages .

I had it hit me once. The 'giveaway' was that it scanned my entire hard drive (supposedly) in just a few seconds. It did look remarkably 'official', but that's just part of the game.

[mdmathis6]

In safe mode clear your internet cache as well. The fake stuff installs and keeps running from the temporary internet cache and cookie files....if you clear it early your deeper system registry and kernels won’t get corrupted or rewritten.

[Tunehead54]

Thanks - Good advice! ;-)

[ThomasThomas]

If you don’t run as an admin these types of virus can’t install. You should run as a user unless install or making changes.

[max americana]

“So don’t install any web-based anti-virus software that claims your computer is full of bugs.”

No sh*t, what gave you that idea?