October 24, 2014

SQL Injection Attack Hits Over 1 Million ASP.NET Pages (and Counting)

(LiveHacking.Com) – An SQL injection attack that infects web pages and causes drive-by downloads of malware is spreading rampantly. Reported last week by Armorize, the SQL injection attack, which targets ASP.NET sites, had infected some 180,000 pages. The Register reported on Friday that this number had grown to over 600,000. Now, according to a Google search, the number of infected web pages is over 1,000,000.

Infected sites carry invisible links to sites including jjghui.com and nbnjkl.com. These sites in turn redirect to several other websites, including www3.strongdefenseiz.in and www2.safetosecurity.rr.nu, that include hidden code to exploit known vulnerabilities in Adobe PDF, Adobe Flash or Java. Any PC with unpatched versions of these programs will most likely become infected with malware. Servers used in the attack have IP addresses based in the US and Russia.

This current round of SQL injection attacks seems to be similar to the LizaMoon attacks which appeared in March and April of this year. The security company Sucuri has noted that the registration information for the domains used in this attack is the same as that used for the earlier LizaMoon domains:

Technical Contact:
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us

One thing worth noting is that at the time of the LizaMoon attacks Google mentioned that:

“Google Search results aren’t always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.”

Sites can be scanned to make sure they are clean (or not) at http://sitecheck.sucuri.net
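
For a local check of pages you have already crawled, the sketch below is an added example (not from the original article or from Sucuri). It looks for live `src`/`href` references to the two domains named above and reports both the per-URL and the per-site count, which is the distinction Google's caveat draws. The sample pages, hostnames and script paths are constructed.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the article names as targets of the injected links.
INJECTED_DOMAINS = {"jjghui.com", "nbnjkl.com"}

class RefCollector(HTMLParser):
    """Collect every src/href attribute value found in a page."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        self.refs += [v for k, v in attrs if k in ("src", "href") and v]

def is_injected(ref):
    """True if ref points at a listed domain or one of its subdomains."""
    try:
        host = (urlsplit(ref).hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL in the markup
        return False
    return any(host == d or host.endswith("." + d) for d in INJECTED_DOMAINS)

def scan(pages):
    """pages maps page URL -> HTML; returns (infected URLs, infected sites)."""
    by_site = defaultdict(list)
    for url, html in pages.items():
        parser = RefCollector()
        parser.feed(html)
        if any(is_injected(r) for r in parser.refs):
            by_site[urlsplit(url).hostname].append(url)
    urls = sorted(u for group in by_site.values() for u in group)
    return urls, sorted(by_site)

# Constructed sample crawl (hypothetical hosts and paths, not real data).
SAMPLE_PAGES = {
    "http://shop.example/item.aspx?id=1":
        '<p>Item 1</p><script src="http://jjghui.com/example.js"></script>',
    "http://shop.example/item.aspx?id=2":
        '<p>Item 2</p><script src="//nbnjkl.com/example.js"></script>',
    "http://blog.example/post.aspx?id=7":
        '<a href="http://www.nbnjkl.com/" style="display:none">x</a>',
    # Mentions the domain in text only: a search hit, not a live reference.
    "http://news.example/story.aspx": "<p>Links to jjghui.com were injected</p>",
    # Lookalike host that must not match.
    "http://other.example/": '<a href="http://notjjghui.com/">unrelated</a>',
}

if __name__ == "__main__":
    urls, sites = scan(SAMPLE_PAGES)
    print(f"{len(urls)} infected URLs on {len(sites)} sites: {sites}")
```

On the sample, a plain text search would flag four pages, while the scan reports three URLs with a working reference across two sites.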

LizaMoon SQL-injection Attack Not as Large as First Thought

Over the last few days, the Internet has been throbbing with news of an SQL-injection attack dubbed LizaMoon, which was reported to have infected hundreds of thousands of web pages, including iTunes. However, these numbers were calculated using Google’s search engine and the number of results available for web pages with the relevant terms in them. Now PCPro has been speaking to a Google engineer, and it seems the damage might not be as bad as first thought.

Niels Provos, a principal engineer at Google, has counted the sites with a functioning reference, leaving out those that had the code but didn’t actually redirect users. What he found is that the LizaMoon attack actually peaked in October with 5,600 infected sites, but is currently “undergoing a revival”.

On 29th March 2011 Websense reported that, according to a Google search, over 226,000 URLs had been compromised. This included several iTunes URLs. On the 31st March they reported that a search on Google returned more than 1,500,000 results that have a link with the same URL structure as the initial attack.

However, they did mention that “Google Search results aren’t always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.”

Using the same search today Google reported 4,670,000 results!

The attack is named LizaMoon after one of the URLs that are injected into web sites. These rogue URLs redirect users to scareware sites, which generate messages warning users that their computer is infected with viruses and offer to sell them antivirus software.