An engineer from Google says Websense’s method of measuring the scale of the attack is inaccurate
The SQL injection attack known as LizaMoon may not be as widespread as was first thought, according to new analysis by a Google engineer.
LizaMoon is a massive SQL injection attack which is thought to have infected over 500,000 URLs with malicious scripts. The injected code redirects users to malicious addresses containing fake AV and rogue AV. The attack was uncovered by security company Websense, which blogged about the attack on 29 March, when only 28,000 sites had been compromised.
Measuring the impact
In an updated post on 31 March, Websense warned that a search on Google returned more than 1.5 million results that had a link with the same URL structure as the initial attack. “Google Search results aren’t always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time,” it said.
However, according to analysis by Google Principal Engineer Niels Provos, a better way to measure the attack is to count the number of sites that have a functioning reference, rather than simply Googling the URL. In this way, Provos was able to leave out those URLs that had the code but didn’t actually redirect users.
He found that the Lizamoon campaign started around September 2010 and actually peaked in October 2010 with 5,600 infected sites – although it is now undergoing a revival. It is in fact substantially smaller than previous SQL injection attacks such as Gumblar.cn/ and Martuz.cn/ in 2009.
“For future studies of SQL injections, I suggest taking the number of infected sites as a more reliable measure than counting the number of infected URLs,” he wrote in a blog post.
Other security experts are reporting that the attack succeeded in ensnaring very few victims, as many of the domains used by LizaMoon’s creators to peddle scareware were shut down very soon after they were created. According to Rik Ferguson, senior security advisor at Trend Micro, the company only had to block around 2,000 attempts to visit the domains.
“The sites that were compromised by the SQL injection attack were comparatively low profile sites and thus the attack did not gain significant momentum,” Ferguson told BBC News.
Despite this, SQL injections seem to be going through a phase of popularity with cyber criminals at the moment. Last week, for example, sites belonging to Oracle’s Sun and MySQL subsidiaries were infected, exposing database names and email addresses.