Websites Hit By Massive SQL Injection Attack

An outbreak of SQL injection attacks has infected over 380,000 sites

Over 380,000 URLs have been infected with malicious scripts in a massive SQL injection attack.

The injected code has been monitored over the past week as anti-malware companies worked out what was happening. The injected code redirects users to malicious addresses such as FakeAV and RogueAV.

Evolving And Spreading

The attack was first blogged about by Websense when only 28,000 sites were compromised but it soon started to spread across more URLs and domains. It was given the name LizaMoon by Websense because the original injected code called JavaScript routines stored at lizamoon.com, a URL registered a few days ago.

Apart from a score of anti-malware trackers watching LizaMoon’s progress, it appears that the attackers are also monitoring the situation. Fresh code pointers are updated on infected Web sites to point to new JavaScript-hosting sites as the older hosting URL addresses are blocked.

Extremely large as this attack may be, John Kuhn, a senior global Internet threat analyst at IBM Internet Security Systems, still reckons it is not yet the biggest injection attack in recent years.

“We are not seeing near the volume compared to the ‘asprox’ and ‘dnf666’ attacks,” he blogged. “The reason for this is simple, the attacks seem to source from a few choice IPs which correspond back to the site being injected into the victim’s database. The Asprox SQL Injection attack, for instance, utilised a botnet to do the mass injection, giving them far more reach and bandwidth.”

Several iTunes sites have been infected but the way iTunes works, by encoding script tags, means that users were never at risk as the code could not execute on their machines.

SQL injection seems to be enjoying a phase of popularity at the moment, and earlier this week sites belonging to Oracle’s Sun and MySQL subsidiaries were infected.