LizaMoon
LizaMoon is a piece of malware that infected thousands of websites beginning in September 2010. It is an SQL injection attack that spreads scareware encouraging users to install needless and rogue "anti-virus software". Although it does not use new infection techniques, it was initially thought to be notable because of the scale and speed at which it spread and because it affected some of Apple's iTunes service. LizaMoon was initially reported to the general public by Websense Security Lab.
Overview
Initial press statements reported that hundreds of thousands or even millions of sites were infected. McAfee estimated approximately 1.5 million hosts affected between March and April 2011. However, subsequent research has shown a much lower infection rate. Although initial estimates based on Google search data were thought to show hundreds of thousands of infected sites, the true number appears to be only in the thousands: according to Niels Provos, a security researcher at Google, Google's Safe Browsing database indicates the LizaMoon attacks began around September 2010 and peaked in October 2010, with approximately 5600 infected sites. Cisco researcher Mary Landesman has confirmed that the infection rate appears quite low.
How the web sites spreading the infection were attacked remains a mystery. However, hackers may inject vulnerable and popular websites with malicious code in order to spread the infection once users visit these sites. Users should never permit installation of software of unknown provenance from the Internet under any circumstances; those who follow this policy cannot be infected by LizaMoon. These types of malware, known as rogue antivirus software, appear under different names and logos such as "XP Security 2011", "Malware Scanner" or similar. After the initial installation, the software runs a fake scan showing non-existent malware on the system and in many cases requires the user to pay in order to remove the alleged malware.
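The mechanism described above, a database-backed site whose stored content is altered through SQL injection so that every visitor's page loads a script from an outside host, suggests two checks a site owner can run. The Python below is an added example, not code from this article or from any vendor named in it: it scans stored page content for script references to hosts outside an allowlist, and shows the parameterised query that keeps submitted text from ever becoming part of a statement. The table, sample rows, hosts (`cdn.example.org`, `injected.invalid`) and function names are all constructed for illustration.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"cdn.example.org"}

# Captures the src attribute of a <script> tag, quoted or unquoted.
SCRIPT_SRC = re.compile(r"<script[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

# Constructed rows standing in for a CMS database. The "News" body carries
# a script tag pointing at an outside host, the kind of addition a mass SQL
# injection leaves behind (injected.invalid is a reserved placeholder name).
SAMPLE_PAGES = [
    ("Home", '<p>Welcome</p><script src="https://cdn.example.org/app.js"></script>'),
    ("News", "<p>Latest</p><script src=http://injected.invalid/s.js></script>"),
    ("About", "<p>About us</p>"),
]

def build_db(rows=SAMPLE_PAGES):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    con.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", rows)
    return con

def script_hosts(text):
    """Hostnames of every external script referenced in an HTML fragment."""
    hosts = []
    for src in SCRIPT_SRC.findall(text or ""):
        if "//" not in src:       # relative path: same origin, not external
            continue
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def find_injected_scripts(con):
    """(page id, column, host) for every script host not on the allowlist."""
    hits = []
    for pid, title, body in con.execute("SELECT id, title, body FROM pages"):
        for col, text in (("title", title), ("body", body)):
            hits += [(pid, col, h) for h in script_hosts(text) if h not in ALLOWED_SCRIPT_HOSTS]
    return hits

def update_title(con, page_id, new_title):
    """Parameterised UPDATE: quotes or semicolons in new_title are stored as
    text and cannot become part of the SQL statement."""
    con.execute("UPDATE pages SET title = ? WHERE id = ?", (new_title, page_id))
    return con.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchone()[0]
```

Running `find_injected_scripts` periodically over a content database, or over rendered pages, surfaces the foreign script reference long before visitors report a fake scanner.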
Effects
As with all malware, LizaMoon is easier for a user to deal with by avoiding it than by attempting to repair the damage it causes after the fact. Fortunately, LizaMoon is easy for most users to avoid. The software requires the user to actively participate in downloading and installing it. Indeed, to become infected, a user must give permission to the software four times. LizaMoon asks the user to install a piece of rogue antivirus software to remove various non-existent "viruses" from the PC. The rogue AV software that is installed is called Windows Stability Center. Unfortunately, as of April 1, the file that is downloaded is detected by only 13 of 43 anti-virus engines according to VirusTotal.

Users should never pay for security software from an unknown source or untrusted brand. The malware writers initially entice users to download "free" security software so they can collect their financial information, such as credit card and bank account details.