The Latest in IT Security

Lizamoon Mass SQL-Injection: Tried and Tested Formula

08
May
2012

Analysis: Kevin Savage

Following our recent blog post on malicious Web injects, here is an example affecting the distribution of a malicious Android application. This is an example of a traditional type but on a larger scale. Those of us in the security industry are well aware of a certain email address—[email protected]—which registers domains consistently used in mass SQL-injection attacks against vulnerable Web applications. This mass SQL-injection of a malicious iframe was dubbed Lizamoon (as a result of the domain name used during similar attacks back in 2011).

Although the domains have changed, the technique remains the same: exploit vulnerable sites on a large scale with an SQL-injection attack, which will then direct users to websites containing malicious code. The current wave of injection is considerable, if we base this on the search results Google has indexed:

The IP address 31.210.100.242 has been identified in the attack and has four domains currently associated with it:

  • hgbyju.com
  • hnjhkm.com
  • nikjju.com
  • njukol.com

If you have visited a site with the injected iframe, the following events will take place:

Infected site
[REDIRECTS] →
[hxxp]://njukol.com/r.php
[REDIRECTS] →
[hxxp]://www3.safe-defensefu.com/?f1hlu4a=[ENCODED DATA]
[REDIRECTS] →
[hxxp]://www1.powermb-security.it.cx/ntzjc62?vjgtl=[ENCODED DATA]
[REDIRECTS] →
[hxxp]://www1.powermb-security.it.cx/i.html

The i.html file serves up two exploits:

  1. CVE-2010-0188 – Trojan.Pidief

    If vulnerable, this exploit attempt to download and execute a file from a location which no longer resolves.
     

  2. CVE-2012-0507 – Trojan.Maljava

    If vulnerable, this exploit will successfully download and execute a Backdoor.Trojan from the following URL:

    [hxxp]://www2.smartqz-army.dnset.com

We are currently analyzing this file and will provide further updates once we’ve completed the analysis.
 

Protection

Symantec protects you against this attack with the following IPS signatures:

  • 23956 Fake App Attack: Fake AV Redirect 29
  • 24024 Fake App Attack: Misleading Application File Download 3
  • 24319 Fake App Attack: Fake AV Website 21
  • 25559 Fake App Attack: Fake Scan Webpage 4

The exploits used in this attack are known vulnerabilities and already patched. Please ensure you apply the latest patches and have your antivirus up to date.

Leave a reply


Categories

MONDAY, MAY 25, 2020
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments