The Latest in IT Security

Lizamoon Mass SQL-Injection: Tried and Tested Formula


Analysis: Kevin Savage

Following our recent blog post on malicious Web injects, here is an example affecting the distribution of a malicious Android application. This is an example of a traditional type but on a larger scale. Those of us in the security industry are well aware of a certain email address—[email protected]—which registers domains consistently used in mass SQL-injection attacks against vulnerable Web applications. This mass SQL-injection of a malicious iframe was dubbed Lizamoon (as a result of the domain name used during similar attacks back in 2011).

Although the domains have changed, the technique remains the same: exploit vulnerable sites on a large scale with an SQL-injection attack, which will then direct users to websites containing malicious code. The current wave of injection is considerable, if we base this on the search results Google has indexed:

The IP address has been identified in the attack and has four domains currently associated with it:


If you have visited a site with the injected iframe, the following events will take place:

Infected site
[hxxp]://[ENCODED DATA]
[hxxp]://[ENCODED DATA]

The i.html file serves up two exploits:

  1. CVE-2010-0188 – Trojan.Pidief

    If vulnerable, this exploit attempt to download and execute a file from a location which no longer resolves.

  2. CVE-2012-0507 – Trojan.Maljava

    If vulnerable, this exploit will successfully download and execute a Backdoor.Trojan from the following URL:


We are currently analyzing this file and will provide further updates once we’ve completed the analysis.


Symantec protects you against this attack with the following IPS signatures:

  • 23956 Fake App Attack: Fake AV Redirect 29
  • 24024 Fake App Attack: Misleading Application File Download 3
  • 24319 Fake App Attack: Fake AV Website 21
  • 25559 Fake App Attack: Fake Scan Webpage 4

The exploits used in this attack are known vulnerabilities and already patched. Please ensure you apply the latest patches and have your antivirus up to date.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments