The Lizamoon Website Infection

Websense reported here on a new infection that has hit thousands of websites.

This infection is referred to as LizaMoon because that is the first and most popular domain seen in this infection. I think, instead of lizamoon, it could be referred to as the “ur.php” infection, but that’s just my opinion.

You can tell if your website has this if any of your pages, when viewed through a browser, have code inserted that looks like:

[Image: lizamoon sql injection]

Some common traits that are interesting to note are:

1. The script tags have the &lt; and &gt; codes instead of “<” and “>”
2. The inserted code appears in the title tag
3. The inserted code appears in many drop-down listings
4. The infection appears to be only in .asp, .aspx and .cfm web pages

Many of these traits point to an apparent SQL injection because of where they’re located in the rendered webpage. Websense commented on their blog that this might be tracked to a vulnerability in Microsoft’s SQL 2003 and 2005. We don’t doubt their findings, but we could not confirm that ourselves. However, seeing that the infected sites are based on either ASP(X) or Cold Fusion, it does lead us to believe this.

Other domains used in this infection:

…and many others and the list will definitely be changing as this moves forward.

Many of the sites used as redirections in this infection are the fake anti-virus based websites where they (the hackers) try to trick the visitor into believing their PC is infected.

At the time we investigated this, we found that the fake anti-virus software these sites attempt to install on a visitor’s PC is known as “Windows Stability Center”. Currently this is only detected by 13 out of 43 different anti-virus programs – so its effectiveness could be quite high.

To check your website, you could either perform SQL queries or export your database and do a text search for the string “ur.php”, as that file seems to be associated with all the domains used in this infection.
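One way to run that text search over a database export, as an added example that is not part of the original post. It assumes the injected tag is a script element whose src points at a file named ur.php, checks both the plain and the &lt;/&gt; encoded form mentioned above, and uses constructed sample lines with placeholder hosts.

```python
import html
import re

# Assumed shape of the injected tag: a <script> element whose src points at
# /ur.php on some host. Quotes around the URL are optional.
INJECTED = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\s\"'>]+)/ur\.php",
    re.IGNORECASE,
)

def find_ur_php(lines):
    """Return (line_number, host, form) for every 'ur.php' hit in an export."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if "ur.php" not in line.lower():
            continue  # cheap pre-filter, same as a plain text search
        seen = set()
        # Try the line as stored, then with HTML entities decoded, so a tag
        # stored as &lt;script ...&gt; is caught as well.
        for form, text in (("raw", line),
                           ("entity-encoded", html.unescape(line))):
            for match in INJECTED.finditer(text):
                host = match.group(1).lower()
                if host not in seen:
                    seen.add(host)
                    hits.append((number, host, form))
        if not seen:
            # The string is present but not inside a script tag: likely
            # harmless, kept for manual review.
            hits.append((number, None, "text-only"))
    return hits

# Constructed sample export; hosts are placeholders, not real indicators.
SAMPLE_EXPORT = [
    "INSERT INTO products VALUES (1, 'Blue widget');",
    "INSERT INTO products VALUES (2, 'Red widget</title>"
    "<script src=http://injected.example/ur.php></script>');",
    "INSERT INTO pages VALUES (7, 'Menu &lt;script "
    "src=http://other.example/ur.php&gt;&lt;/script&gt;');",
    "INSERT INTO notes VALUES (9, 'see our.php docs');",
]

if __name__ == "__main__":
    for number, host, form in find_ur_php(SAMPLE_EXPORT):
        print(f"line {number}: host={host} form={form}")
```

The last sample row shows why a bare substring search needs a second look: “our.php” contains “ur.php” but is not an injected tag.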

Whether you want to call this the Lizamoon infection or use my suggestion of the “ur.php” infection, it’s infecting thousands of websites. As of this writing a Google search on the above script string shows 531,000 results.

Please comment on what you think about this. Have you been infected by this? Anyone have further insight?