Cisco Blogs

Lizamoon – Much Ado About Very Little?

April 4, 2011

Recent media reports have focused on a mass SQL injection attack involving a malware domain named While the domain is new, this particular series of SQL injection compromises is actually several months old. Cisco ScanSafe logs record the first instance on 20-sep-10 21:58:08 GMT. Since then, various malware domains have been used for a total of 42 domains signifying 42 separate occurrences of these compromises since September 2010. was the 41st of these.

Cisco ScanSafe data reveals that from Sept 2010 to Feb 2011, all the compromises were on smaller, low traffic sites. Any encounters likely resulted from Web searches for very niche topic areas. As a result, the number of encounters with these compromised websites remained very low. Most importantly, this attacker is employing severe throttling such that only 0.15% of encounters even result in live content delivery. The remaining 99.85% of encounters are non-resolvable at the time of encounter. The result is a negligible rate of actual encounter with live content.

On March 25th, attackers deployed a new round of automated injections referencing At that time, a security firm conducted a Web search that led to the mistaken conclusion that a massive SQL injection was underway, which in turn led to considerable media focus. In turn, loosely defined search queries and misinterpretation of search results by interested parties led to unfounded claims that hundreds of thousands – and in one instance, 1.5 million – websites were compromised.

In fact, the number of sites compromised is considerably lower than claimed. Throughout the entire seven month run of these SQL injection attacks, Cisco ScanSafe has observed only 1154 unique compromised websites (Sep 20, 2010 – Mar 31, 2011).

Combined with the 0.15% live encounter rate, the risk from these SQL injection attacks remains negligible.

Regarding estimates of anywhere from 28,000 to 388,000 to 1.5M alleged compromises, here are a few further clarifications:

  1. These estimates are based on Google searches. These searches are returning URLs – i.e. Web pages, not websites.
  2. Many of the search queries have been very loosely defined, resulting in tens and hundreds of thousands of false positives in the count.
  3. The search queries also return pages with people just talking about the SQL injection attacks – bloggers, forum posts, news articles, etc. These pages increase substantially as word spreads and thus it can lead to the false impression that numbers are rising dramatically.
  4. Many of the search results contain properly escaped SQLi attempts, which are harmless, i.e. the script on those pages cannot run.

In the 0.15% of instances where the encounter does result in live content, the user is redirected to a second malware domain which attempts to install scareware. Cisco ScanSafe detects and blocks these attempts and has done so since the onset of the attacks seven months ago.

Custom IPS Signature For Lizamoon-related SQL Injection

Although the risk is extremely low, due to intense media interest, Cisco will provide IPS signature 35285-0 in signature update S557. This signature will detect hosts infected by the Lizamoon SQL injection attack. If the sensor or CSM is configured to automatically download updates, the latest signature protection will be applied according to the configured update schedule.

In the interim, customers can apply the following custom signature, which is equivalent to signature 35285-0. The engine parameters with green check marks are the parameters which should be modified. The image does not show the entire regular expression. The regular expression is “[\x3c]script\x20src[\x3d]http[\x3a][\x2f\x5c][\x2f\x5c][^\x20]*[\x2f][Uu][Rr][\x2e][Pp][Hh][Pp][\x3e][\x3c][\x2f]script[\x3e]”. Note that the web browser may wrap the regex; it should not have any white space in it.

Custom Signature for 35285-0
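
An added example, not part of the original post and not Cisco's own tooling: the regular expression quoted above, run with Python's `re` module over constructed page bodies. It shows that the pattern matches the raw injected tag but not the properly escaped copies or discussion pages that inflated the search-based counts, and that matching pages are not the same as matching sites. The `.example` hosts and the `classify` and `tally` helpers are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Regex quoted in the post for custom signature 35285-0 (copied unchanged).
SIG = re.compile(
    r"[\x3c]script\x20src[\x3d]http[\x3a][\x2f\x5c][\x2f\x5c][^\x20]*"
    r"[\x2f][Uu][Rr][\x2e][Pp][Hh][Pp][\x3e][\x3c][\x2f]script[\x3e]"
)

def classify(body: str) -> str:
    """Label one response body against the signature (hypothetical helper)."""
    if SIG.search(body):
        return "injected"   # raw tag present: a browser would run it
    if SIG.search(html.unescape(body)):
        return "escaped"    # entity-encoded copy: rendered as text, inert
    return "clean"          # includes pages that only discuss the attack

def tally(pages):
    """Return (matching pages, unique matching sites) for (url, body) pairs."""
    hits = [url for url, body in pages if classify(body) == "injected"]
    sites = {urlsplit(url).hostname for url in hits}
    return len(hits), len(sites)

# Constructed sample data; hosts use reserved .example names.
TAG = "<script src=http://malware.example/ur.php></script>"
PAGES = [
    ("http://shop.example/item?id=1", "<title>Widget" + TAG + "</title>"),
    ("http://shop.example/item?id=2", "<title>Gadget" + TAG + "</title>"),
    ("http://forum.example/t/9", "<p>" + html.escape(TAG) + "</p>"),
    ("http://news.example/story", "<p>Sites were injected with ur.php links</p>"),
]

if __name__ == "__main__":
    for url, body in PAGES:
        print(f"{classify(body):9} {url}")
    print("pages, sites =", tally(PAGES))
```

The literal `script` in the pattern is case-sensitive, so an upper-case `<SCRIPT ...>` variant of the tag is not matched by this expression.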

IPS customers are notified about new signatures via the Threat Defense Bulletin (TDB), which is sent out whenever a signature update is released, and can be viewed in the TDB archive on the Cisco Security Intelligence Operations portal.

For a broader explanation of SQL injection attacks in general, please see Understanding SQL Injection.
