SQL Injection: hundreds of thousands of sites affected?
April 4th, 2011 - 12:31 pm ET by J. G.
Through an automatic SQL injection attack, malicious links in hundreds of thousands of sites lead to a fake antivirus according to Websense.
Websense raised the alert, nicknaming this attack LizaMoon after the first domain name detected as redirecting internet users to a page which states that they are infected by malware. The message told the user that the machine was infected, and a fake antivirus solution was offered to clean the computer.
The LizaMoon attack was first seen on the 25th of March. On the 31st of March, Websense counted more than 500 000 pages containing a malicious script following an SQL injection. The number of sites infected has now become difficult to count, with Websense estimating that more than 1.5 million sites are infected based on information provided by the Google and Bing engines.
The code has been detected in Microsoft SQL databases, but this doesn't mean that a vulnerability exists in SQL Server: "the web application isn't filtering input from the user correctly".
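The quoted root cause, user input reaching the database as part of the SQL text, is easiest to see side by side with the fix. The following is an added illustration written for this page, not code from the article, from Websense, or from any of the affected sites; it uses Python's standard sqlite3 module and a constructed in-memory table, and the table, column and input values are all invented for the demo. The unsafe lookup concatenates the value into the query string, so a crafted value can change the query's logic; the safe lookup binds the value as a parameter, so the same input is treated as data and matches nothing.

```python
import sqlite3

# Constructed sample rows for the demo (not data from the article).
SAMPLE_ROWS = [
    (1, "alice", "Welcome to our site"),
    (2, "bob", "Latest news"),
]


def make_db():
    """Build a throwaway in-memory database with a small 'pages' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, author):
    # Vulnerable pattern: the request value is spliced straight into the SQL text,
    # so whatever the user sends becomes part of the statement the engine parses.
    sql = "SELECT id, author, body FROM pages WHERE author = '" + author + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, author):
    # Hardened pattern: the value is passed as a bound parameter. The SQL text is
    # fixed, and the driver hands the value to the engine as data only.
    sql = "SELECT id, author, body FROM pages WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


def demo():
    """Run both lookups with a normal value and a constructed tautology input."""
    conn = make_db()
    benign = "alice"
    crafted = "x' OR '1'='1"  # constructed input that turns the WHERE clause into 'always true'
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),    # 1 row, as intended
        "unsafe_crafted": len(lookup_unsafe(conn, crafted)),  # every row: the logic was changed
        "safe_benign": len(lookup_safe(conn, benign)),        # 1 row
        "safe_crafted": len(lookup_safe(conn, crafted)),      # 0 rows: no author has that literal name
    }


def lookup_with_apostrophe(conn):
    """Parameter binding also handles legitimate values that contain a quote."""
    try:
        lookup_unsafe(conn, "o'brien")
        unsafe_ok = True
    except sqlite3.OperationalError:
        # The concatenated query is now malformed SQL and fails.
        unsafe_ok = False
    safe_rows = lookup_safe(conn, "o'brien")  # valid query, simply no match
    return unsafe_ok, len(safe_rows)


if __name__ == "__main__":
    print(demo())
    print(lookup_with_apostrophe(make_db()))
```

The apostrophe case is worth keeping in mind when reviewing an application: a concatenated query that errors on ordinary names is the same defect that lets a crafted value rewrite the statement, and binding parameters (or using an ORM that does so) removes both symptoms at once. Escaping or "filtering" the input by hand is the fragile alternative the article's quote alludes to.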
Niels Provos, lead engineer at Google, is also rather critical of Websense's counting method; he is more interested in the number of infected URLs than in the number of infected sites, notably as found by a URL search on Google. The LizaMoon attack is not a new phenomenon in itself. Its origins date to September 2010, with a peak of 5600 infected sites in October. According to him, attacks by SQL injection have previously claimed a number of victims.
For other computer security researchers, the attack has claimed very few victims among internet users, as most of the domains used were closed very quickly after their creation.