'Lizamoon' continues to plague sites

Recent massive wave of Web site attacks using SQL injection not new, and Trojans still form an effective component of cybercriminals' malware weaponry, says security vendor.
Written by Tyler Thia, Contributor

Trojans are still an effective weapon in the malware armory of cybercriminals, with the latest SQL injection attacks affecting hundreds of thousands of URLs--dubbed Lizamoon--also attempting to trick users into downloading Trojans in the form of fake antivirus programs.

The attacks, which were detected last week, made use of five URLs injected via a PHP script into the compromised sites, according to Trend Micro. In a blog post last week, the security vendor highlighted that the five URLs all resolve to a single, malicious IP server that has been on its radar, and added the URLs have been "proactively blocked" since Mar. 25.

The modus operandi of these attacks is to redirect visitors to the compromised sites numerous times, finally leading to the download of a fake antivirus scan. Trend Micro, which classified the fake programs as TROJ_FAKEAV.BBK and TROJ_WORID.A, said "Lizamoon" was the name of the first domain to which victims were re-directed.

"Web compromises such as this one are not uncommon but do pose a great threat, especially if a particular Web site with high incoming traffic is among those compromised," J.M. Hipolito, who is part of Trend Micro's technical communications team, said in the blog post. Some of the affected sites were related to astronomy, clubs, hospitals, sports and electronics.

However, compromised Web sites previously inserted with a script leading to one of the blocked URLs, have been modified to connect to another, Hipolito added.

"It is possible that the cybercriminal behind this attack is updating the compromised sites with new URLs to connect to since the previous ones are already being blocked," he noted.

The number of compromised sites has snowballed from an initial 28, 000 reported by Websense. At the time of writing, a search on Google found over 2 million results with the same URL structure as in the initial attack.

While the motive of the Lizamoon attack remains unknown, cybercriminals who launch Trojan attacks still do it for financial gains, said Myla Pilao, director of core technology marketing at Trend Micro, who reiterated that they "go where the money is".

"Attacks which are common and proliferating are mostly attacks that take away money or information, under false pretenses," she explained in an e-mail interview. "Whether it is e-mail-, file- or Web-based they are mostly centered on money-stealing tactics."

Pilao added that while the Downadup or Conficker worm consistently comes up tops on malware charts, it is crucial to "remember that today's malware are targeted and intentional, like the info-stealing Trojans belonging to Zeus botnets".

Trend Micro said last week it "neutered" the Zeus botnet using the sinkholing method to gain control of the C&C server and "render it ineffective". That effort involved working with domain registrar CDmon, which the cybercriminals used to buy the botnet's domain name.

Sinkholing can be done to any malicious, phishing or spam site, not just the Command and Control (C&C) server which Trend Micro took control of, Pilao noted.

"The idea is to gain insight on the users affected by the attack because the HTTP traffic going to the sinkholed site is now visible to the researcher," she added.

"In a way, it is like taking down a malicious site, such that the Web site is not anymore serving malicious content."

As cyber attacks continue to gain strength, the security vendor warned midsize companies to increase vigilance as they will be targets in cyber-espionages this year. "The growth of targeted and localized attacks will continue against big name brands and critical infrastructure," Pilao stressed.

There is also an increasing use of stolen or legitimate digital certificates in malware attacks to avoid detection, as well as the huge growth in use of complex domain generation algorithms in advanced persistent threats and increase in Java-based attacks.

Alternative operating systems, programs and Web browsers may see a surge in exploits, while applications such as Adobe Flash will experience "tremendous growth" in attack incidents as a result of inherent vulnerabilities, Trend Micro cautioned.

Editorial standards