WebSense, which spotted the attack, asserts that Google search results show more than 1.5 million URLs have a link with the same URL structure as the initial attack and that more than 500,000 URLs have a script link to lizamoon.com.
LizaMoon is a large campaign meant to infect a large number of URLs at once, Darian Lewis, cyber security technical manager at Cyveillance, told TechNewsWorld.
Lizamoon.com is the first domain WebSense saw, on Tuesday, that had the script.
The so-called LizaMoon attack launches a traditional fake antivirus scam — you know, those scams that offer a free scan of your PC and then tell you it’s infected and urge you to pay some money and click on a link to download an antivirus (AV) software package.
The attack is still going on.
“My researchers are very heavily involved in digging more into this,” WebSense spokesperson Matthew Mors told TechNewsWorld.
Only about 40 percent of antivirus engines are able to detect the rogue AV software that’s downloaded in the attack, according to VirusTotal.
Computer users should take the usual safety precautions — patch their operating systems and security applications, be very careful when visiting websites, and avoid clicking on links in websites.
They should also avoid clicking on embedded links or opening attachments in their emails unless they can establish who sent them and that they know the sender.
LizaMooning the User
The rogue AV software the attack installs is called “Windows Stability Center,” WebSense says.
A free copy of the software is downloaded onto victims’ PCs. It then tells victims their PCs are infected and asks them to pay for the full version of the software in order to fix those problems.
This is a very traditional rogue AV scam, WebSense says.
Apparently five distinct URLs launching the attack have been discovered so far, Cyveillance’s Lewis said.
All of them point to “a small number of IP servers which are currently being watched very closely,” he added. They all appear to be in the Ukraine or Russia, Lewis stated.
Until the rogue AV package is fully analyzed, it won’t be known whether other sites are involved and in what capacity, Lewis disclosed.
Nothing New Under the AV Sun
This LizaMoon attack is several months old, Mary Landesman, senior security research at Cisco, told TechNewsWorld.
“A total of 47 malware domains have been observed during the seven months this attack has been going on,” Landesman said.
The LizaMoon domain was added to the malware list March 25, probably because a single high-profile website had been compromised, Landesman pointed out.
iTunes Escapes but Windows SQL Server Gets Dinged
So far, WebSense has received reports that Microsoft SQL Server 2003 and 2005 have been hit by the attack.
However, the flaw doesn’t lie in those platforms, WebSense said. It’s more likely that there are vulnerabilities in the Web systems used by the sites propagating the attacks, such as outdated content management systems and blog systems, WebSense surmises.
Several iTunes URLs may have been compromised, WebSense says. However, that hasn’t led to any computer infections because of the way iTunes works.
iTunes encodes the script tags, which means the scripts don’t execute on users’ computers, WebSense said.
Apple did not respond to requests for comment by press time.
Antivirus Vendors Caught Napping?
Only 17 out of 43 antivirus packages checked by the VirusTotal community detect the rogue AV package downloaded in the LizaMoon attack. That’s roughly 40 percent. Are antivirus vendors asleep on their feet? If so, why are consumers paying for protection?
Many antivirus engines are simply slow to respond to zero-day attacks, Cyveillance’s Lewis explained.
This could be due to several factors — the time needed for analysis, the generation of signatures and their distribution to clients, perhaps, Lewis suggested. Or it could be that AV vendors are bogged under a backlog of work.
“What is clear, though, is that, while AV is necessary, it is not sufficient protection against the newest attacks,” Lewis concluded.