Preemptive Protection against LizaMoon - Mass SQL Injection Attacks
| Field | Value |
|---|---|
| Check Point Reference: | CPAI-2011-212 |
| Date Published: | |
| Preemptive Since: | |
| Severity: | |
| Source: | IPS Research Center |
| Protection Provided by: | Security Gateway |
| Who is Vulnerable? | SQL Databases with Web-based front end |
Vulnerability Description

LizaMoon is a mass SQL injection attack in which a Web application vulnerability is exploited to inject malicious code into affected websites. A Web surfer who visits an infected site is redirected to an alternate website that tries to install rogue anti-malware software. This malicious code performs a fake scan of the system and reports a large number of detected malware threats. When the user clicks "Remove All" to eradicate the non-existent threats, the real malware is downloaded instead. The rogue AV software installed by LizaMoon is called Windows Stability Center.
Vulnerability Details

IPS is able to block both phases of the LizaMoon attack:

Propagation - LizaMoon propagation through Web servers can be blocked by activating the IPS SQL injection protection. IPS looks for SQL commands in forms and in URLs; if it finds them, the connection is rejected and a customizable web page can be displayed.

Client infection - The injection plants a redirection to a URL, which affects the client. The General HTTP Worm Catcher is able to block this attack through a simple configuration.
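As an added illustration of the two checks described above (this is not Check Point's IPS logic), the toy Python detector below flags SQL command fragments in URL query and form fields, and flags page content carrying a planted external script redirect. The keyword list, regexes, field names and sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Heuristic SQL command fragments that have no legitimate place in a URL or
# form field (assumed list for illustration, not a vendor signature set).
SQL_COMMAND_RE = re.compile(
    r"\b(declare\s+@|exec(ute)?\s*\(|cast\s*\(\s*0x|union\s+(all\s+)?select"
    r"|update\s+\w+\s+set|insert\s+into|drop\s+table)",
    re.IGNORECASE,
)
# A planted redirect: a <script> tag sourcing an external host (phase 2 artefact).
REDIRECT_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?https?://", re.IGNORECASE)


def _decode(value, rounds=3):
    """Undo repeated percent-encoding; injected payloads are often double-encoded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def sql_commands_in_request(url, form_body=""):
    """Phase 1 (propagation): names of query/form fields that carry SQL commands."""
    fields = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    fields += parse_qsl(form_body, keep_blank_values=True)
    return [name for name, value in fields if SQL_COMMAND_RE.search(_decode(value))]


def injected_redirect_in_response(html):
    """Phase 2 (client infection): True if the page carries a planted script redirect."""
    return REDIRECT_RE.search(html) is not None


if __name__ == "__main__":
    # Constructed samples; example.test / example.invalid are reserved placeholder names.
    requests = [
        ("http://example.test/news.asp?id=42", ""),
        ("http://example.test/news.asp?id=42%3BDECLARE%20%40t%20varchar(255)", ""),
        ("http://example.test/login.asp", "user=bob&comment=1%2527%20union%20select%201"),
    ]
    for url, body in requests:
        hits = sql_commands_in_request(url, body)
        print("REJECT" if hits else "allow", url, hits)
    page = '<p>news</p><script src="http://example.invalid/ur.php"></script>'
    print("infected page" if injected_redirect_in_response(page) else "clean page")
```

A real gateway would also normalise other encodings (Unicode, hex CAST blobs) before matching; this block only shows the shape of the check.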
Protection Overview
The protections will detect and block the propagation and client infection of the LizaMoon attack. Check Point users have been protected against this type of attack since July 2004: CPSA-2004-02. No update is required to address this issue.
To configure the defense, select your product from the list below and follow the related protection steps.