Check Point Provides Preemptive Protection Against "LizaMoon" SQL Injection Attacks
Summary
An SQL code injection attack known as LizaMoon has infected over a million websites as of the end of March 2011. It attempts to convince a user to install malware that is disguised as a virus remover.
Details
The LizaMoon SQL injection attack exploits a vulnerability in an SQL-based web application to inject malicious code into targeted websites. A user who visits an infected site is redirected to an alternate website that simulates a scan of the system and then reports that it has detected a large number of malware infections. By clicking "Remove All", which supposedly eradicates the non-existent threats, the user allows the download of malware disguised as a virus remover. Ironically, the rogue software that is installed by LizaMoon is called "Windows Stability Center".
Affected Products
Any SQL database installation with a web-based front end is susceptible to this vulnerability.
Solution
Check Point IPS Software Blade has provided preemptive network protection against this vulnerability since 2004 by detecting and blocking the propagation of the LizaMoon attack and preventing client infection. For more information, see CPAI-2011-212.
Originally Published:
Last Updated: 12-Apr-2011