Check Point Advisories

Preemptive Protection against LizaMoon - Mass SQL Injection Attacks

Check Point Reference: CPAI-2011-212
Date Published: 5 Apr 2011
Severity: Critical
Last Updated: Saturday 01 January, 2011
Source: IPS Research Center
Protection Provided by:
Who is Vulnerable? SQL Databases with Web-based front end
Vulnerability Description: LizaMoon is a mass SQL injection attack in which a Web application vulnerability is exploited to inject malicious code into affected websites. A user who visits an infected site is redirected to another website that tries to install rogue anti-malware software. The malicious code performs a fake scan of the system and reports a large number of detected malware threats. By clicking "Remove All" to eradicate the non-existent threats, the user actually downloads the real malware. The rogue AV software installed by LizaMoon is called Windows Stability Center.
Vulnerability Details: IPS is able to block the two phases of the LizaMoon attack:

Propagation - The LizaMoon propagation through Web servers can be blocked by activating the IPS SQL injection protection. IPS looks for SQL commands in forms and in URLs. If it finds them, the connection is rejected and a customizable web page can be displayed.

Client infection - The injection plants a redirection to a URL which affects the client. The General HTTP Worm Catcher is able to block this attack through a simple configuration.
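
The propagation-phase check described above (look for SQL commands in URL parameters and form fields, reject the connection on a match) can be sketched as follows. This is an added illustration, not Check Point's IPS logic; the keyword patterns, function names and sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumed, deliberately coarse keyword patterns (not a vendor signature set).
# Benign text such as "select one from the list" would also match.
SQL_RE = re.compile(
    r"\bunion\s+(?:all\s+)?select\b|\bselect\b.+?\bfrom\b|\binsert\s+into\b"
    r"|\bupdate\s+\w+\s+set\b|\bdelete\s+from\b|\bdrop\s+table\b"
    r"|\bexec(?:ute)?\s*\(|\bdeclare\s+@\w+",
    re.I | re.S,
)

def normalize(value, max_rounds=3):
    """Undo repeated URL-encoding, then replace /* */ comments with a space."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return re.sub(r"/\*.*?\*/", " ", value, flags=re.S)

def inspect_request(url, form_body=""):
    """Return (location, parameter, matched text) for each suspicious field."""
    findings = []
    for where, raw in (("url", urlsplit(url).query), ("form", form_body)):
        for name, value in parse_qsl(raw, keep_blank_values=True):
            match = SQL_RE.search(normalize(value))
            if match:
                findings.append((where, name, match.group(0)))
    return findings

def verdict(url, form_body=""):
    """Mirror the advisory's behaviour: any finding rejects the connection."""
    return "reject" if inspect_request(url, form_body) else "accept"

# Constructed sample requests: (URL, urlencoded form body).
SAMPLES = [
    ("/catalog.asp?id=42&sort=name", ""),
    ("/catalog.asp?id=42%3Bupdate+products+set+title%3D1", ""),
    ("/search.asp?q=1%2520union%2520select%2520name%2520from%2520users", ""),
    ("/feedback.asp", "comment=nice+selection+from+the+union+shop"),
    ("/feedback.asp", "comment=x'%3B+drop/**/table+orders"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(verdict(url, body), url, body, inspect_request(url, body))
```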

Protection Overview
