Alas, the news was published on April 1st. But it is not a joke.
Curious, I spent a bit of time today researching it (when I really was supposed to be doing other things), and while the “lizamoon” URL is down, there are still a number of other URLs active on this one.
Without a lot of effort, I found infections using other URLs, which include:
t6ryt56.info/ur.php
tadygus.com/ur.php
milapop.com/ur.ph
books-loader.info/ur.php
(These are all malicious, so obviously don’t go to them unless you know what you’re doing, etc.)
However, I doubt the infection is as massive as is being stated. For unique sites, perhaps a few thousand. More pages than that, but in terms of unique domains, not a million, as might have been inferred from articles.
What’s curious is I found something else that was interesting — encoded View State with malicious URLs injected into the site.
For example, here’s a screenshot of an example encoded View State that I found on one of the injected sites.
First, an infected page (with VIPRE yelling away that there’s a problem in the corner — sorry, can’t help the shameless self-promotion).

So let’s take a look at the page source:

Yuck! What’s all that? It’s encoded View State.
So we go to a handy-dandy decoder, paste the offending text, do a little “where’s Waldo” and there you have it:

How cool is that?
And yes, that is really painfully sloppy stuff.
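The decode-and-search step described above can be scripted. The following is an added example, not code from the original post: it assumes the View State is unencrypted base64, and the sample page, the `example.invalid` domain and the function names are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample: a hidden __VIEWSTATE field whose decoded bytes carry an
# injected script tag. example.invalid is a placeholder, not a domain from the post.
_DECODED = (b"\xff\x01\x0f\x05\x09Widget</title>"
            b"<script src=http://example.invalid/ur.php></script>\x16\x02")
SAMPLE_HTML = ('<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="'
               + base64.b64encode(_DECODED).decode() + '" />')

VIEWSTATE_RE = re.compile(r'name="__VIEWSTATE"[^>]*?value="([^"]*)"', re.I)
# Matches quoted and unquoted src attributes inside the decoded bytes.
SCRIPT_SRC_RE = re.compile(rb'<script[^>]*?src\s*=\s*["\']?([^"\'\s>]+)', re.I)

def extract_viewstate(html):
    """Return the decoded bytes of every base64 __VIEWSTATE field in the page."""
    blobs = []
    for value in VIEWSTATE_RE.findall(html):
        try:
            blobs.append(base64.b64decode(value, validate=True))
        except ValueError:
            continue  # malformed field: nothing to scan
    return blobs

def injected_scripts(html, allowed_hosts=()):
    """List script URLs found inside View State whose host is not allow-listed."""
    hits = []
    for blob in extract_viewstate(html):
        for raw in SCRIPT_SRC_RE.findall(blob):
            url = raw.decode("latin-1")
            host = urlparse(url).hostname or ""
            if host not in allowed_hosts:
                hits.append(url)
    return hits

if __name__ == "__main__":
    for url in injected_scripts(SAMPLE_HTML):
        print("script reference inside View State:", url)
```

Run over saved page source, this reports script references that live only inside the encoded View State, which a plain-text search of the HTML would miss.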
Alex Eckelberry
(Obligatory hat tip to Jose)