The world was rocked today by LizaMoon–a SQL injection attack which has compromised well over one million Websites. No need to panic, though. A little information and common sense are all you need to make sure that LizaMoon is nothing more than a minor annoyance.
LizaMoon is a SQL injection attack that inserts malicious code on otherwise legitimate sites. However, don’t let the fact that it is called SQL injection cause you to jump to the conclusion that there is a flaw in Microsoft SQL Server.
An FAQ from Websense–the security firm credited with the initial discovery of LizaMoon–explains, “Everything points to that this is a vulnerability in a web application. We don’t know which one(s) yet but SQL Injection attacks work by issuing SQL commands in un-sanitized input to the server. That doesn’t mean it’s a vulnerability in the SQL Server itself, it means that the Web application isn’t filtering input from the user correctly.”
Dave Marcus, Director of Security Research and Communications for McAfee Labs, commented, “This type of threat vector is common and actually happens all the time. However, it’s not always on this scale. There are many tools that exist currently that do this in an automated fashion.”
How Did It Happen?
As the Websense FAQ states, SQL injection is an attack that inserts malicious code into the database server by passing it through a vulnerable Web application. The Web application should have filters in place to filter and sanitize data to prevent rogue commands from passing through, but–as LizaMoon makes glaringly apparent–not all do.
There is little that Web admins can do to prevent SQL injection attacks. Amol Sarwate, Vulnerabilities Lab Manager at Qualys, told me, “Mitigating SQL injection at the Web admin level is tricky. If Web application firewalls (WAF) are used correctly, they can avoid bad code from being injected in the database. Administrators can use a Web application scanner (WAS) to determine if their Website is prone to such attacks. But, to fix the root cause the underlying source code needs to be modified.”
Essentially, there are tools that Web admins could use to scan for weaknesses in Web applications, or to provide an extra layer of protection to do the filtering and sanitizing of SQL commands before they get to the Web application, but the real solution is for the Web application to be secure and to prevent rogue SQL commands without requiring additional third-party tools.
Will LizaMoon Impact Me?
No. It shouldn’t. The malicious code injected by LizaMoon redirects visitors from the compromised intended destination to an alternate site pushing rogue antimalware protection. You will see a pop-up warning that your PC is infected. Click OK, and the malicious code performs a fake scan of your system indicating a number of detected malware threats. If you click “Remove All” to eradicate the non-existent threats, you will instead download the real malware–the rogue AV software.
There is no reason that any user should ever fall for a rogue AV scam. You should know whether or not you have AV software installed. If you do, you should be familiar enough with it to recognize what the alert messages and system scan look like. More importantly, when the malware gets to the point where it requires payment to download the full version of the rogue AV alarm bells should be going off in your head.
If you don’t have any AV software installed, then all you have to do is stop at step one and ask yourself, “if I don’t have any AV software installed, how did I just get a warning message indicating my PC might be compromised, and how is my PC running a malware scan?” If that question doesn’t occur to you, or you rationalize your way past step one, when you get to step 2 and the malware requests payment to download the rogue AV solution to “fix” your PC, you should ask yourself, “if my PC has software that was able to detect the threat, then scan for and identify the malware on my system, why do I now have to pay to download something else to fix it?”
Qualys’ Sarwate sums up this simple common sense thusly: “Users should make themselves aware of the AV running on their system and educate themselves so that they do not fall in trap of rogue AV or other fake applications.”