Check Point Reference: | CPAI-2011-212 |
Date Published: | 5 Apr 2011 |
Severity: | Critical |
Last Updated: | Saturday 01 January, 2011 |
Source: | IPS Research Center |
Protection Provided by: | |
Who is Vulnerable? | SQL Databases with Web-based front end |
Vulnerability Description | LizaMoon is a mass SQL injection attack in which a Web application vulnerability is exploited to inject malicious code into affected websites. A user who visits an infected site is redirected to another website that tries to install rogue anti-malware software. This malicious code performs a fake scan of the system and reports a large number of detected malware threats. By clicking "Remove All" to eradicate the non-existent threats, the user actually downloads the real malware. The rogue AV software installed by LizaMoon is called Windows Stability Center. |
Vulnerability Details | IPS is able to block both phases of the LizaMoon attack. Propagation: LizaMoon's propagation through Web servers can be blocked by activating the IPS SQL injection protection. IPS looks for SQL commands in forms and in URLs; if it finds them, the connection is rejected and a customizable web page can be displayed. Client infection: the injection plants a redirection to a URL that affects the client. The General HTTP Worm Catcher is able to block this attack through a simple configuration. |
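
The propagation-phase check described above (look for SQL commands in URL and form parameters, reject the connection on a match), sketched as an added example. It is not Check Point's IPS logic; the pattern set, function names and sample requests are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumed, deliberately small pattern set; not Check Point's signatures.
SQL_PATTERNS = [
    re.compile(r"\b(?:union\s+(?:all\s+)?select|select\s+.+\s+from|insert\s+into"
               r"|update\s+\w+\s+set|delete\s+from|drop\s+table)\b", re.I | re.S),
    re.compile(r"\b(?:exec(?:ute)?\s*\(|declare\s+@\w+|cast\s*\(.+\s+as\s+\w+)",
               re.I | re.S),
    re.compile(r";\s*(?:update|insert|delete|drop|exec|declare)\b", re.I),
]

def fully_decode(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded input is normalised first."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(url, form_body=""):
    """Return (location, parameter) pairs whose value contains SQL commands."""
    fields = [("url", n, v) for n, v in
              parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    fields += [("form", n, v) for n, v in
               parse_qsl(form_body, keep_blank_values=True)]
    return [(loc, name) for loc, name, value in fields
            if any(p.search(fully_decode(value)) for p in SQL_PATTERNS)]

def verdict(url, form_body=""):
    """Mirror the advisory's behaviour: reject the connection on any hit."""
    return "reject" if inspect_request(url, form_body) else "allow"

# Constructed sample requests (not taken from real traffic).
BENIGN_URL = "/news.asp?id=42&title=select+your+plan"
INJECTED_URL = "/news.asp?id=42%3Bupdate+articles+set+body%3D%27x%27"
ENCODED_FORM = "comment=hello&name=x%2527%253B%2520drop%2520table%2520t"

if __name__ == "__main__":
    print(verdict(BENIGN_URL))
    print(inspect_request(INJECTED_URL))
    print(inspect_request("/post.asp", ENCODED_FORM))
```

The benign sample contains the word "select" and is still allowed, while the double-encoded form field is caught only because values are decoded until stable before matching.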