James Delahunty
2 Apr 2011 2:20
Hundreds of thousands of websites have been hit by a code-injection attack that targets a problem in a web application that has not yet been identified.
Websense has dubbed the widespread attack "LizaMoon" after the website its researchers were initially directed to by the malicious code. The attack seems to have largely affected small websites so far, with no reports of major corporate or government websites showing signs of being compromised.
Users visiting any hacked site are redirected to a prompt showing a bogus security warning, and may end up downloading "Windows Stability Center", a scareware application that provides fake scans and results on an infected system and gives the user a chance to buy a license to remove the fake threats.
Websense was contacted by people who found the code in their Microsoft SQL databases, running on SQL Server 2000, 2005 and 2008. This does not mean there is a vulnerability in Microsoft SQL Server, Websense Security Labs stressed, but instead points the finger at a web application that is still unknown.
Mass code-injection attacks are not uncommon, but researchers are already calling this the largest of its kind. It is not likely to go away quickly either, as compromised sites will have to remove the malicious code and then update the vulnerable web application, once a fix for it exists.
Websense Security Labs posted the following video, which shows what happens to a system that is used to access a hacked URL.