LizaMoon Attack : SQL injection attack
LiquidLayer
LizaMoon Attack Shines Light on Importance of Web App Security

Monday, April 4th, 2011
Posted by: Oliver Wai, product marketing manager

The recent massive SQL injection attack dubbed LizaMoon clearly demonstrates the ongoing need to improve Web application security. Organizations have been diligent in protecting network infrastructure, email and laptops but have not put much thought into securing their Web servers. This is unfortunate as businesses are increasingly reliant on their Web presence; therefore the consequences of a Web site being compromised become much more serious.

A site compromised by the LizaMoon attack sends visitors to a malware distribution site. This may cause the site owner to lose business or readership and, more importantly, it may damage the reputation of the business. Visitors and customers are much less likely to do business with companies that appear unable to protect their Web properties as it could mean that customers or visitors to the site could be compromised as well.

Most Web site owners rely solely on their network firewalls as the primary line of defense; however, most firewalls cannot inspect Web traffic for possible attacks. If their Web site is hosted, they rely on their hosting providers to provide the right protections; however, hosting providers may not deploy Web application technologies to protect client Web sites. Furthermore, since Web servers sit in the DMZ and network firewalls must open ports 80 and 443 for Web traffic, it is not always a question of “if” but rather a question of “when” a Web site owner or hosting provider might suffer a massive attack on its Web servers.

Putting It All Together…

The LizaMoon attack was not unique in its mechanism. However, it was new in its mashup of different techniques to create a new form of attack. We’ve seen many of the elements of the attack before:

SQL Injections are not new, yet they are still effective because programmers often fail to follow proper coding guidelines to protect Web sites from these attacks. Barracuda Web Application Firewalls have been defending Web sites from SQL Injections for more than a decade.

Rogue AV is a common technique that is often discussed on the Barracuda Labs blog. The LizaMoon attack directed Web browsers to sites that display messages attempting to persuade Web surfers to purchase and download expensive “antivirus” programs that actually do nothing.

Botnets were likely also used in the distribution of the LizaMoon threat since most attacks of this scale act quickly and efficiently to inject malware into vulnerable Web servers worldwide. Botnets have been around for quite some time but have mostly been involved with spam and credit card thefts.

What is new about LizaMoon is the massively coordinated attack on Web servers worldwide to inject malware into the compromised servers. Moreover, the interconnectedness of content via RSS then spreads compromised content to places such as iTunes or other readers that users inherently trust, thereby increasing the probability that an unsuspecting user would believe in the Rogue AV scam. By compromising a number of Web servers all at once, the attackers have succeeded in casting a wider net that touches more applications than ever before.

A Vision of the Future?

Earlier this year, our Barracuda Labs team published its annual 2010 Annual Security Report, which indicated a substantial decline of overall spam traffic during the second half of 2010. Due to the widespread adoption of anti-spam security technology (such as the Barracuda Spam and Virus Firewall) and improved user awareness against such schemes, it is increasingly more economical for scammers to focus efforts on other attack vectors such as the Web, social networking and search engine results.

While the recent LizaMoon SQL Injections have been traced to a few specific types of database systems, they could have easily been modified to target other major platforms. All it takes are a few minor syntactical tweaks to repurpose LizaMoon to target other Web sites with different database systems. Most importantly, as with any successful and highly publicized attack, it is a strong signal to other would-be hackers about the general weakness of Web applications and Web sites. Until Web application firewalls or other Web security technologies become commonplace, these types of attacks may become more common.


