Mass injection attack hits a million websites

Posted by Emma Woollacott

More than a million URLs have been compromised by a cyberattack that's suddenly ramped up in the last 24 hours to become one of the biggest mass-injection attacks ever seen.

The Trojan, dubbed Lizamoon, redirects Web surfers to a fake antivirus website via malicious JavaScript code injected into web pages.

Discovered two days ago, it's escalated rapidly. Around half the victims appear to be located in the US.

A number of iTunes pages appear to be affected, although the way these pages are set up prevents the code from automatically executing on users' computers.

Now, security firm Websense says its detected a number of other injected URLs on top of the original Lizamoon, meaning the attack is even bigger than first thought - there's a full list, here.

"The Rogue AV software that is installed is called Windows Stability Center, and the file that is downloaded is currently detected by 13/43 anti-virus engines, according to VirusTotal," says Websense.

"The software then displays a warning that there are lots of problems on your PC. To fix them you have to pay for the full version of the application. Very traditional rogue AV scam."

The affected sites appear to be using Microsoft Server 2003 and 2005; probably not because of a vulnerability in SQL Server itself, says Websense, but because of weaknesses in the content management systems the sites are using.