HUGE LizaMoon SQL injection: Windows Stability Center Trojan (no fooling)

Windows Stability Center scareware
By Richi Jennings. April 1, 2011.

Updated: Literally millions of URLs have been infected with a rampant SQL injection attack. The LizaMoon Windows Stability Center fake anti-virus has even infected the iTunes Music Store... kinda-sorta. In IT Blogwatch, bloggers make like Chicken Licken.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention Angry Nerds: Best April Fools I've seen so far...

Websense's Patrik Runald claims to have spotted it first:

The LizaMoon mass-injection is a SQL injection attack that inserts the following line into the code of the page:

<script src=hxxp://></script> ... This includes several iTunes URLs. ... The good thing is that iTunes encodes the script tags, which means that the script doesn't execute. ... Good job, Apple.


The script contained simple JavaScript code that redirected the user to a ... Rogue AV site. ... The number of the compromised URLs is still increasing ... more domains started to be involved except for ... A Google Search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack.


The Rogue AV software that is installed is called Windows Stability Center. ... [It] displays a warning that there are lots of problems on your PC. ... Very traditional rogue AV scam.

John Leyden is shocked. Shocked, I tell you:

The so-called LizaMoon mass-injection attack uses SQL injection trickery to inject a line of malicious code into compromised pages ... as part of an ambitious attack ... designed to redirect surfers to a site pimping rogue anti-virus packages.


[It] counts as among the most widespread mass-injection attacks on record.

Peter Bright explains:

SQL injection attacks ... exploit badly-written Web applications to directly perform actions against databases. ... The underlying cause is a programmer trusting [user] input ... and passing this input directly into the database. ... The database will run code of the attacker's choosing.


SQL injections following this pattern appear to have been happening ... for six or more months. ... The file name—ur.php—and the style of injection remain consistent. ... Previous efforts were on a much smaller scale, however. ... The attacks originated from IP addresses in eastern Europe and Russia.
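Peter Bright's description above, turned into an added example that is not from the page nor from any of the quoted authors: a search query built by string concatenation, a constructed stacked-statement payload that appends a script tag to every row of a text column (an approximation; the real campaign's statement is not reproduced here), the parameterized query that defeats it, and the output-encoding step Runald credits iTunes with. It runs on Python's sqlite3 module; the table and column names, the sample rows and the placeholder script URL are all assumptions, and executescript stands in for a database driver that accepts several ';'-separated statements in one call.

```python
"""Added example: SQL injection storing a <script> tag in page content, and two
defences. Uses an in-memory SQLite database with constructed rows; the table,
columns, placeholder URL and payload are assumptions, not the real campaign's."""
import html
import sqlite3

# Placeholder for the script URL the page does not reproduce (assumption).
SCRIPT_TAG = "<script src=hxxp://example.invalid/ur.php></script>"

# Constructed stacked-statement payload: closes the string literal the search
# term lands in, appends the tag to every row's body, then opens a harmless
# SELECT so the template's own closing quote still parses.
PAYLOAD = "'; UPDATE articles SET body = body || '" + SCRIPT_TAG + "'; SELECT '"


def make_db():
    """Fresh database with two constructed sample articles (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO articles (title, body) VALUES (?, ?)",
                   [("Hello", "first post"), ("News", "second post")])
    db.commit()
    return db


def search_vulnerable(db, term):
    """Vulnerable: the term is spliced into the statement text. executescript
    stands in for a driver that runs several ';'-separated statements in one
    call, which is what lets the attacker's UPDATE ride along with the SELECT."""
    sql = "SELECT id FROM articles WHERE title = '" + term + "';"
    db.executescript(sql)


def search_safe(db, term):
    """Parameterized: the term is bound as data and never parsed as SQL, so the
    payload is just a title that matches nothing."""
    return db.execute("SELECT id FROM articles WHERE title = ?", (term,)).fetchall()


def rows_with_script(db):
    """How many rows now carry a script tag in their body."""
    return db.execute(
        "SELECT COUNT(*) FROM articles WHERE body LIKE '%<script%'").fetchone()[0]


def render_unescaped(body):
    """Template that trusts stored content: an injected tag reaches the browser intact."""
    return "<p>" + body + "</p>"


def render_escaped(body):
    """Template that encodes stored content on output, as the page says iTunes did:
    the browser shows the tag as text and never executes it."""
    return "<p>" + html.escape(body) + "</p>"


def demo():
    """Run both code paths against the same payload and report what happened."""
    vuln = make_db()
    search_vulnerable(vuln, PAYLOAD)
    safe = make_db()
    search_safe(safe, PAYLOAD)
    body = vuln.execute("SELECT body FROM articles WHERE id = 1").fetchone()[0]
    return {
        "rows_poisoned_vulnerable": rows_with_script(vuln),
        "rows_poisoned_safe": rows_with_script(safe),
        "unescaped_html": render_unescaped(body),
        "escaped_html": render_escaped(body),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key + ":", value)
```

Two separate controls are at work: binding parameters stops the payload from ever being parsed as SQL, and encoding on output means that even content poisoned by some other path is displayed rather than executed. Relying on only the second, as the iTunes case shows, leaves the database polluted even when the script never runs.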

It's nice to see Dancho Danchev back blogging:

What's particularly interesting about this campaign, is ... that the used domains are all responding to the same IPs. ... (AS3721); (AS51786); (AS50244).


The scareware domains have been registered using automatically registered email accounts at Gmail, as a precaution in an attempt to make it harder to expose the campaign by using a single email only.

But Chris Nerney grumbles about the date:

This really had better not be an April Fool's prank or I'm not going to be happy. ... It's the stupidest day of the year, so we should all be on guard.


The bottom line for users ... is that if they visit one of the sites injected ... they get a scary warning about huge problems on their PC. Fortunately, all that goes away if the ... user pays for a full version of Windows Stability Center! So you've been warned.

Meanwhile, the enigmatic rfirth also waxes topical:

Unfortunately, this isn't an April Fools day joke. It's real.

And Finally...

Angry Nerds: Best April Fools I've seen so far

(add your favorites in the comments below)

Richi Jennings, your humble blogwatcher
Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email: