Tuesday 10 January 2012

Li1up0phi1up0p

Just Don't Go There

I've numfuscated the name of this domain, just to try to ensure that you won't end up going there accidentally. But Li1up0phi1up0p reached a significant milestone last week. In an ecosystem of low to medium spread, low to medium profile SQL Injection attacks, many quite serious and mitigated only by these low numbers, this one has over the span of six or more weeks, achieved in excess of one million infected URLs. I've been watching it grow...

Mark Hofman of Shearwater reported on December 1 last year, several websites becoming infected with a SQL Injection script containing the string

"></title> < script src="hXXp://Li1up0phi1up0p.com/sl.php"> < /script>

(or, as I said, something quite like it :-). Checking Google, he found the number of infections at that time to be about 80, covering all versions of MSSQL. Next day, similar checks revealed about 200 infections in the morning, a thousand by lunchtime, and over four thousand that afternoon. One week and 160,000 infected websites into the event, it had become clear the attack was spreading rapidly via several and various automated sources. The most affected single region was .uk, followed by .de and then .com.

Mark's log at the SANS Internet Storm Center blog ISC Diary contains details of database "probing" occurring some time prior to the actual commencement of the attack, and some detailed information about its motive (it's attached to a fake AV scam), while at Kaspersky's ThreatPost, Dennis Fisher reveals something of its modus operandi as it works through various IIS, ASP and Microsoft SQL Server vulnerabilities.

A very similar attack with the moniker lizamoon also achieved a million infections earlier in 2011.

No comments:

Post a Comment