Security Experts:

Shining a Spotlight on LizaMoon

Virtual Patching Takes the Pain out of Defending against SQL injection Attacks Like LizaMoon

A recently identified SQL injection attack called LizaMoon affected thousands of databases over the course of the past several months. iTunes and other prominent sites were hit. LizaMoon didn’t do anything terrible. Nonetheless, it scared the $%*@ out of IT security people everywhere. Why? Because to this day LizaMoon still isn’t detected by most anti-virus engines, and because it spread undeterred for so long. LizaMoon uses a mass SQL injection attack technique that inserts Javascript and IFrames into the pages of legitimate websites, redirecting unsuspecting PC users to a website promoting fake antivirus software. If you’re adventurous (or foolish) enough to go along for the ride, LizaMoon runs a bogus security-scan and virus-cleanup tools on your PC—all fake. You are then provided with the “opportunity” to clean up your seemingly hopelessly infected PC by—surprise!—providing your credit card number so you can buy a phony AV solution.

LizaMoon SQL Injection AttackLizaMoon isn’t particularly malicious or successful because of its bush league antics. The AV scan is too fast and clearly fake, and there are mis-spellings and lame graphics throughout the redirect process. Besides, it gives users at least four different opportunities to bail out before getting their PCs infected and getting hit up for money.

But LizaMoon has embarrassed a lot of reputable companies whose web servers spread the malware. What’s more, it makes you wonder: What happens when a more professional and targeted SQL injection comes down the wire? It’s a good question because there are criminal syndicates the world over who are learning from the likes of LizaMoon. Future SQL injection attacks won’t be as amateurish in their design or execution.

The good news is that even sophisticated SQL injection attacks can be thwarted by patching and deploying the right database security solution. However, the problem is that applying DBMS security patches can be painful—requiring extensive testing and downtime, and often resulting in business disruption.

In some cases, patching is darn near impossible because, in many enterprise environments today, databases are synonymous with the business itself. And the business has to be open on a 24 x 7 x 365-day basis. Equally daunting, most IT shops are running customized applications for which patches aren’t readily available. And, of course, there are many DBMS versions that are still providing value day in and day out but, like Oracle8i, they are no longer supported by the vendor.

Even in the best-case scenario, in which in-house developers and database or application vendors respond promptly with patches, it may be days or weeks before there is a block of time sufficient for applying patches without unduly disrupting business operations.

So, what’s a responsible IT security manager to do? Virtual patching. It’s an essential first line of defense against SQL injection attacks. And it protects against known and zero-day vulnerabilities until you can patch.

Virtual patching utilizes a real-time database monitoring component that continuously scans for unauthorized changes in databases and applications. Monitoring is based on generic virtual patching rules. So, for example, a rule that detects attempts to inject code into SQL Server would catch LizaMoon’s SQL query, even though it has been obfuscated.

It’s important to note that not all database monitoring solutions provide protection for general attacks. Also, solutions that rely on monitoring SQL traffic will typically miss encrypted, encoded or otherwise obfuscated attacks.

If LizaMoon has taught us anything, it’s that you have to look at security from all angles and protect your databases accordingly. Whether cybercriminals are dumb or brilliant, you have to defend against all of them. And that requires deploying smart, comprehensive solutions.

Subscribe to the SecurityWeek Email Briefing
view counter
Eric Schou is a Group Product Marketing Manager at McAfee. He is currently a part of the Security Management Group. Before joining McAfee, Schou spent more than 15 years in the security and storage industry.
view counter