Connect with us

Hi, what are you looking for?



Shining a Spotlight on LizaMoon

Virtual Patching Takes the Pain out of Defending against SQL injection Attacks Like LizaMoon

Virtual Patching Takes the Pain out of Defending against SQL injection Attacks Like LizaMoon

A recently identified SQL injection attack called LizaMoon affected thousands of databases over the course of the past several months. iTunes and other prominent sites were hit. LizaMoon didn’t do anything terrible. Nonetheless, it scared the $%*@ out of IT security people everywhere. Why? Because to this day LizaMoon still isn’t detected by most anti-virus engines, and because it spread undeterred for so long. LizaMoon uses a mass SQL injection attack technique that inserts Javascript and IFrames into the pages of legitimate websites, redirecting unsuspecting PC users to a website promoting fake antivirus software. If you’re adventurous (or foolish) enough to go along for the ride, LizaMoon runs a bogus security-scan and virus-cleanup tools on your PC—all fake. You are then provided with the “opportunity” to clean up your seemingly hopelessly infected PC by—surprise!—providing your credit card number so you can buy a phony AV solution.

LizaMoon SQL Injection AttackLizaMoon isn’t particularly malicious or successful because of its bush league antics. The AV scan is too fast and clearly fake, and there are mis-spellings and lame graphics throughout the redirect process. Besides, it gives users at least four different opportunities to bail out before getting their PCs infected and getting hit up for money.

But LizaMoon has embarrassed a lot of reputable companies whose web servers spread the malware. What’s more, it makes you wonder: What happens when a more professional and targeted SQL injection comes down the wire? It’s a good question because there are criminal syndicates the world over who are learning from the likes of LizaMoon. Future SQL injection attacks won’t be as amateurish in their design or execution.

The good news is that even sophisticated SQL injection attacks can be thwarted by patching and deploying the right database security solution. However, the problem is that applying DBMS security patches can be painful—requiring extensive testing and downtime, and often resulting in business disruption.

In some cases, patching is darn near impossible because, in many enterprise environments today, databases are synonymous with the business itself. And the business has to be open on a 24 x 7 x 365-day basis. Equally daunting, most IT shops are running customized applications for which patches aren’t readily available. And, of course, there are many DBMS versions that are still providing value day in and day out but, like Oracle8i, they are no longer supported by the vendor.

Even in the best-case scenario, in which in-house developers and database or application vendors respond promptly with patches, it may be days or weeks before there is a block of time sufficient for applying patches without unduly disrupting business operations.

So, what’s a responsible IT security manager to do? Virtual patching. It’s an essential first line of defense against SQL injection attacks. And it protects against known and zero-day vulnerabilities until you can patch.

Advertisement. Scroll to continue reading.

Virtual patching utilizes a real-time database monitoring component that continuously scans for unauthorized changes in databases and applications. Monitoring is based on generic virtual patching rules. So, for example, a rule that detects attempts to inject code into SQL Server would catch LizaMoon’s SQL query, even though it has been obfuscated.

It’s important to note that not all database monitoring solutions provide protection for general attacks. Also, solutions that rely on monitoring SQL traffic will typically miss encrypted, encoded or otherwise obfuscated attacks.

If LizaMoon has taught us anything, it’s that you have to look at security from all angles and protect your databases accordingly. Whether cybercriminals are dumb or brilliant, you have to defend against all of them. And that requires deploying smart, comprehensive solutions.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.