From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

LizaMoon is a piece of malware that infected thousands of websites beginning in September, 2010. It is an SQL injection attack that spreads scareware encouraging users to install needless and rogue "anti-virus software".[1] Although it does not use new infection techniques, it was initially thought to be notable based on the scale and speed at which it spread, and that it affected some of Apple's iTunes service. LizaMoon was initially reported to the general public by Websense Security Lab.[2]


Initial press statements[which?] reported the infection of hundreds of thousands or of millions of sites were infected. McAfee estimated approximately 1.5 million hosts affected between March and April 2011. However, subsequent research has shown a much lower infection rate. Although initial estimates for the infection based on Google search data were thought[by whom?] to show hundreds of thousands of infected sites, the true number appears to only be in the thousands: according to Niels Provos, a security researcher at Google, Google's safe browsing database indicates the LizaMoon attacks began around September 2010 and peaked in October 2010, with approximately 5600 infected sites.[3] Cisco researcher Mary Landesman has confirmed that the infection rate appears quite low.[4]

How the web sites spreading the infection were attacked remains a mystery. However, hackers may inject vulnerable and popular websites with malicious code in order to spread the infection once users visit these sites. Users should never permit installs of software of unknown provenance from the Internet under any circumstances – those that follow this policy cannot be infected by LizaMoon. These types of malware, known as rogue antivirus software, come under different names and logos such as "XP Security 2011", "Malware Scanner" or similar. After the initial installation, the software runs a fake scan showing non-existing malware on the system and in many cases requires the user to pay in order to remove the alleged malware.


As with all malware, LizaMoon is easier for a user to deal with by avoiding it rather than by attempting to repair the damage it causes after the fact. Fortunately, LizaMoon is easy for most users to avoid. The software requires the user to actively participate in downloading and installing itself. Indeed, to become infected, a user must give permission to the software four times. LizaMoon asks the user to install a piece of rogue antivirus software to remove various non-existent "viruses" from the PC. The rogue AV software that is installed is called Windows Stability Center. As of April 1, the file that is downloaded is currently detected by only 13 of 43 anti-virus engines according to VirusTotal.[5]

See also[edit]


  1. ^ Stacy Cowley (2011-04-01). "LizaMoon attack infects millions of websites". CNN Money. Retrieved 2011-04-01. 
  2. ^ Reuters (2011-04-01). "Malicious Web attack hits a million site addresses". Reuters. Retrieved 2011-04-01. 
  3. ^ Provos, Niels. "Lizamoon SQL Injection Campaign Compared". Retrieved 7 April 2011. 
  4. ^ Landesman, Mary. "Lizamoon – Much Ado About Very Little". Retrieved 7 April 2011. 
  5. ^ Langa, Fred. "LizaMoon infection: a blow-by-blow account". Retrieved 7 April 2011. 

Additional sources[edit]