Search-result counts are an imperfect measure of an attack's scope -- Google lists each unique URL rather than each affected domain or site -- but the direction in which the numbers move still shows whether the problem is growing or shrinking, Websense observed.
"We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought," Websense security analysts wrote in a blog Thursday. "All in all, a Google search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack."
Bogus Malware Reports
A user who visits a web page carrying the injected code is redirected to a bogus web site. "Just like most other scareware and rogue AV sites, it shows a pop-up warning saying that your security is at risk and that you have malware and other security issues," said a Websense spokesperson. "And when you click OK, it displays a scanning tool that looks like it's going through the hard drive and finding all sorts of malware, but it's all fake, of course."
Users who click "remove all" to fix these fictitious problems download a rogue AV executable to their machines. When the unsuspecting user runs it, the rogue tool terminates whatever program is currently running.
Nothing else happens until the user tries to start the legitimate program again, at which point the scareware displays a fake Trojan alert. If the user then clicks "remove," the rogue AV escalates to the next stage by prompting the user to install the full-blown scareware app.
This second-stage software, which displays the bogus name Windows Stability Center, warns that there are lots of problems on the user's PC. "To fix them you have to pay for the full version of the app," Websense explained.
Antivirus Detection Still Lagging
Though the LizaMoon threat is global, Websense reported nearly half the traffic to the scareware's bogus web sites is coming from U.S. Internet users. Other nations where a considerable number of PC users are falling prey to LizaMoon include Canada (9.23 percent), Italy (8.89 percent), Brazil (7.92 percent) and the United Kingdom (7.92 percent).
Websense said it has not seen anything this big before and does not expect the threat to go away any time soon. Compounding the problem, only 17 of the 43 antivirus engines aggregated by the multi-engine scanning service VirusTotal -- including those from Kaspersky, Microsoft, Sophos, Symantec, Trend Micro and VIPRE -- detected the LizaMoon rogue AV as of Friday afternoon.
Websense said it's still analyzing the scareware to see how it infects web pages. However, the security firm's researchers suspect that the attack has gained such widespread traction because it has been able to exploit "vulnerabilities in the web systems used by these sites, such as outdated CMS and blog systems."
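The article describes injected links that share one URL structure across many compromised pages, and suspects the pages were compromised through outdated CMS software. A site operator's first practical question is whether any of their own stored page content carries such an injected script tag. The following scan is an added example written for this article, not Websense's tooling or any CMS's own code; it assumes page bodies are available as rows of text (as they would be in a CMS content table), and the allowlisted hosts, the sample rows and the `.test` domains are constructed for the example. It flags any `<script src=...>` that points off-site and not to an allowlisted host, handles the unquoted `src=` form that appended injections commonly use, and groups hits by URL path so that injections sharing a structure across different hosts are reported together.

```python
"""Scan stored page content for injected external <script> tags.

Added example for this article (not Websense's or any CMS's code).
Allowlist, sample rows and domain names below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumed for the example).
ALLOWED_SCRIPT_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# <script ... src=VALUE>, where VALUE is double-quoted, single-quoted or
# unquoted (injected tags are frequently written without quotes).
SCRIPT_SRC = re.compile(
    r'<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))',
    re.IGNORECASE,
)


def script_sources(html):
    """Return every script src value found in `html`, in document order."""
    return [next(g for g in m.groups() if g is not None) for m in SCRIPT_SRC.finditer(html)]


def injected_script_urls(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return external script URLs whose host is not in `allowed_hosts`.

    Relative paths (no host) are served by the site itself and are skipped.
    """
    found = []
    for url in script_sources(html):
        host = urlparse(url).hostname  # already lowercased by urlparse
        if host is None:
            continue
        if host not in allowed_hosts:
            found.append(url)
    return found


def url_structure(url):
    """Collapse a URL to its path so hits that share a structure but differ
    only in host are grouped together."""
    return urlparse(url).path


def scan_rows(rows, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """rows: iterable of (row_id, html).

    Returns {url_path: [(row_id, full_url), ...]} for every suspicious tag.
    """
    by_structure = defaultdict(list)
    for row_id, html in rows:
        for url in injected_script_urls(html, allowed_hosts):
            by_structure[url_structure(url)].append((row_id, url))
    return dict(by_structure)


# Constructed sample content: rows 2 and 3 carry an injected tag (one
# unquoted, one quoted, different hosts, same path); rows 1 and 4 are clean.
SAMPLE_ROWS = [
    (1, '<html><head><title>Home</title>'
        '<script src="https://cdn.example-site.test/app.js"></script></head></html>'),
    (2, '<html><head><title>About</title>'
        '<script src=http://bad-host-a.test/ur.php></script></head></html>'),
    (3, '<html><head><title>News</title></head><body>'
        '<script src="http://bad-host-b.test/ur.php"></script></body></html>'),
    (4, '<p>Clean page</p><script src="/static/site.js"></script>'),
]


if __name__ == "__main__":
    for path, hits in scan_rows(SAMPLE_ROWS).items():
        print(f"{path}: {len(hits)} row(s)")
        for row_id, url in hits:
            print(f"  row {row_id}: {url}")
```

In practice the rows would come from a query over every text column the CMS renders (post bodies, titles, comments, settings), since an injection that lands in a title column still ends up in every page that prints it. A clean run on a site that loads scripts only from its own host or its allowlisted CDN returns an empty dictionary; any non-empty result is worth treating as a compromise until proven otherwise.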
Posted: 2011-04-01 @ 2:20pm PT