LizaMoon Malware Attack Infects Millions of Websites


‘LizaMoon’ is a malicious code attack that has already infected more than a million websites. The world was rocked by LizaMoon, a SQL injection attack that has compromised well over one million Websites. No need to panic, though. A little information and common sense are all you need to make sure that LizaMoon is nothing more than a minor annoyance.

LizaMoon is a SQL injection attack that inserts malicious code on otherwise legitimate sites. However, don’t let the fact that it is called SQL injection cause you to jump to the conclusion that there is a flaw in Microsoft SQL Server.

As the Websense FAQ states, SQL injection is an attack that inserts malicious code into the database server by passing it through a vulnerable Web application. The Web application should filter and sanitize incoming data to prevent rogue commands from passing through, but–as LizaMoon makes glaringly apparent–not all do.

The malicious code injected by LizaMoon redirects visitors from the compromised site they intended to reach to an alternate site pushing rogue antimalware protection. You will see a pop-up warning that your PC is infected. Click OK, and the malicious code performs a fake scan of your system indicating a number of detected malware threats. If you click “Remove All” to eradicate the non-existent threats, you will instead download the real malware–the rogue AV software.
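Because the injected code ends up stored in the site's own database content, a site owner can look for tampering by scanning text columns for script tags that load from hosts the site does not use. The Python sketch below is an added example, not code from the original article or from Websense. It assumes the injected code takes the form of a `<script src=…>` tag, uses an in-memory SQLite database with constructed rows as a stand-in for the site's real database, and treats the allowlist and the `injected.invalid` host as placeholders.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Assumed allowlist: hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}

# Captures the src value of a script tag, quoted or unquoted.
SCRIPT_SRC = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

def foreign_script_hosts(text):
    """Return the set of script hosts in text that are not on the allowlist."""
    hosts = set()
    for src in SCRIPT_SRC.findall(text):
        try:
            host = urlparse(src).hostname  # None for relative URLs
        except ValueError:
            continue  # malformed URL, nothing to resolve
        if host and host not in ALLOWED_HOSTS:
            hosts.add(host)
    return hosts

def scan_database(conn):
    """Return (table, column, rowid, hosts) for each text cell with a foreign script."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # Identifiers cannot be bound as parameters; they come from the schema itself.
        for col in [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]:
            query = f'SELECT rowid, "{col}" FROM "{table}" WHERE typeof("{col}") = ?'
            for rowid, value in conn.execute(query, ("text",)):
                hosts = foreign_script_hosts(value)
                if hosts:
                    findings.append((table, col, rowid, sorted(hosts)))
    return findings

def build_sample_db():
    """Constructed sample: rows 1 and 3 are clean, row 2 has a tag appended to its title."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", [
        ("Home", '<p>Welcome</p><script src="https://cdn.example.com/app.js"></script>'),
        ("Products</title><script src=http://injected.invalid/x.js></script>", "<p>Catalogue</p>"),
        ("About", '<script src="/js/local.js"></script><p>About us</p>'),
    ])
    return conn

if __name__ == "__main__":
    for finding in scan_database(build_sample_db()):
        print(finding)
```

A hit only shows where stored content was altered; the vulnerable Web application still has to be fixed, or the cleaned rows can be modified again.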

Most websites have protections in place to prevent them from getting infected in the first place. While LizaMoon has infested millions of websites, security experts say it’s a run-of-the-mill threat that is mostly hitting obscure, low-traffic sites.

Websense, the company that fights to stop these web attacks, announced on its online blog: “Every time there’s a mass-injection like this, and there really hasn’t been anything this big before, we try to identify larger systems and sites that have been affected.”

  1. I have several websites that were infected with malware on April 5th, 2011. However, I did not realize that my websites were compromised until 2 weeks later. I am not sure if this was a result of some of my ads on craigslist that took people to my websites, where someone was able to insert malicious code via WordPress comments, or if they simply guessed my web host's FTP account credentials and infected me that way. I ended up having to delete all my website files and reload them from a backup. I also found out how to clean the compromised files. So if your websites get hacked, please contact me and I will help you to clean them. I’ll also help you report to Google so they can remove the blocks.

