Tuesday, April 5, 2011

Lizamoon attacks and generic detection

You've probably heard by now of the "Lizamoon" attacks, a rapidly spreading bit of SQL injection named for the domain that hosted the script dropped onto a variety of pages across the web. While not a particularly interesting attack from a technical perspective, it's hit enough hosts to be a nuisance, and to get IT managers up in arms about protecting against it.

The good news for anyone running a Sourcefire/Snort box is that, if you've paid attention to this blog in the past, you're already covered. SID 13989, which I referenced in my "Known Unknowns: The 'Don't Do That' Rules" post last May, is the rule you want to make sure is enabled. Originally written to deal with SQL injection attacks similar to the Asprox trojan, it has the handy benefit of picking up a number of different SQL injection attacks that are being obfuscated via use of the char() function (which is exactly how Lizamoon works). Given the lack of false positive reports from the field, and its apparent usefulness in detecting new attacks, we'll be enabling that rule in some of our default policies going forward.
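As an added illustration (this is my own code, not the post's and not the Snort rule itself), here is a small detector written in the same generic spirit as SID 13989: it rebuilds the string that a chain of char() calls would produce and flags the request when SQL keywords show up in the decoded text. The sample request lines, the keyword list and the threshold of three chained char() calls are constructed assumptions for the example.

```python
import re
from typing import Optional
from urllib.parse import unquote

# A run of three or more char(N) calls, joined by '+' (T-SQL concatenation) or
# whitespace. This is the obfuscation the post describes: the SQL is rebuilt
# from character codes at runtime so no keyword appears literally in the request.
CHAR_CHAIN = re.compile(r"(?:char\(\s*\d{1,3}\s*\)[\s+]*){3,}", re.IGNORECASE)
CHAR_CODE = re.compile(r"char\(\s*(\d{1,3})\s*\)", re.IGNORECASE)
# Assumed keyword list; tune to the application being protected.
SQL_KEYWORDS = ("declare", "exec", "cast", "update", "<script")

def decode_char_chain(chain: str) -> str:
    """Rebuild the string that char(N)+char(N)+... would evaluate to."""
    return "".join(chr(int(n)) for n in CHAR_CODE.findall(chain) if int(n) < 256)

def inspect_request(uri: str) -> Optional[dict]:
    """Return a finding for a URI carrying a char()-obfuscated SQL fragment,
    or None when no chain decodes to anything that looks like SQL."""
    decoded_uri = unquote(uri)  # undo %28 / %29 etc.; '+' is kept as-is
    for match in CHAR_CHAIN.finditer(decoded_uri):
        hidden = decode_char_chain(match.group(0))
        hits = [k for k in SQL_KEYWORDS if k in hidden.lower()]
        if hits:
            return {"uri": uri, "decoded": hidden, "keywords": hits}
    return None

def scan(uris) -> list:
    """Run inspect_request over a batch of request URIs and collect findings."""
    return [f for f in (inspect_request(u) for u in uris) if f is not None]

# Constructed sample request URIs, not real traffic from the post.
SAMPLE_REQUESTS = [
    # obfuscated: the chain decodes to "declare @s" once rebuilt
    "/news.asp?id=1;char%28100%29+char(101)+char(99)+char(108)+char(97)"
    "+char(114)+char(101)+char(32)+char(64)+char(115)",
    # ordinary request with no char() calls at all
    "/news.asp?id=1&sort=date",
    # short chain that decodes to harmless text ("ABC"), so it is not flagged
    "/search.asp?q=char(65)+char(66)+char(67)",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```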

In the meantime, SID 18604 will be released in the next SEU to detect the code dropped onto infected web sites. While that rule is less generic, and thus less likely to pick up entirely different families of malware in the future, it should at least keep your pointy-headed bosses happy when they ask if you're safe from this newfangled Lizamoon thingee.