February 2011
LizaMoon attack: This was not an April Fool's joke, or maybe it was
By Rick Smith
rants@vcmail.net
Liza Moon sounds benign — maybe a female singer or a movie star, but don't be fooled. It's the name attached to a cyberattack that, according to PC World magazine, compromised more than 1 million websites starting March 29. PC World, attributing the information to Websense, said the attack was discovered at the website lizamoon.com, hence its name. Some experts called the attack "one of the biggest mass-injection attacks we've ever seen," PC World's Sarah Jacobsson Purewall wrote.
The attack injects a malicious script into a website's pages to redirect visitors to a rogue AV site. The rogue site "tries to get people to install a fake antivirus program called Windows Stability Center," the magazine said.
"The attack continues to rampage across the Internet, and currently doesn't show any signs of slowing down," the magazine reported April 1. "So don't install any web-based antivirus software that claims your computer is full of bugs."
In a follow-up blog later in the day, blogger Tony Bradley quoted Websense as saying the attack does not indicate a weakness in Microsoft SQL Server. "Everything points to [the likelihood] that this is a vulnerability in a web application. We don't know which one(s) yet but SQL Injection attacks work by issuing SQL commands in un-sanitized input to the server. That doesn't mean it's a vulnerability in the SQL Server itself, it means that the Web application isn't filtering input from the user correctly," a Websense FAQ said.
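To make the Websense point concrete, here is an added example (not code from the column, PC World or Websense) in Python with sqlite3. It contrasts a query that glues user input into the SQL text with a parameterised one, and adds a check a site owner could run over stored content to spot the injected script tags the column describes. The table, the page titles and the host example.invalid are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: a tiny CMS table in which one title has already
# been tampered with in the mass-injection style (a script tag pointing at a
# host the site does not control; example.invalid is a placeholder).
SAMPLE_ROWS = [
    ("about", "About our company"),
    ("news", 'Latest news</title><script src="http://example.invalid/x.js"></script>'),
    ("contact", "Contact us"),
]

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (slug TEXT, title TEXT)")
    con.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    return con

def update_title_unsafe(con, slug, title):
    # The weakness Websense describes: input is pasted into the SQL text, so
    # it is parsed as SQL rather than treated purely as data.
    con.execute(f"UPDATE pages SET title = '{title}' WHERE slug = '{slug}'")

def update_title_safe(con, slug, title):
    # Parameterised: values travel separately from the statement, so quotes
    # or tags in the input are stored literally and cannot change the query.
    con.execute("UPDATE pages SET title = ? WHERE slug = ?", (title, slug))

def probe(con, updater, slug, title):
    """Apply updater and return the stored title, or None if the statement
    failed to parse (the sign that the input reached the SQL parser)."""
    try:
        updater(con, slug, title)
    except sqlite3.OperationalError:
        return None
    row = con.execute("SELECT title FROM pages WHERE slug = ?", (slug,)).fetchone()
    return row[0]

SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)

def find_injected_scripts(con, trusted_hosts=()):
    """Return (slug, url) for every stored text field that loads a script
    from a host outside trusted_hosts: the footprint of a mass injection."""
    hits = []
    for slug, title in con.execute("SELECT slug, title FROM pages"):
        for url in SCRIPT_SRC.findall(title or ""):
            host = url.split("/")[2].lower()
            if host not in trusted_hosts:
                hits.append((slug, url))
    return hits
```

An ordinary title with an apostrophe is enough to make the unsafe version fail, which is the same door an attacker walks through; the safe version stores it unchanged.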
Bradley said the attack should not be a danger to careful computer users. When visitors reach the rogue AV site, they get a pop-up warning that the PC is infected. Users who click OK start a fake scan that results in a message that many malware threats have been detected. If users click on "Remove All" to get rid of the supposed threats, they download the rogue AV software.
"There is no reason that any user should ever fall for a rogue AV scam," Bradley writes. "You should know whether or not you have AV software installed. If you do, you should be familiar enough with it to recognize what the alert messages and system scan look like. More importantly, when the malware gets to the point where it requires payment to download the full version of the rogue AV, alarm bells should be going off in your head."
If you don't have AV software installed, you should be asking yourself where the warning is coming from, he continues. Further, he says, when the malware asks you to pay for software to fix the infection, "you should ask yourself, 'if my PC has software that was able to detect the threat, then scan for and identify the malware on my system, why do I now have to pay to download something else to fix it?'"
It has since been determined that the hacker has been tracked down to 91.220.35.151 (now PLEASE don't go punching that IP address into your Web browser). Sheesh, I had to say that just in case. OK, his registered name is Rusnak Vasil Victorvich in the Ukraine. I'm beginning to think that these people are making so much money right now that they can afford to hire some of the good talent that's out there. These guys are continually thinking up new ways to get around your good old antivirus program. I wonder about the timing of this on April 1. It seems these criminals aren't lacking a sense of humor.
Let me share with you a real-life scenario. Someone I know got infected with a real nasty version of this kind of software. The person completely deleted everything on the PC and started over.
I got the website info that my client visited and went to it to see what would happen. It was bad! My first clue was that Norton Antivirus said I was being attacked. Next thing, a pop-up showed up saying I was infected. I immediately tried to execute Windows Task Manager to identify the process and stop it, but when I hit CTRL-ALT-DEL to open the prompt to launch it, it was gone. The other prompts were there: Lock the Computer, Switch User, Log Off, Change a Password. The next choice should have been Task Manager, but it just wasn't there. When I canceled and went to my desktop, it was gone, too.
I disconnected from the Net and checked my personalization, and the control to change my wallpaper was gone also. I then clicked on my Start menu, and it reverted to Windows Classic style, and all my program groups and icons were gone. I right-clicked on the only thing I had left, which was the Start button, and selected Explore. I clicked on my C: drive, and it was empty. My Lord, in one fell swoop my entire PC was rendered useless and inoperative. At this point I decided to reboot to see what would happen! It took a long time after the initial Windows startup icon, and then it just rebooted. Oops, this isn't good, I thought. Did this thing actually delete most of my hard drive? Can I ever recover from this?
I started it up again, and this time it did boot. No wallpaper, no programs, no icons and no Task Manager. Hmmm! I restarted in safe mode and found the process that was running and deleted it. I was able to edit the registry and find the key and remove it also.
I restarted and the bug was gone, but my system was devastated. I hooked back up to the Internet and got Internet Explorer to start and went to work on my poor pitiful PC. I first went to the registry and to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies and set the disable-task-manager hexadecimal value from 1 to 0. Ahhh, now I have Task Manager. Next I went to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and fixed the wallpaper problem. Ahhh, my beautiful wallpaper was back.
Finally, I went to Windows Explorer and told it to show hidden files and, lo and behold, there were my files. They were dimmed out but now accessible. I clicked on each folder, selected Properties and saw they were marked Hidden. I unselected that and applied it to all subfolders.
Slowly but surely, as I went from folder to folder revealing my files, my PC started acting like HAL being reactivated in "2010: Odyssey Two." Finally, my PC was restored. What an ordeal! I will probably never attempt this again, at least not with my own PC. Maybe yours though.
At least I know that I have passed the test. I have passed through the fire and not been burned. My skills are complete. Maybe I should take some hallucinogenic drugs and wait for a vision. I could write a book and do a tour. Become a highly paid speaker and travel the world as some sort of prophet for profit. Start my own reality show --
(Editor's note: At this point I feel it's wise to cut Rick off — and to add the usual warning: Don't try this at home. Editing the registry can be dangerous if you don't know what you're doing.)