
LizaMoon – LizaMoon SQL Injection, LizaMoon Website Infection, LizaMoon Computer Infection

Author: AITpro Admin
Published: April 2, 2011
Updated: April 4, 2011

First off, if you have a WordPress website and have BulletProof Security installed then your WordPress website is completely protected from being infected or hacked by the LizaMoon SQL Injection attack.  The SQL Injection filters in BulletProof Security will completely block the LizaMoon SQL Injection attack.

Most websites are reporting that this is a relatively harmless form of website attack that will not lead to serious computer infection, but I see a huge red flag in one of the functions of the LizaMoon virus program.  The Windows Sysinternals Process Explorer is not allowed to load or is killed by the LizaMoon virus, so you can’t see what is going on with processes on your computer system.  What are the hackers trying to hide?  If my suspicions are correct then this is a variant of a very high level Facebook drive-by virus that infected computers last fall.  The utility that I used that exposed this virus program on that computer was the Sysinternals Process Explorer.  It made it obviously clear right away that something was running on that computer system that should not have been and also exposed that it was a very sophisticated self-contained program running at the core system level.

The visual design is very similar to that of the LizaMoon SQL Injection hack.  Before I can say with any certainty that this is something that people should be very concerned about I will need to infect a computer and see how deep it goes.  The Facebook drive-by virus appeared to only be a nuisance, but I discovered that a computer that was not protected with a software firewall was being remotely controlled.  That computer was protected with anti-virus software.  How was this done?  The virus went right for the core of the Windows Operating System – the .NET Framework.  This is an area of the Microsoft Windows Operating Systems that most people are not familiar with or are not even aware exists.

Read this Wiki page on the .NET Framework and .NET Assemblies for information on the .NET Framework.

The Facebook drive-by virus appeared to be only a nuisance intentionally, in order to mislead people into thinking there was nothing to worry about.  The design and idea of that particular virus was to make people only see the surface attack and not look deeper into a very well hidden and completely silent program that was running in the background.  That virus program gave the hackers full remote control of your computer whether or not you had the desktop remote control service turned off.  The level that the virus program was written for was well beneath the surface systems.  The virus program was an assembly that was written for the core .NET Framework.  Have you ever wondered how Microsoft sends you notifications that updates are available if you have everything turned off?  The core executable program that handles this is the Microsoft Distributed Transaction Coordinator (MSDTC).  What is MSDTC?  It is the executable that performs the transaction coordination role for components, usually with COM and .NET architectures.

As I stated above, I have not yet confirmed that the LizaMoon SQL Injection attack could also contain code that could infect your computer at the core .NET Framework, but all the signs indicate that this is a more advanced variant of that same virus program.  I will know conclusively once I have infected a computer system and checked the .NET Assemblies for the program or a similar program.  The Facebook virus was a full-blown desktop remote control program added to the core .NET Framework that was designed to avoid any detection, with the end goal appearing to be to allow a remote hacker to see every file on your computer because they had complete remote control of the system.  If you store sensitive financial information on your computer system, like bank account information, then this information would be compromised.

So I would advise that until the LizaMoon virus can be truly labeled as harmless, deep inspection of the .NET Framework Assemblies must be done on a computer that has been infected.  I will post results here once I have had a chance to infect a computer and fully diagnose the payload and capabilities of the program.  I am hoping that I find nothing, but I am expecting that I will find another similar remote desktop control program in the assemblies.
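One concrete way to do the assembly inspection recommended above, as an added example that is not code from the original post or from BulletProof Security: a PowerShell script that inventories the Global Assembly Cache, checks each file's Authenticode signature, and flags anything not signed by Microsoft or changed recently. It assumes it is run as Administrator on the machine under review, that the two GAC paths are the standard ones, and that a 30-day change window is a reasonable starting point.

```powershell
# Added example (not from the original post): inventory the .NET Global Assembly
# Cache and flag assemblies that are unsigned, not signed by Microsoft, or recently
# modified. Assumption: run as Administrator on the machine being inspected.

$gacRoots = @(
    "$env:windir\assembly",                # GAC for .NET 2.0/3.x assemblies
    "$env:windir\Microsoft.NET\assembly"   # GAC for .NET 4.x assemblies
) | Where-Object { Test-Path $_ }

# Assumption: anything changed in the last 30 days deserves a second look.
$cutoff = (Get-Date).AddDays(-30)

$report = foreach ($root in $gacRoots) {
    Get-ChildItem -Path $root -Recurse -Include *.dll, *.exe -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Path       = $_.FullName
            LastWrite  = $_.LastWriteTime
            SigStatus  = $sig.Status        # Valid, NotSigned, HashMismatch, ...
            Signer     = $signer
            Suspicious = ($sig.Status -ne 'Valid') -or
                         ($signer -notmatch 'O=Microsoft Corporation') -or
                         ($_.LastWriteTime -gt $cutoff)
        }
    }
}

# Show only the entries that need a human to look at them, newest first.
$report | Where-Object { $_.Suspicious } |
    Sort-Object LastWrite -Descending |
    Format-Table Path, LastWrite, SigStatus, Signer -AutoSize

# Keep the full inventory so it can be diffed against a known-clean machine.
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\gac-inventory.csv" -NoTypeInformation
```

Many in-box Microsoft assemblies are catalog-signed rather than carrying an embedded signature, so on older PowerShell versions they will show as NotSigned; treat the flagged list as a starting point to compare against a clean machine, not as proof of infection on its own.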
