{"id":2533,"date":"2011-04-02T14:24:39","date_gmt":"2011-04-02T21:24:39","guid":{"rendered":"http:\/\/www.ait-pro.com\/aitpro-blog\/?p=2533"},"modified":"2011-04-04T10:47:13","modified_gmt":"2011-04-04T17:47:13","slug":"lizamoon-lizamoon-sql-injection-lizamoon-website-infection-lizamoon-computer-infection","status":"publish","type":"post","link":"https:\/\/www.ait-pro.com\/aitpro-blog\/2533\/misc-projects\/security-reports-warnings-and-fixes\/lizamoon-lizamoon-sql-injection-lizamoon-website-infection-lizamoon-computer-infection\/","title":{"rendered":"LizaMoon &#8211; LizaMoon SQL Injection, LizaMoon Website Infection, LizaMoon Computer Infection"},"content":{"rendered":"<p>First off, if you have a WordPress website with BulletProof Security installed, the SQL injection filters in BulletProof Security block the LizaMoon SQL injection attack, so your website is protected from being infected or hacked by it. (LizaMoon was reported against ASP and ASP.NET sites backed by Microsoft SQL Server rather than against WordPress sites on MySQL, so a WordPress site is not its natural target in the first place.)<\/p>\n<p>Most websites are reporting that this is a relatively harmless form of website attack that will not lead to serious computer infection, but <strong>I see a huge red flag in one of the functions of the LizaMoon virus program. The Windows Sysinternals Process Explorer is prevented from loading, or is killed, by the LizaMoon virus, so you can&#8217;t see what is going on with the processes on your computer. What are the hackers trying to hide?<\/strong> If my suspicions are correct then this is a variant of a very advanced Facebook drive-by virus that infected computers last fall. The utility I used that exposed that virus program on the affected computer was the Sysinternals Process Explorer. It made it immediately clear that something was running on that computer that should not have been, and also exposed that it was a very sophisticated self-contained program running at the core system level.<\/p>\n<p>The 
visual design is very similar to that of the LizaMoon SQL injection hack. Before I can say with any certainty that this is something people should be very concerned about, I will need to infect a computer and see how deep it goes. The Facebook drive-by virus appeared to be only a nuisance, but I discovered that a computer that was not protected with a software firewall was being remotely controlled. That computer was protected with anti-virus software. How was this done? The virus went right for a core component of the Windows operating system &#8211; the .NET Framework. This is an area of Microsoft Windows that most people are not familiar with, or are not even aware exists.<\/p>\n<p>Read this <span class=\"bluelink\"><a title=\"Wiki .NET Framework Explained\" href=\"http:\/\/en.wikipedia.org\/wiki\/.NET_framework\" target=\"_blank\">Wiki page on the .NET Framework and .NET Assemblies <\/a><\/span>for information on the .NET Framework.<\/p>\n<p>The Facebook drive-by virus appeared to be only a nuisance, and intentionally so, in order to mislead people into thinking there was nothing to worry about. The design of that particular virus was to make people see only the surface attack and not look deeper for a very well hidden and completely silent program running in the background. That program gave the hackers full remote control of your computer whether or not you had the Remote Desktop service turned off. The level the program was written for was well beneath the surface of the system: it was an assembly written for the .NET Framework. Have you ever wondered how Windows still notifies you that updates are available when you think you have everything turned off? That is done by the Windows Update service (wuauserv), one of many services that run unseen beneath the desktop. Another example is the Microsoft Distributed Transaction Coordinator (MSDTC). What is 
MSDTC? It is the service (msdtc.exe) that performs the transaction coordination role for components, usually in COM+ and .NET architectures.<\/p>\n<p>As I stated above, I have not yet confirmed that the LizaMoon SQL injection attack also carries code that could infect your computer at the .NET Framework level, but all the signs indicate that this is a more advanced variant of that same virus program. I will know conclusively once I have infected a computer and checked the .NET assemblies for that program or a similar one. The Facebook virus was a full-blown remote desktop control program added to the .NET Framework, designed to avoid detection, with the apparent end goal of letting a remote hacker see every file on your computer, since they had complete remote control of the system. If you store sensitive financial information on your computer, such as bank account information, that information would be compromised.<\/p>\n<p>So I would advise that, until the LizaMoon virus can truly be labeled harmless, a deep inspection of the .NET Framework assemblies must be done on a computer that has been infected. I will post results here once I have had a chance to infect a computer and fully diagnose the payload and capabilities of the program. I am hoping that I find nothing, but I am expecting to find another similar remote desktop control program in the assemblies.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>First off, if you have a WordPress website with BulletProof Security installed, the SQL injection filters in BulletProof Security block the LizaMoon SQL injection attack, so your website is protected from being infected or hacked by it. (LizaMoon was reported against ASP and ASP.NET sites backed by Microsoft SQL Server rather than against WordPress sites on MySQL, so a WordPress site is not its natural target in the first place.) 
Most websites are reporting that this is a relatively harmless [&hellip;]<\/p>\n","protected":false},"author":167,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_links_to":"","_links_to_target":""},"categories":[311],"tags":[365,363,366,367,364],"class_list":["post-2533","post","type-post","status-publish","format-standard","hentry","category-security-reports-warnings-and-fixes","tag-lizamoon-computer-infection","tag-lizamoon-sql-injection","tag-lizamoon-website-attack","tag-lizamoon-website-hack","tag-lizamoon-website-infection"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts\/2533","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/users\/167"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/comments?post=2533"}],"version-history":[{"count":0,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/posts\/2533\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/media?parent=2533"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/categories?post=2533"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ait-pro.com\/aitpro-blog\/wp-json\/wp\/v2\/tags?post=2533"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
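The post closes by recommending a deep inspection of the .NET Framework assemblies on an infected machine. The PowerShell below is an added example of that triage step; it is not code from the original post, from BulletProof Security, or from Sysinternals. It assumes a Windows machine with the .NET Framework installed, Windows PowerShell 3.0 or later, and an elevated prompt; the function name Get-SuspectGacAssemblies and the two GAC paths are the example&#8217;s own choices (the paths are the standard locations of the .NET 2.0-3.5 and .NET 4.x Global Assembly Cache).

```powershell
# Added example (not from the original post): enumerate every assembly in the
# .NET Global Assembly Cache and flag any that does not carry a valid
# Authenticode signature from Microsoft. Assumptions: Windows with the .NET
# Framework installed, Windows PowerShell 3.0+, elevated prompt.

# Both GAC locations: the .NET 2.0-3.5 cache and the .NET 4.x cache.
$gacRoots = @(
    (Join-Path $env:windir 'assembly'),
    (Join-Path $env:windir 'Microsoft.NET\assembly')
)

function Get-SuspectGacAssemblies {
    param([string[]]$Roots = $gacRoots)

    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        $files = Get-ChildItem -LiteralPath $root -Recurse -File -Include *.dll, *.exe -ErrorAction SilentlyContinue

        $records = foreach ($file in $files) {
            $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            [pscustomobject]@{
                Path     = $file.FullName
                Status   = $sig.Status        # Valid, NotSigned, HashMismatch, ...
                Signer   = $signer
                Modified = $file.LastWriteTime
            }
        }

        # Anything without a valid signature whose subject is Microsoft is worth a second look.
        $records | Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' }
    }
}

# Newest modifications first: a freshly dropped assembly stands out at the top of the list.
Get-SuspectGacAssemblies | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. Many legitimate Microsoft assemblies in the GAC are signed through a Windows catalog file rather than with an embedded signature, so Get-AuthenticodeSignature reports them as NotSigned; treat the list as a set of files to compare against a known-clean machine of the same Windows and .NET version (or to verify with Sysinternals sigcheck, which also checks catalog signatures), not as a verdict. And if, as the post describes, a resident program is killing Process Explorer, it may interfere with other tooling as well, so run the check from a clean machine against the suspect disk mounted offline by pointing $Roots at the mounted volume.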