Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Malware March Madness: College basketball wasn't the only thing on the agenda

In March, there was a resurgence in the number of LizaMoon SQL injection attacks, as well as an increase in malicious iframe injections, JavaScript malware, and the Blackhole exploit kit
In March, there was a resurgence in the number of LizaMoon SQL injection attacks, as well as an increase in malicious iframe injections, JavaScript malware, and the Blackhole exploit kit

In March, there was a resurgence in the number of LizaMoon SQL injection attacks, as well as an increase in malicious iframe injections, JavaScript malware, and the Blackhole exploit kit, the report found.

The report is based on analysis of web traffic traversing Zscaler’s cloud, which amounts to 200 billion transactions per quarter.

LizaMoon, named after the domain name of an injected script tag, was first identified in March 2011. The LizaMoon attacker injects script tags into vulnerable web pages.

“A year later, we are still seeing this campaign underway, with various peaks and valleys as the attack adapts over time”, Zscaler observed in its report. In March 2012, tens of thousands of additional websites were compromised as part of the renewed LizaMoon campaign, it noted.

The LizaMoon attacks are an “ongoing campaign because they compromised so many websites at once. It takes a while for websites to be cleaned up. And then it will go through another iteration of compromising a bunch of websites. So then there will be a spike. March was the spike, and we are probably in the decline period”, Mike Geide, senior security researcher for Zscaler ThreatLabZ, told Infosecurity.

Geide noted that there was also a spike in WordPress compromises, mostly notably by the Flashback malware that infected hundreds of thousands of Macs.

“Flashback was a payload that was delivered from the mass WordPress compromise. Initially, the WordPress compromise was redirecting people to the Blackhole exploit kit website. Bundled in with the Blackhole exploit kit was an exploit for the particular Java vulnerability that was leveraged in Flashback”, he explained. “March was an interesting time for all of those activities”, he added.

The report found that 35% of installed Adobe Shockwave plug-ins in the first quarter were outdated, down from 52% in the previous quarter, indicating that Shockwave users are doing a better job of updating their plug-ins. However, 63% of Adobe Reader plug-ins were outdated in the first quarter.

In addition, 10% of the websites tested by Zscaler ThreatLabZ’s Zulu, a free service to detect malicious websites, were identified as malicious. “Zulu is geared toward people submitting malicious websites, so there is a reason why they are submitting them in the first place. So one in 10 isn’t surprising”, Geide said.

The report also found that Apple device usage in the enterprise surged (on average) to 48% of traffic, while Android declined to 37% in the first quarter, from 40% and 42%, respectively, in the previous quarter.
Also, Facebook accounted for 41% of Web 2.0 traffic, down from 43% in the fourth quarter and 52% at the same time last year. Taken on average, this means a 2.8% drop in Facebook use per quarter. However, Twitter use is on a slow and steady rise, up from 5% in first quarter of 2011 to 7% this quarter.

Social networking sites accounted for 4% of policy blocks in the enterprise by the end of the first quarter, whereas at the beginning of the quarter it accounted for only 2.5%, according to the report.

What’s Hot on Infosecurity Magazine?