By Fred Langa
The recent LizaMoon Top Story generated a deluge of reader e-mails!
Some of the letters criticized my actions — but most of the letters requested additional details and some asked excellent “what if?” questions.
The questions and comments about the story fell into several broad categories, broken out below — some with an example question that stands in for many similar ones.
But before I begin, my thanks to all who wrote in — especially to the readers listed at the end of the text. You all helped enormously in tracking down LizaMoon and its details. Thank you!
Where does the ‘LizaMoon’ name come from?
A “LizaMoon” infection actually has two components. The first infects a Web server, and one of the first servers to be attacked was a site called lizamoon.com (now offline, unsurprisingly).
This initial attack rewrites part of a website’s code. Visitors to the compromised site get silently redirected to an external, hostile site. The second site launches a separate attack on visiting PCs. The attack is usually in the form of one of those fake “Your computer is infected! Scan now?” pop-up dialog boxes. Unwary victims think they’re launching some kind of clean-up or security tool, but they’re actually granting permission for malware to run on their machines.
Technically, the actual LizaMoon infection is just the first part of the infection process — a SQL injection attack (MSDN article) on a Web server. But most people refer to LizaMoon as the whole, two-part package.
Why didn’t Security Essentials stop the malware?
An excellent question. I don’t have an answer, but I do agree with those who believe that Microsoft Security Essentials should have caught this infection.