Friday, July 29, 2011

Lizamoon/Willsy Detection

Between Lizamoon and Willsy, looking for worms spreading through web attacks on a large number of domains can suck. Using postmodern's gscraper, I wrote a quick script that can check for infection using the same techniques as google-hacking.

It's located at https://github.com/jbc22/Is-Domain-Infected/ . Inside the script, there's a place for you to change the query strings based upon what the current worm does. In the case of Willysy, it's needed to check for:

  • http://willysy.com/images/banners/
  • http://exero.eu/catalog/jquery.js
 (For a writeup, see: http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html)