[ISN] Google smacks down Santy worm

InfoSec News isn at c4i.org
Thu Dec 23 04:15:00 EST 2004


By Paul Roberts
IDG News Service

Web search engine company Google is blocking efforts by a new Internet
worm to use its search engine to find vulnerable computers on the
Internet, the company announced late Tuesday.

Google is blocking searches launched by Santy.A, a new Internet worm
that targets servers running phpBB, a popular electronic bulletin
board software package, according to a statement from the company.  
Without any native ability to scan for vulnerable computers, Google's
action halted Santy.A's spread, according to anti-virus companies.

Santy.A targets servers running phpBB. Anti-virus companies first
detected the worm Tuesday, though it may have been spreading silently
well before that, according to Johannes Ullrich, chief technology
officer at The SANS Institute's Internet Storm Center.

The worm used a vulnerability in phpBB, an open source software
product that is managed by the phpBB Group, to spread across the
Internet, infecting computer servers that host online bulletin boards
and defacing those sites with the words "This site is defaced!!!  
NeverEverNoSanity WebWorm."

A phpBB component called viewtopic.php allows malicious commands to be
passed to and executed on servers that run a vulnerable version of the
phpBB software. Secunia, a Copenhagen-based security company, first
reported the vulnerability on Nov. 19. An updated version of phpBB
software that fixes the flaw was released on Nov. 18.

Estimates of the impact of the Santy worm vary widely. Searches on a
beta version of Microsoft's MSN Search feature for the text used to
deface sites returned more than 30,000 hits. However, identical
searches on other engines, including the official MSN Search engine,
Yahoo and Google search engines returned far fewer hits, ranging from
785 (MSN) to 2,030 (Yahoo).

Using searches for telltale signs of infection, such as defacement
text, is an inexact way to determine the actual number of Santy
infections, said Ullrich.

"Santy will only deface sites if it can overwrite files, and it may
not always be able to do that based on the configuration of the Web
server (running phpBB)," he said.

Also, an analysis of the Santy code revealed that the worm spread
quietly for a while, infecting phpBB servers but not overwriting files
and defacing the bulletin boards, Ullrich said.

The Santy worm marked some firsts, including the use of a popular
search engine as part of a worm's spreading mechanism. But the lessons
to be learned from Santy's spread are already well established: keep
on top of software patches and "harden" the configuration of
public-facing servers by preventing users from being able to take
unnecessary actions, such as overwriting files, he said.

More information about the ISN mailing list