[ISN] Google worm targets AOL, Yahoo

InfoSec News isn at c4i.org
Wed Dec 29 01:31:50 EST 2004


By Paul Festa 
Staff Writer, CNET News.com
December 28, 2004

Update: Days after Google acted to thwart the Santy worm, security
firms warned that variants have begun to spread using both Google and
other search engines.

The Santy problem originally flared up a week ago as bulletin board
Web sites found their pages erased and defaced by the worm's own text.  
The worm spread by targeting pages that used vulnerable versions of
the PHP Bulletin Board (phpBB) software, and used Google to locate
those pages.

After Google took measures to prevent the worm from executing Google
searches for the faulty bulletin board software, Santy variants are
making the rounds using AOL and Yahoo search, according to security
firms, and are still targeting Google as well.

"Perl.Santy.B is a worm written in Perl script that attempts to spread
to Web servers running versions of the phpBB 2.x bulletin board
software prior to 2.0.11," warned Symantec in a Dec. 26 bulletin. "It
uses AOL or Yahoo search to find potential new infection targets."

AOL, which uses Google for its underlying search technology, said on
Tuesday that its search engine should benefit from whatever protective
measures Google implemented.

"Google is only returning results associated with sites not vulnerable
to the exploit packed by Perl.Santy," said AOL spokesman Andrew
Weinstein. "So, as the issue has been handled by Google, we're able to
say that we're blocking requests of this type."

Yahoo, which dumped Google's search technology in February, could not
be reached for comment.

Several other variants are cropping up. Santy.c targets Google once
again. Kaspersky Labs today renamed Santy.d and Santy.e Spyki.a and
b., citing significant differences in the worms' structure from
earlier Santies. The security firm also said the new worms were using
the Brazilian Google for their exploits.

Security researches last week faulted Google for not responding more
swiftly to the emerging Santy threat.

The Santy worm and its variants affect only targeted bulletin board
sites and do not pose a threat to Web surfers who visit them.

More information about the ISN mailing list