posted by Corrado Cau on Tue 28th Dec 2004 19:18 UTC
IconLast week a new worm started spreading on the Internet. It's named Santy, and it attempts to deface websites using specific versions of the popular phpBB bulletin board software. Is this just a run-of-the-mill worm causing minor damage to a few thousand websites? Yes. But it's also got something we've never seen before.

In total, the worm seems to have compromised about 1 website in 150, among those using phpBB (less than 40,000 websites, on an estimated user base exceeding six million sites). Not too many, that is.

In fact, the phpBB vulnerability being exploited by the worm was already known, and administrators were advised to patch their installations as soon as possible, since the flaw was quite critical.

So far, nothing new... A new worm hitting the internet isn't something very thrilling these days, especially when it is neither that aggressive nor extremely devastating.

Yet, the Santy worm sported a relatively new "feature": it was using the Google search engine in order to automatically find its next victims; as far as I know, this might well be the first time such a creative use of search engines has been adopted by a worm spotted in the wild.

We've already seen automated programs (mainly spiders, but recently also a few viruses) using search engines for collecting e-mail addresses and other pieces of information, but the idea of Google hacking for vulnerabilities was until now only used by human crackers, not by smart worms.

So, are we witnessing the dawn of a new era in malware? The short answer is probably yes.

Santy is written in Perl, a very popular scripting language, and its source code is already appearing on "selected" websites on the 'net. It's only a matter of time before someone starts hacking the Santy source code in order to adapt it to new targets.

Fortunately Google took action quite promptly, and in a little more than six hours it started rejecting queries from the worm instances; this was relatively easy to accomplish, for the worm always submitted the same query to the search engine.

So this time we were able to cut the worm's supply line in less than half a day; I'd bet the next incarnation of Santy will feature differentiated queries to multiple search engines...

Be prepared, and keep on patching your software!

Corrado Cau has worked in IT for 15-plus years, spending most of his career as a system and network administrator on many platforms. Since a few years he's more and more involved in managing IT security matters.

Related Links:

F-Secure WebLog
Google hacking

e p (0)    58 Comment(s)

Technology White Papers

See More