Santy-A Worm Raises Fears Over New Trend

The Santy-A worm, which shows off the first automated Google hacking, has security analysts bracing for a whole new trend.
Posted December 22, 2004

Sharon Gaudin

The rampaging Santy-A worm should be slowing down now that Google has taken its legs out from under it. But the worm, which shows off the first automated Google hacking, has security analysts bracing for a whole new trend.

''Santy-A uses Google to find vulnerable Web applications or password files,'' says Mike Murray, director of vulnerability and exposure research at nCircle Proactive Network Security, a vulnerability management company based in San Francisco. ''It logs in to Google and does a search.''

And Murray says the Santy worm most likely will be only the first of its kind.

''I think we will see Google hacking become more prevalent,'' adds Murray. ''Every search engine has the same problem. It's not just Google. Their job is to present information in a useful way. This is what they do. Hackers are just going to take advantage of that. It's an extension of the information gathering principle.''

Santy-A was first detected in the wild on Tuesday, Dec. 21.

Google has deactivated queries that the worm needs to propagate, according to John Bambenek, a handler with the SANS Institute's Storm Center. In a posting on the Storm Center's Web site, Bambenek adds, ''This is only a temporary fix, I would imagine, as I'm sure other queries can be crafted and the same exploit code used to relaunch this worm. Time will tell.''

Murray notes that this kind of attack puts Google, and other search engines, in a difficult situation.

''This is a tough place for Google to be in,'' he says. ''They provide information and this exploits that fact. Google then has to figure out what information is bad and what information is good. That puts them in a tough spot. In the large scale scope of things, it will be very difficult for them to combat this going forward. How do they know the intent of searches?''

According to Sophos, Inc., an anti-virus and anti-spam company with a U.S. base in Lynnfield, Mass., the Santy-A worm exploits a vulnerability in phpBB, a piece of software often used to provide discussion forums and bulletin boards on the web. The worm uses the Google search engine to try to find vulnerable bulletin boards on the web.

The Santy worm, which is written in Perl, spreads to vulnerable phpBB bulletin boards on both Windows-based and Unix-based platforms. Once the worm has spread to three or more servers, it will attempt to overwrite all HTM, PHP, ASP, SHTM, JSP and PHTM files with a Web page containing the following message: ''This site is defaced!!! NeverEverNoSanity WebWorm generation.''
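A defender-side check based on the behaviour Sophos describes, added here as an example that is not part of the original article and is not the worm's own code: it walks a web root and reports files of the listed types that contain the defacement message. The directory tree and file names it builds are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Defacement text and file types as reported by Sophos in the article.
DEFACEMENT_MARKER = b"This site is defaced!!! NeverEverNoSanity WebWorm generation"
TARGET_EXTENSIONS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}


def find_defaced_files(webroot, extensions=TARGET_EXTENSIONS, marker=DEFACEMENT_MARKER):
    """Walk webroot and return sorted web-root-relative paths of files containing the marker.

    extensions=None scans every regular file; otherwise only files whose suffix
    (compared case-insensitively) is in the set are read.
    """
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if extensions is not None and path.suffix.lower() not in extensions:
            continue
        try:
            data = path.read_bytes()
        except OSError:  # unreadable file: skip it rather than abort the whole scan
            continue
        if marker in data:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_webroot(base):
    """Constructed sample tree (hypothetical names): two overwritten pages, one intact
    page, and one file of a type the worm is not reported to touch."""
    base = Path(base)
    (base / "forum").mkdir(parents=True, exist_ok=True)
    (base / "forum" / "index.php").write_bytes(b"<html>" + DEFACEMENT_MARKER + b".</html>")
    (base / "about.HTM").write_bytes(DEFACEMENT_MARKER)   # upper-case suffix must still match
    (base / "forum" / "viewtopic.php").write_bytes(b"<?php echo 'ok'; ?>")
    (base / "notes.txt").write_bytes(DEFACEMENT_MARKER)   # outside the reported extension list
    return base


def scan_sample_webroot():
    """Build the sample tree in a temp dir and return (targeted hits, all-file hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_webroot(tmp)
        return find_defaced_files(root), find_defaced_files(root, extensions=None)


if __name__ == "__main__":
    targeted, everything = scan_sample_webroot()
    print("defaced pages:", targeted)       # ['about.HTM', 'forum/index.php']
    print("marker anywhere:", everything)   # ['about.HTM', 'forum/index.php', 'notes.txt']
```

Running it against a real web root (pass the path to `find_defaced_files`) lists the pages to restore from backup; a hit outside the listed extensions is worth a look too, which is what `extensions=None` is for.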

''The good news is that this worm only affects Web servers, not users who visit any of these bulletin boards,'' says Graham Cluley, senior technology consultant for Sophos, in a Web posting. ''There have been serious security vulnerabilities found in the phpBB software in the past -- and this incident underlines the importance of all people keeping up-to-date with the latest security patches and fixes.''

Cluley says Sophos analysts believe the Dec. 21 release of Santy-A was specifically designed to coincide with the Christmas holiday, when a lot of IT personnel will be off from work.

''Can it really be coincidence that a worm which attacks Web bulletin boards is released just as many companies and organizations which run such messageboards are shutting down for Christmas?'' asks Cluley. ''Many Webmasters will be going home early for the holidays. And it's likely this worm will have a greater impact simply because the people who need to be at their desks to fix the problem, are relaxing in front of the fire.''

Sophos advises Webmasters who run the phpBB software to upgrade to the most recent version of the software as soon as possible. Version 2.0.11 of phpBB is believed not to be vulnerable to the worm's method of attack.
