Saturday, June 22, 2024

Santy-A Worm Raises Fears Over New Trend

The rampaging Santy-A worm should be slowing down now that Google has taken its legs out from under it. But the worm, which shows off the first automated Google hacking, has security analysts bracing for a whole new

“Santy-A uses Google to find vulnerable Web applications or password files,” says Mike Murray, director of vulnerability and exposure research at nCircle Proactive Network Security, a vulnerability management company based in San Francisco. “It logs in to Google and does a search.”

And Murray says the Santy worm most likely will be only the first of its


“I think we will see Google hacking become more prevalent,” adds Murray. “Every search engine has the same problem. It’s not just Google. Their job is to present information in a useful way. This is what they do. Hackers are just going to take advantage of that. It’s an extension of the information gathering principle.”

Santy-A was first detected in the wild on Tuesday, Dec. 21.

Google has deactivated queries that the worm needs to propagate, according to John Bambenek, a handler with the SANS Institute’s Storm Center. In a posting on the Storm Center’s Web site, Bambenek adds, “This is only a temporary fix, I would imagine, as I’m sure other queries can be crafted and the same exploit code used to relaunch this worm. Time will tell.”

Murray notes that this kind of attack puts Google, and other search engines, in a difficult situation.

“This is a tough place for Google to be in,” he says. “They provide information and this exploits that fact. Google then has to figure out what information is bad and what information is good. That puts them in a tough spot. In the large scale scope of things, it will be very difficult for them to combat this going forward. How do they know the intent of

According to Sophos, Inc., an anti-virus and anti-spam company with a U.S. base in Lynnfield, Mass., the Santy-A worm exploits a vulnerability in a piece of software often used to provide discussion forums and bulletin boards on the web — phpBB. The worm uses the Google search engine to try and find vulnerable bulletin boards on the web.

The Santy worm, which is written in Perl, spreads to vulnerable phpBB bulletin boards on both Windows-based and Unix-based platforms. Once the worm has spread to three or more servers it will attempt to overwrite all HTM, PHP, ASP, SHTM, JSP and PHTM files with a Web page containing the following message: This site is defaced!!! NeverEverNoSanity WebWorm

“The good news is that this worm only affects Web servers, not users who visit any of these bulletin boards,” says Graham Cluley, senior technology consultant for Sophos, in a Web posting. “There have been serious security vulnerabilities found in the phpBB software in the past — and this incident underlines the importance of all people keeping up-to-date with the latest security patches and fixes.”

Cluley says Sophos analysts believe the Dec. 21 release of Santy-A was specifically designed to coincide with the Christmas holiday… and the fact that a lot of IT personnel will be off from work.

“Can it really be coincidence that a worm which attacks Web bulletin boards is released just as many companies and organizations which run such messageboards are shutting down for Christmas?” asks Cluley. “Many Webmasters will be going home early for the holidays. And it’s likely this worm will have a greater impact simply because the people who need to be at their desks to fix the problem, are relaxing in front of the

Sophos advises Webmasters who run the phpBB software to upgrade to the most recent version of the software as soon as possible. Version 2.0.11 of phpBB is believed not to be vulnerable to the worm’s method of attack.
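
A defender-side check for the defacement behaviour described above, as an added example that is not from the article or from Sophos: it sweeps a web root for the targeted file types containing the quoted marker text and also groups byte-identical files, which goes beyond the article so that a variant with a different message is still noticed. The function names, the prefix matching of extensions (so .html, .shtml and .phtml are covered) and the sample tree are assumptions constructed here.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Marker and extensions come from the article; prefix matching is an assumption.
MARKER = b"NeverEverNoSanity WebWorm".lower()
EXT_PREFIXES = (".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm")


def scan(web_root, min_cluster=3):
    """Return (marker_hits, clusters): files containing the marker, and groups
    of >= min_cluster byte-identical files (mass overwrite, message-agnostic)."""
    marker_hits, by_digest = [], defaultdict(list)
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if not os.path.splitext(name)[1].lower().startswith(EXT_PREFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip instead of aborting the sweep
            rel = os.path.relpath(path, web_root).replace(os.sep, "/")
            if MARKER in data.lower():
                marker_hits.append(rel)
            if data:
                by_digest[hashlib.sha256(data).hexdigest()].append(rel)
    clusters = sorted(sorted(g) for g in by_digest.values() if len(g) >= min_cluster)
    return sorted(marker_hits), clusters


def build_sample_tree():
    """Constructed sample: a small web root with three overwritten pages."""
    root = tempfile.mkdtemp(prefix="santy_demo_")
    page = b"<html>This site is defaced!!! NeverEverNoSanity WebWorm</html>"
    samples = {"index.html": page, "forum/viewtopic.php": page,
               "forum/login.PHP": page, "about.htm": b"<html>About us</html>",
               "notes.txt": page}  # .txt is not a targeted type, so it is ignored
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    print(scan(build_sample_tree()))
```

Identical-content clusters also occur legitimately (placeholder index pages, for instance), so treat them as leads to review against a known-good copy rather than as proof of compromise.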
