The rampaging Santy-A worm should be slowing down now that Google has
taken its legs out from under it. But the worm, which shows off the first
automated Google hacking, has security analysts bracing for a whole new
trend.
“Santy-A uses Google to find vulnerable Web applications or password
files,” says Mike Murray, director of vulnerability and exposure
research at nCircle Proactive Network Security, a vulnerability
management company based in San Francisco. “It logs in to Google and
does a search.”
And Murray says the Santy worm most likely will be only the first of its
kind.
“I think we will see Google hacking become more prevalent,” adds
Murray. “Every search engine has the same problem. It’s not just Google.
Their job is to present information in a useful way. This is what they
do. Hackers are just going to take advantage of that. It’s an extension
of the information gathering principle.”
Santy-A was first detected in the wild on Tuesday, Dec. 21.
Google has deactivated queries that the worm needs to propagate,
according to John Bambenek, a handler with the SANS Institute’s Storm
Center. In a posting on the Storm Center’s Web site, Bambenek adds,
“This is only a temporary fix, I would imagine, as I’m sure other
queries can be crafted and the same exploit code used to relaunch this
worm. Time will tell.”
Murray notes that this kind of attack puts Google, and other search
engines, in a difficult situation.
“This is a tough place for Google to be in,” he says. “They provide
information and this exploits that fact. Google then has to figure out
what information is bad and what information is good. That puts them in a
tough spot. In the large scale scope of things, it will be very difficult
for them to combat this going forward. How do they know the intent of
searches?”
According to Sophos, Inc., an anti-virus and anti-spam company with a
U.S. base in Lynnfield, Mass., the Santy-A worm exploits a vulnerability
in a piece of software often used to provide discussion forums and
bulletin boards on the web — phpBB. The worm uses the Google search
engine to try and find vulnerable bulletin boards on the web.
The Santy worm, which is written in Perl, spreads to vulnerable phpBB
bulletin boards on both Windows-based and Unix-based platforms. Once the
worm has spread to three or more servers it will attempt to overwrite all
HTM, PHP, ASP, SHTM, JSP and PHTM files with a Web page containing the
following message: “This site is defaced!!! NeverEverNoSanity WebWorm
generation.”
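The defacement payload described above gives a webmaster something concrete to look for after the fact. The following is an added example, not code from the article or from Sophos or phpBB: a small Python scanner that walks a web root and reports files with the extensions the article lists whose content contains the quoted defacement text. The directory layout and file names it builds for demonstration are constructed sample data, and the 64 KiB read limit is an assumption chosen because the payload is a small page.

```python
"""Added example (not from the article): find files a Santy-style
defacement has overwritten, keyed on the defacement text the article quotes
and limited to the file extensions the article says the worm targets."""
import os
import tempfile
from pathlib import Path

# Defacement text quoted in the article.
DEFACEMENT_MARKER = "This site is defaced!!! NeverEverNoSanity WebWorm generation."

# Extensions the article says the worm overwrites (compared case-insensitively).
TARGET_SUFFIXES = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}


def is_defaced(path: Path) -> bool:
    """Return True if the file's leading content contains the defacement marker.

    Assumption: the payload is a small page, so reading the first 64 KiB is
    enough; unreadable files are reported as not defaced rather than raising."""
    try:
        with path.open("rb") as fh:
            data = fh.read(64 * 1024)
    except OSError:
        return False
    return DEFACEMENT_MARKER.encode() in data


def scan_webroot(root: Path) -> list[Path]:
    """Walk `root` and return sorted paths of target-extension files that
    contain the marker. Files with other extensions are ignored, since the
    article only describes those extensions being overwritten."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_SUFFIXES and is_defaced(p):
                hits.append(p)
    return sorted(hits)


def build_sample_webroot() -> Path:
    """Constructed sample tree (not real data) to exercise the scanner:
    two overwritten forum pages (one with an upper-case extension), one
    untouched page and one non-target file that happens to hold the text."""
    root = Path(tempfile.mkdtemp(prefix="santy_demo_"))
    (root / "forum").mkdir()
    (root / "forum" / "index.php").write_text("<html>" + DEFACEMENT_MARKER + "</html>")
    (root / "forum" / "viewforum.PHP").write_text(DEFACEMENT_MARKER)
    (root / "index.htm").write_text("<html><body>Welcome</body></html>")
    (root / "notes.txt").write_text(DEFACEMENT_MARKER)  # wrong extension: not reported
    return root


def main():
    root = build_sample_webroot()
    for hit in scan_webroot(root):
        print(hit.relative_to(root).as_posix())


if __name__ == "__main__":
    main()
```

Run against a real document root, the scan only confirms damage that has already happened and only for this variant's exact text; it is a triage aid for restoring from backup, not a substitute for the upgrade the article recommends.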
“The good news is that this worm only affects Web servers, not users who
visit any of these bulletin boards,” says Graham Cluley, senior
technology consultant for Sophos, in a Web posting. “There have been
serious security vulnerabilities found in the phpBB software in the past
— and this incident underlines the importance of all people keeping
up-to-date with the latest security patches and fixes.”
Cluley says Sophos analysts believe the Dec. 21 release of Santy-A was
specifically designed to coincide with the Christmas holiday… and the
fact that a lot of IT personnel will be off from work.
“Can it really be coincidence that a worm which attacks Web bulletin
boards is released just as many companies and organizations which run
such messageboards are shutting down for Christmas?” asks Cluley. “Many
Webmasters will be going home early for the holidays. And it’s likely
this worm will have a greater impact simply because the people who need
to be at their desks to fix the problem, are relaxing in front of the
fire.”
Sophos advises Webmasters who run the phpBB software to upgrade to the
most recent version of the software as soon as possible. Version 2.0.11
of phpBB is believed not to be vulnerable to the worm’s method of attack.