Google smacks down Santy worm

Search engine company says it is blocking searches launched by worm

Web search engine company Google Inc. is blocking efforts by a new Internet worm to use its search engine to find vulnerable computers on the Internet, the company said.

Google is blocking searches launched by Santy.A, a new Internet worm that targets servers running phpBB, a popular electronic bulletin board software package, according to a statement from the company. Since Santy.A doesn't have any native ability to scan for vulnerable computers, Google's action halted the worm's spread, according to antivirus companies.

Santy.A targets servers running phpBB. Antivirus companies first detected the worm Tuesday, though it may have been spreading silently well before that, according to Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center (See story).

The worm used a vulnerability in phpBB, an open-source software product that is managed by the phpBB Group, to spread across the Internet, infecting computer servers that host online bulletin boards and defacing those sites with the words "This site is defaced!!! NeverEverNoSanity WebWorm."

A phpBB component called viewtopic.php allows malicious commands to be passed to and executed on servers that run a vulnerable version of the phpBB software. Secunia, a Copenhagen-based security company, first reported the vulnerability Nov. 19. An updated version of phpBB software that fixes the flaw was released on Nov. 18.

Estimates of the impact of the Santy worm vary widely. Searches conducted using a beta version of Microsoft Corp.'s MSN Search tool for the text used to deface sites returned more than 30,000 hits. However, identical searches using other engines, including the official MSN Search engine and those of Yahoo Inc. and Google, returned far fewer hits. The results ranged from 785 hits on MSN to 2,030 on Yahoo.

However, using searches for telltale signs of infection, such as defacement text, is an inexact way to determine the actual number of Santy infections, said Ullrich.

"Santy will only deface sites if it can overwrite files, and it may not always be able to do that based on the configuration of the Web server [running phpBB]," he said.

Also, an analysis of the Santy code revealed that the worm spread quietly for a while, infecting phpBB servers but not overwriting files and defacing the bulletin boards, Ullrich said.

The Santy worm featured some firsts. For example, it was the first worm to use a popular search engine as part of its means of propagating itself. However, the lessons to be learned from Santy's spread are already well established: Keep on top of software patches and "harden" the configuration of public-facing servers by preventing users from being able to take unnecessary actions, such as overwriting files, Ullrich said.

Copyright © 2004 IDG Communications, Inc.

9 steps to lock down corporate browsers
  
Shop Tech Products at Amazon