Net worm using Google to spread

By Robert Lemos
Staff Writer, CNET News

7 comments

Related Stories: Patches slapped on serious PHP flaws
December 17, 2004; Google fixes security hole
October 20, 2004; Google queries provide stolen credit cards
August 3, 2004; Google a favorite among hackers, too
July 29, 2004

A Web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday.

The Santy worm uses a flaw in the widely used community forum software known as the PHP Bulletin Board (phpBB) to spread, according to updated analyses. The worm searches Google for sites using a vulnerable version of the software, antivirus firm Kaspersky said in a statement.

Almost 40,000 sites may have already been infected. Using Microsoft's Search engine to scan for the phrase "NeverEverNoSanity"--part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits.

"Santy.a is spreading rapidly," antivirus firm Kaspersky stated in a new release published Tuesday. "However, this does not directly affect users. Although the worm infects Web sites, it does not infect computers used to view those sites."

The worm sends Google a specific search request, essentially asking for a list of vulnerable sites. Armed with the list, the worm then attempts to spread to those sites using a PHP request designed to exploit the phpBB bulletin board software.

The worm is the latest twist on using Google as an attack tool, a practice known as Google hacking. It may also be the first time a program used Google to identify victims for an attack.

A search of Google for the phrase "Powered by phpBB"--an acknowledgment appended to the bottom of any site that uses the software--returned 6 million hits, an indication of the popularity of phpBB. The actual number of sites is likely much lower, since the acknowledgement is appended to multiple pages on a single bulletin board site.

"There are tons of these PHP bulletin board installs around," said Johannes Ullrich, chief technology officer of the Internet Storm Center, which tracks online threats. Initial analyses by the ISC had concluded that the flaw exploited by the worm occured in the software that interprets Web pages written scripting language PHP: Hypertext Preprocessor (PHP). That flaw was found last week.

Using Google to determine vulnerable sites is not an academic exercise. The worm does exactly that: Once Santy infects a Web site, it searches Google for other sites running phpBB and then attempts to infect those sites as well.

After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm.

Google did not immediately comment on the worm, but a spokesman did say that the company had seen the information and had started to study the issue.

The response, or lack thereof, frustrated some members of the antivirus community, who believed that the search giant could easily stop the worm by filtering out its search for victims.

"We know exactly which searches to stop," said Mikko Hypponen, research director of antivirus firm F-Secure. "It would be trivial to stop this thing."

Web sites using a vulnerable version of phpBB should upgrade, the phpBB Project site advises.

See more CNET content tagged:
worm, PHP, antivirus company, Google Inc., victim

Add a Comment (Log in or register) (7 Comments)

How is this Google's fault?

by December 21, 2004 11:00 PM PST

It doesn't pay to be the biggest, or the best.

Do we really want to insist that Google start censoring their service because it produces results that can be used for bad things?

Like this Reply to this comment

Googles Fault? phpBB's Fault? End-Users Fault !!
by December 28, 2004 9:17 AM PST: I would concur that this is not the fault of Google. Nor is this the fault of phpBB. Such hacked websites are the fault of those end-users of phpBB that have not upgraded their instance of phpBB. As one of the co-founders of phpBB I have simply lost count of the times I've told people running older versions of phpBB to "upgrade before you get hit!". Sadly it rarely does any good. If blame is to be put it rests solely on the individual administrators of phpBB users. Like a server that get's hacked because the server is improperly updated or configured, so this entire instant of Santy.a is the directly result of unresponsible owners of software. As MicroSoft continues to say "run windows update", so it should be clearly understood that all of us running software should continue to check for version updates. Be it Windows, *nix, OS Software, Server software, or the like.; Like this

How is this Google's fault?

by December 21, 2004 11:00 PM PST

It doesn't pay to be the biggest, or the best.

Do we really want to insist that Google start censoring their service because it produces results that can be used for bad things?

Like this Reply to this comment

Googles Fault? phpBB's Fault? End-Users Fault !!
by December 28, 2004 9:17 AM PST: I would concur that this is not the fault of Google. Nor is this the fault of phpBB. Such hacked websites are the fault of those end-users of phpBB that have not upgraded their instance of phpBB. As one of the co-founders of phpBB I have simply lost count of the times I've told people running older versions of phpBB to "upgrade before you get hit!". Sadly it rarely does any good. If blame is to be put it rests solely on the individual administrators of phpBB users. Like a server that get's hacked because the server is improperly updated or configured, so this entire instant of Santy.a is the directly result of unresponsible owners of software. As MicroSoft continues to say "run windows update", so it should be clearly understood that all of us running software should continue to check for version updates. Be it Windows, *nix, OS Software, Server software, or the like.; Like this

hmm... not the first time
by December 22, 2004 11:21 PM PST: i have seen google used before for nefarious (i butchered the spelling. ;p) purposes, such as at http://johnny.ihackstuff.com/. There is even a book now out about how to use google to hack. In my oppinion this is no fault of googles, and they have in the past been quick to fix these "google hacks." Im sure it is being worked on...; Like this Reply to this comment

hmm... not the first time
by December 22, 2004 11:21 PM PST: i have seen google used before for nefarious (i butchered the spelling. ;p) purposes, such as at http://johnny.ihackstuff.com/. There is even a book now out about how to use google to hack. In my oppinion this is no fault of googles, and they have in the past been quick to fix these "google hacks." Im sure it is being worked on...; Like this Reply to this comment


by tomawebdev September 2, 2008 11:51 AM PDT: Spread Google Chrome,the new google browser, help to spread the word, join our community and invite your friends please
http://www.spreadgooglechrome.com; Like this Reply to this comment

(7 Comments)

Latest tech news headlines

Is Ohai is the next big thing in social games?
Posted in Software, Interrupted by Dave Rosenberg

November 15, 2009 9:55 PM PST
IBM launches private business analytics cloud
Posted in News - Business Tech by Larry Dignan

November 15, 2009 9:35 PM PST
Jaguar supercomputer races past Roadrunner in Top500
Posted in Circuit Breaker by Erica Ogg

November 15, 2009 9:00 PM PST
See all headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets: Market news, charts, SEC filings, and more; Related quotes; Google (0.00%) 0.00 572.05; Dow Jones Industrials (0.00%) 0.00 10,270.47; S&P 500 (0.00%) 0.00 1,093.48; NASDAQ (0.00%) 0.00 2,167.88; CNET TECH (0.00%) 0.00 1,587.17

Inside CNET News

Scroll Left Scroll Right

Business Tech
IBM launches private business analytics cloud
Blue Insight--Big Blue's massive business analytics cloud--is will hold more than a petabyte of data.
Gallery
Photos: Random Hack of Kindness
Technically Incorrect
Gates: Apple is 'a force in doing good things'
During a CNBC special in which he appeared with Warren Buffett, Microsoft's Bill Gates is effusive in his praise for Steve Jobs and Apple.
Microsoft
Hackers bypass Windows 7 activation
Coders have found a way to disable the normal activation requirements of Microsoft's latest operating system, although Redmond says it is working to shore up its antipiracy protections.
Video
Exploratorium's shocking 40th anniversary kicks off
Software, Interrupted
Managing your mobile data sync
As users become more comfortable with cloud services, they need to be aware of who they are trusting with their data.
Video
A new workout for the Wii
The Social
Running a contest on Facebook? That'll cost you
The social network tightened its rules for companies running contests on its platform last week, and sources say those companies will be required to buy ad space too.
InSecurity Complex
Hackers create tools for disaster relief
At the first-ever Random Hacks of Kindness event, developers work on technology tools that emergency relief workers can use in disasters.
Gallery
Photos: Top-rated reviews of the week
The Cheapskate
Killer deals on BlackBerry, Droid, and Palm Pixi
Make $100 on a BlackBerry, score a Motorola Droid for $120, or scoop up a pixie-cute Palm Pixi for 25 bucks. As always, however, plan on a two-year stint with the carrier.
Green Tech
Nissan says all-electric Leaf will compete on price
Kicking off a marketing tour for the all-electric vehicle, CEO says price will be "key to the mass market" but that it's too early to say what that price will be.