December 21, 2004 11:01 AM PST

Net worm using Google to spread

A Web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday.

The Santy worm uses a flaw in the widely used community forum software known as the PHP Bulletin Board (phpBB) to spread, according to updated analyses. The worm searches Google for sites using a vulnerable version of the software, antivirus firm Kaspersky said in a statement.

Almost 40,000 sites may have already been infected. Using Microsoft's Search engine to scan for the phrase "NeverEverNoSanity"--part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits.


"Santy.a is spreading rapidly," antivirus firm Kaspersky stated in a new release published Tuesday. "However, this does not directly affect users. Although the worm infects Web sites, it does not infect computers used to view those sites."

The worm sends Google a specific search request, essentially asking for a list of vulnerable sites. Armed with the list, the worm then attempts to spread to those sites using a PHP request designed to exploit the phpBB bulletin board software.

The worm is the latest twist on using Google as an attack tool, a practice known as Google hacking. It may also be the first time a program used Google to identify victims for an attack.

A search of Google for the phrase "Powered by phpBB"--an acknowledgment appended to the bottom of any site that uses the software--returned 6 million hits, an indication of the popularity of phpBB. The actual number of sites is likely much lower, since the acknowledgement is appended to multiple pages on a single bulletin board site.

"There are tons of these PHP bulletin board installs around," said Johannes Ullrich, chief technology officer of the Internet Storm Center, which tracks online threats. Initial analyses by the ISC had concluded that the flaw exploited by the worm occurred in the software that interprets Web pages written in the scripting language PHP: Hypertext Preprocessor (PHP). That flaw was found last week.

Using Google to determine vulnerable sites is not an academic exercise. The worm does exactly that: Once Santy infects a Web site, it searches Google for other sites running phpBB and then attempts to infect those sites as well.

After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm.
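The defacement text quoted above gives site operators a simple indicator to sweep for. The following is an added example, not part of the original article or of Kaspersky's analysis: it walks a web root, looks for the quoted marker in the file types listed, and reports the generation number. The extension mapping, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumed extension mapping for the file types the article lists
# (HTML, PHP, ASP, JSP, "secure HTML"); adjust for your server.
TARGET_EXTS = {".htm", ".html", ".php", ".asp", ".jsp", ".shtm", ".shtml"}
# Defacement text quoted in the article; the trailing number is the generation.
MARKER = re.compile(rb"NeverEverNoSanity WebWorm generation\s+(\d+)")


def scan_webroot(root, max_bytes=4096):
    """Return {relative_path: generation} for files carrying the marker."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)  # replaced files hold only the short message
            except OSError:
                continue  # unreadable file: skip it, keep sweeping
            match = MARKER.search(head)
            if match:
                hits[os.path.relpath(path, root)] = int(match.group(1))
    return hits


def build_sample_webroot(root):
    """Write constructed sample files (not real victim data) under root."""
    text = "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation {}"
    samples = {
        "index.html": text.format(3),
        os.path.join("forum", "index.php"): text.format(24),
        os.path.join("forum", "faq.php"): "<?php echo 'clean page'; ?>",
        "notes.txt": text.format(7),  # extension outside the listed types
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="ascii") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as webroot:
        build_sample_webroot(webroot)
        for rel, gen in sorted(scan_webroot(webroot).items()):
            print(f"DEFACED generation={gen} {rel}")
```

A hit means the file's original content is gone, so recovery is a restore from backup followed by the phpBB upgrade.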

Google did not immediately comment on the worm, but a spokesman did say that the company had seen the information and had started to study the issue.

The response, or lack thereof, frustrated some members of the antivirus community, who believed that the search giant could easily stop the worm by filtering out its search for victims.

"We know exactly which searches to stop," said Mikko Hypponen, research director of antivirus firm F-Secure. "It would be trivial to stop this thing."

Web sites using a vulnerable version of phpBB should upgrade, the phpBB Project site advises.

9 comments

How is this Google's fault?
It doesn't pay to be the biggest, or the best.

Do we really want to insist that Google start censoring their service because it produces results that can be used for bad things?
Posted by JonathanMurray01 (5 comments )
Googles Fault? phpBB's Fault? End-Users Fault !!
I would concur that this is not the fault of Google. Nor is this the fault of phpBB. Such hacked websites are the fault of those end-users of phpBB that have not upgraded their instance of phpBB. As one of the co-founders of phpBB I have simply lost count of the times I've told people running older versions of phpBB to "upgrade before you get hit!". Sadly it rarely does any good. If blame is to be put it rests solely on the individual administrators of phpBB users. Like a server that gets hacked because the server is improperly updated or configured, so this entire instance of Santy.a is the direct result of irresponsible owners of software. As Microsoft continues to say "run windows update", so it should be clearly understood that all of us running software should continue to check for version updates. Be it Windows, *nix, OS Software, Server software, or the like.
Posted by (2 comments )
hmm... not the first time
i have seen google used before for nefarious (i butchered the spelling. ;p) purposes, such as at http://johnny.ihackstuff.com/. There is even a book now out about how to use google to hack. In my opinion this is no fault of Google's, and they have in the past been quick to fix these "google hacks." I'm sure it is being worked on...
Posted by (15 comments )
really? i wasn't aware of it... and what if i use an internet security suite? will that help me stay protected from these online threats? i'm using KAV 7 (http://www.trustdownload.com/Antivirus-and-Spyware-Cleaners/Antivirus/Kaspersky-Internet-Security-7.0.html)...
Posted by corrine7789 (2 comments )
really? i wasn't aware of it... and what if i use an internet security suite? will that help me stay protected from these online threats? i'm using KIS 7 downloaded from here: http://www.trustdownload.com/Antivirus-and-Spyware-Cleaners/Antivirus/Kaspersky-Internet-Security-7.0.html
Posted by corrine7789 (2 comments )