Google helped shut down a spreading computer worm this week by denying the malicious software’s use of its search engine, but the Santy.A worm still marks a troubling trend toward attack via Web sites and search technology, security experts warned.
Santy.A started spreading Tuesday and attempted to exploit a vulnerability in the phpBB bulletin board program, which is used by many Internet sites. The worm spread without any user interaction and was using Google’s search engine to find vulnerable sites.
Reports on the scope of the outbreak varied, but some estimates indicated nearly 40,000 sites had been compromised. While Google won praise for responding to the worm and shutting down Santy’s use of the popular search engine, experts cautioned that search engines have become both an appealing tool and a target for virus authors and other Internet ill-doers.
“There’s a multitude of ways a search engine has valuable information that can be used by attackers,” iDefense director of malicious code intelligence Ken Dunham told TechNewsWorld. “The other thing we have to realize is search engines are starting to be used against us as of 2004.”
Security firms signaled Santy.A was spreading rapidly on the Internet earlier in the week, indicating that the worm appeared to be leveraging a phpBB vulnerability reported November 29.
Dunham called the exploitation an unsettling reminder of how fast vulnerabilities are now exploited, adding that source code for the worm was available online and attackers were likely to use Google and other search engines for similar attacks going forward.
“The lifecycle for emerging threats is continually shrinking,” Dunham said. “Exploitation of new vulnerabilities is down to days and weeks, instead of months and years.”
Dunham said the Santy.A worm — which defaced compromised Web sites with a message: “This site is defaced!!! NeverEver NoSanity” — marked a trend toward search engines assisting in attacks.
“This year, we saw search engines were starting to be used by attackers to spread malicious code,” Dunham said. “They harvest e-mail addresses as well as find computers or servers that may use a certain component of software that may be vulnerable.”
Richard Stiennon, Webroot vice president of threat research, told TechNewsWorld that the increasing number of desktop search tools — now coming out from Google, Yahoo, MSN and others — may also be leveraged by attackers.
Commenting on a separate security issue in Google’s beta desktop search that was addressed earlier this week, Stiennon said he would not be surprised to see hackers try to secretly download search tools in attacking computer users.
Dunham said Google had done a good job responding to the Santy.A outbreak and, by blocking the worm’s ability to search for new victims, stifled its spread.
“Google played a significant role in helping to shut down the significant spread of the worm on the Internet,” Dunham said.
Echoing other security experts and advisories that urged up-to-date patching, Dunham said Internet site and server owners must also be cautious about disclosing information about the technology behind their sites.