Variants of the Santy worm have started to appear that use Google — which is credited with moving quickly to thwart the original attack — and other search engines to spread, and then infect and deface Web bulletin boards.
The original Santy appeared just before Christmas and was meant to use Google to spread itself. The search engine blocked the worm from being able to use Google’s index of bulletin board sites to find those that were vulnerable to infection.
In the days since, variants that use Google as well as AOL’s and Yahoo’s search tools have been discovered in the wild. AOL still uses Google for search results; Yahoo has its own search engine.
Bulletin Boards Targeted
Like the original, the variants target Web bulletin boards designed with the open-source PHP scripting language. However, the Santy.C and Santy.E variants target different parts of the PHP code, using any programming flaws to gain entry rather than a single security flaw.
In addition to having their pages defaced with the worm’s own wording — “This site is defaced!!! NeverEver NoSanity” — the sites suffer server slowdown, and those servers could be vulnerable to information theft.
Most security experts are warning that those pages might have to be individually recoded in order to protect against the Santy worm.
Sophos antivirus senior technology consultant Graham Cluley said the good news about the Santy variants is that to date they do not attack individual users’ computers. However, the spreading attack also emphasizes the importance of addressing known security vulnerabilities and problems in coding. Cluley estimates that millions of Web sites use PHP software.
“There have been serious security vulnerabilities found in the PHP software in the past — and this incident underlines the importance of all people keeping up-to-date with the latest security patches and fixes,” he added.
The makers of PHP released the most recent version of the software earlier this year and issued a reminder on its Web site in early December urging users to use the latest version, which is not susceptible to the first Santy worm.
Variation on a Theme
PHP is widely used to create dynamic Web pages, such as those updated constantly with new postings from users. The software is favored because it can be embedded in HTML.
Security firms were quick to respond with tools for addressing the new Santy threat. CheckPoint security said its firewalls and other network detection tools were updated on December 21 to address the Santy threat.
In addition to being vulnerable to defacement, sites that are infected with the Santy worm might be at risk for having information stolen from the servers that run them, several security companies warned.
Santy was not the first malicious code to attempt to spread using Google. In June, MyDoom-O caused a slowdown on the Google search site after it tried to use it to spread itself.
In fact, the Santy worm and the almost instant rash of variants might be an indicator that search engines are becoming favorite targets of virus writers, according to Ken Dunham, director of malicious code intelligence at iDefense.
“Code writers have recognized the value of search engines as a hub in terms of reaching the rest of the Web,” Dunham said. “It’s something that bears watching as we head into the new year.”
Cluley said the worm’s release at the holidays was likely a planned occurrence, one meant to take advantage of lowered guard and reduced resources.
“Can it really be coincidence that a worm which attacks Web bulletin boards is released just as many companies and organizations who run such message boards are shutting down for Christmas?” Cluley asked. “It’s likely this worm will have a greater impact simply because the people who need to be at their desks to fix the problem are relaxing in front of the fire.”
Virus and worm authors have long used the holidays to launch attacks, with varying levels of success. In fact, the 2004 holiday season brought the Windows-targeted mass mailing Zafi worm as well as Santy.