Update on Santy
Santy Worm Moves On
December 29, 2004
By Tim Gray
Less than a week after Google squashed the Santy.A worm, variants of the virus are reportedly spreading through other online search engines, including America Online and Yahoo, according to several security firms.
While the early version spread rapidly by exploiting flaws in the popular phpBB discussion forum software, the latest variant is spreading in the wild by attacking Web sites that use the PHP scripting language, according to Ken Dunham, director of malicious code at Virginia-based security firm iDefense.
"There are several different threat scenarios," he said, adding that several variants, including Santy.B through Santy.E, have evolved since last week.
Dunham said the virus did not appear to be too widespread and expected the outbreak to remain relatively controlled.
However, several security firms have reported Web sites being infected and servers being compromised or slowed due to the virus.
Santy.A was discovered by Helsinki, Finland-based F-Secure last Tuesday, menacing tens of thousands of Web sites that used the popular program to create Internet forums. It raced through the wild and, in a few hours, disabled and defaced nearly 40,000 sites, leaving the message: "This site is defaced!!! NeverEverNoSanity."
As reported earlier on internetnews.com, the worm spread on its own and did not require user interaction. Instead, it searched for vulnerable forum sites through Google and used a remote exploit to gain access to them. Once it located a site, it defaced it and restarted the random scanning process for more hosts.
But Santy.A was halted after Google began blocking infected sites, slowing down the spread of the virus. Now the virus is using Yahoo and AOL search engines to avoid being blocked by Google.
AOL, which uses Google's search engine technology, is still investigating the possibility that it may need to take additional steps to prevent the virus from infecting Web sites through its search, according to Andrew Weinstein, a company spokesman.
It was unclear whether the initial response by Google was sufficient to protect AOL searches from the virus. A Yahoo spokesperson was unavailable for comment.
The recent spike of viruses spreading through search engines, including the MyDoom worm early this year, is a trend likely to continue as more and more search engines find themselves in the crosshairs of virus writers, said Dunham of iDefense.
"Search engines should plan on having programs abused in 2005," he said.
Although Google was initially criticized for a sluggish response to the Santy threat, Dunham says the company acted in time to stop the continued spread of the worm.
Story courtesy of InternetNews.