http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci10371 08,00.html
New Santy variants spread via search engines
By Bill Brenner, News Writer
26 Dec 2004 | SearchSecurity.com

Two new Santy variants are using the AOL, Yahoo and Google search engines to find new targets to infect, Symantec Security Response warned in two weekend advisories. The antivirus firm has raised its ThreatCon to Level 2 in response to the worms.

Perl.Santy-B attempts to spread to Web servers running versions of PHPbb 2.x bulletin board software prior to version 2.0.11, which is vulnerable to the PHPbb remote URLDecode input validation vulnerability. It uses AOL or Yahoo to find potential targets. Perl.Santy-C attempts to spread the same way, but uses Google to find potential targets.

The Bethesda, Md.-based SANS Internet Storm Center also issued a warning on its Web site. The message, posted Sunday, said: "We are putting this up early because we have been receiving several reports on a possible Santy variant worm. It is, however, quite different from the original Santy worm. It tries to pull several scripts from an affected forum (running PHPbb). The forum could have been compromised and used as a base to attack others."

The original Santy worm played havoc with certain Web sites last week by exploiting the security hole in PHPbb, a popular program used to create Internet forums. Russian-based Kaspersky Lab was among the first to report sightings of Santy-A, saying it had spread in "epidemic" proportions. "However, this does not directly affect end users," the firm said in a statement. "Although the worm infects Web sites, it does not infect computers used to view these sites."

Kaspersky added, "Santy-A is something of a novelty. It creates a specially formulated Google search request, which results in a list of sites running vulnerable versions of PHPbb. It then sends a request containing a procedure which will trigger the vulnerability to these sites.
Once the attacked server processes the request, the worm will penetrate the site, gaining control over the resource. It then repeats this routine."

Once the worm dominates a site, it scans all the directories. All files with the extensions .htm, .php, .asp, .shtm, .jsp and .phtm are overwritten with the text "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation."

Google stopped Santy-A by deactivating queries essential to its ability to spread, but not before the worm was able to infect about 40,000 Web sites.
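As an added example (not code from the article or from any vendor advisory), the following Python script checks a web document root for the defacement described above: it walks the directory tree, looks only at the listed file extensions, and reports every file whose content carries the worm's defacement text. The document root and the sample files it creates under a temporary directory are constructed here for demonstration and are not from the page.

```python
import os
import tempfile
from pathlib import Path

# Defacement text quoted in the article; the worm overwrites the whole file with it.
DEFACEMENT_MARKER = ("This site is defaced!!! This site is defaced!!! "
                     "NeverEverNoSanity WebWorm generation.")
# File extensions the article says the worm overwrites.
TARGET_EXTENSIONS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}


def is_defaced(path: Path) -> bool:
    """Return True if the file carries the Santy defacement text.

    Only the first 4 KiB is read: an overwritten file consists of the
    marker alone, so a hit is always near the start of the file.
    """
    try:
        with path.open("rb") as fh:
            head = fh.read(4096)
    except OSError:
        return False  # unreadable file: report nothing rather than crash the sweep
    return DEFACEMENT_MARKER.encode() in head


def find_defaced(webroot) -> list:
    """Walk a document root and return sorted POSIX-style relative paths of defaced files."""
    root = Path(webroot)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            candidate = Path(dirpath) / name
            if candidate.suffix.lower() in TARGET_EXTENSIONS and is_defaced(candidate):
                hits.append(candidate.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed fixture: a small document root with two overwritten files and two intact ones."""
    root = tempfile.mkdtemp(prefix="santy_demo_")
    samples = {
        "index.php": DEFACEMENT_MARKER,                     # overwritten
        "forum/viewtopic.php": DEFACEMENT_MARKER,           # overwritten, nested directory
        "about.htm": "<html><body>Welcome to our forum</body></html>",  # intact
        "notes.txt": DEFACEMENT_MARKER,                     # marker present but extension not targeted
    }
    for rel, content in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    for rel in find_defaced(build_sample_tree()):
        print("defaced:", rel)
```

Restoring the listed files from a known-good backup and patching the forum software are the remediation steps; the scan only tells you which files the worm overwrote.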