
Google unwittingly helping Santy worm spread

Bulletin board users may find sites defaced

A new worm that uses the Google search engine to locate victims has been unearthed. Its existence first came to light at the beginning of the week.

The worm, known as Santy.A, takes advantage of a critical software vulnerability in the free phpBB open source software widely used to create and maintain online bulletin boards. It appears the worm may use a vulnerability in the PHP scripting language that was recently patched, according to Alexey Zernov of antivirus company Kaspersky Labs.

Individual users aren’t at risk. Instead, it targets computer servers that host online bulletin boards and defaces their sites. Santy uses Google to find web addresses that use a special string, viewtopic.php, common to bulletin boards using the phpBB software.

PhpBB and other common software packages are written using PHP.

Once Santy infects servers running the phpBB software, it scans directories on the infected site and overwrites files with the extensions HTM, PHP, ASP, SHTM, JSP and PHTM with the text ‘This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation’.

The worm also launches a search on the Google search engine for URLs (uniform resource locators) that use a special string, viewtopic.php, which is common to bulletin boards written using the phpBB software, F-Secure spokesman Mikko Hyppönen said.

The worm’s reliance on Google could be its downfall, however. If the search engine company can block the search text used by Santy.A, it would stop the worm from spreading, Hyppönen said.

Santy.A is not believed to deposit Trojan horse programs or other malicious code on the systems it infects. However, Hyppönen believes it could act as a road map for malicious hackers who are looking for vulnerable computers to exploit.

Both F-Secure and Kaspersky Labs have posted updated antivirus definitions that can spot the Santy.A worm and advise customers to update their antivirus software as soon as possible.
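The overwrite behaviour described above also gives server administrators a file-level check to run alongside updated antivirus definitions. The Python sketch below is an added example, not code from the article or from either vendor; it looks only for the file extensions and defacement text quoted above, and the sample web root built in demo() is constructed.

```python
import os
import tempfile

# Extensions and overwrite text as quoted in the article.
TARGET_EXTENSIONS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}
DEFACED = b"This site is defaced!!!"
MARKER = b"NeverEverNoSanity WebWorm generation"


def is_overwritten(path, head_bytes=4096):
    """True if the start of the file holds both the defacement text and marker."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(head_bytes)
    except OSError:
        return False  # unreadable file: skip it rather than guess
    return DEFACED in head and MARKER in head


def find_defaced(web_root):
    """Return sorted paths (relative to web_root) of overwritten files."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            # Compare extensions case-insensitively (index.HTM, page.Php, ...).
            if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            if is_overwritten(full):
                hits.append(os.path.relpath(full, web_root))
    return sorted(hits)


def demo():
    """Run the scan over a constructed sample web root (not real data)."""
    text = DEFACED + b" " + DEFACED + b" " + MARKER
    samples = {
        "index.HTM": text,                                # overwritten page
        "forum/viewtopic.php": b"<?php /* intact */ ?>",  # clean script
        "forum/faq.php": text,                            # overwritten script
        "notes.txt": text,                                # extension not targeted
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return find_defaced(root)
```

Files it reports have already been overwritten and need restoring from a clean backup.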
