Web company Google is blocking efforts by the Santy worm to use its search engine as a means of identifying vulnerable computers to exploit.
As PC Advisor reported earlier this week, Santy targets computers that host online bulletin boards and use the popular open source phpBB software. The otherwise non-malicious worm makes its presence felt by defacing infected sites with the words ‘This site is defaced! NeverEverNoSanity WebWorm’.
Santy used Google to locate computers it could infect by searching for the term ‘viewtopic.php’. Google is now blocking the worm’s ability to garner results in this manner.
Estimates of the impact of the Santy worm vary widely. Searches on a beta version of Microsoft’s MSN Search feature for the text used to deface sites returned over 30,000 hits. However, identical searches on other engines, including the official MSN Search engine, Yahoo and Google search engines returned far fewer hits, ranging from 785 (MSN) to 2,030 (Yahoo).
However, using searches for telltale signs of infection, such as defacement text, is an inexact way to determine the actual number of Santy infections, says Johannes Ullrich of the Sans Institute’s Internet Storm Center.
“Santy will only deface sites if it can overwrite files and it may not always be able to do that based on the configuration of the web server [running phpBB],” he said.
The Santy worm is the first to use a popular search engine as part of its spreading mechanism.