Google Nukes Santy Worm, But Threat Remains

The search engine has blocked search queries that were being used to spread the worm, but new information suggests more variants are on the way.

A decision by Google Inc. to block certain search queries has helped thwart the spread of the Santy worm, but the public release of the worms source code could lead to new attacks, security experts warned on Wednesday.

Google began filtering the worms queries late Tuesday night, effectively stopping the Santy propagation on vulnerable Web forums running the freely distributed phpBB software.

However, according to an advisory from Kaspersky Lab, the Google filtering is not enough to solve the problem. "The author can always release new versions that use other search engines—MSN or Yahoo, for instance," the anti-virus research firm said in the advisory.

The fact that the Santy source code has been published on certain sites and security-related mailing lists is also cause for concern, according to Roel Schouwenberg, senior research engineer at Kaspersky Lab.

"This opens the door for new variants to arise. However, I doubt that new variants will be very effective, unless search engines just keep on spitting out new, unpatched sites," Schouwenberg said.

Anti-virus vendor F-Secure confirmed the Google filtering was successful and said the search engine had started showing the defaced Web sites in its index.

The worm, known as Net-Worm.Perl.Santy.A, or Santy, was programmed to use Google search to randomly find sites running vulnerable version of phpBB and overwrite several different files to deface the forums.

By targeting phpBB, the defacements cause a major nightmare for some businesses that use the forum software to handle customer service queries and other support issues.

On the phpBB support forum, administrators urged users to upgrade to the newest available release of the software.

"Fixed versions of PHP do exist and as above we encourage you to ensure your system is running such a version. Equally please examine any hacking issues you have carefully to ensure they are not caused by this PHP problem (rather than phpBB). Remember, this is not a phpBB exploit or problem, its a PHP issue and thus can affect any PHP script which uses the noted functions," administrators said in a forum posting.


Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.