Santy-A's march should slow to a crawl now that Google has deactivated queries essential to its ability to spread. But the worm has already infected about 40,000 Web sites, security experts say.
"Google has deactivated queries essential to Santy's propagation, which should lead to its dying off (or by this point gone-ness)," John Bambenek, a handler for the Bethesda, Md.-based SANS Internet Storm Center, said in a posting on the center's Web site Wednesday morning. But, he warned, "This is only a temporary fix, I would imagine, as I'm sure other queries can be crafted and the same exploit code used to re-launch this worm. Time will tell."
Google took action late Tuesday at the urging of antivirus firms. Earlier in the day, the worm played havoc with certain Web sites by exploiting a security hole in PHPbb, a popular program used to create Internet forums.
Russia-based Kaspersky Lab was among the first to report sightings of Santy-A, labeling it a severe risk. The firm said Santy-A had spread in "epidemic" proportions. "However, this does not directly affect end users," the firm said in a statement. "Although the worm infects Web sites, it does not infect computers used to view these sites."
Kaspersky added, "Santy-A is something of a novelty. It creates a specially formulated Google search request, which results in a list of sites running vulnerable versions of PHPbb. It then sends a request containing a procedure which will trigger the vulnerability to these sites. Once the attacked server processes the request, the worm will penetrate the site, gaining control over the resource. It then repeats this routine."
Once the worm has taken control of a site, it scans all of its directories. All files with the extensions .htm, .php, .asp, .shtm, .jsp and .phtm are overwritten with the text "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation."
Kaspersky said the worm carries no payload beyond defacing infected sites with this text. It will not infect machines used to view compromised sites. The firm recommends PHPbb users upgrade to version 2.0.11 to keep their sites from being defaced.
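The defacement behavior described above gives an administrator a concrete way to triage a forum host after the fact. The following Python script is an added example written for this article; it is not code from Kaspersky, F-Secure, Sophos or the phpBB project. It walks a web root, looks only at files with the six extensions the article lists, and reports those whose contents carry the "NeverEverNoSanity WebWorm generation" marker, so they can be restored from a clean backup. The sample directory it builds is constructed for the demonstration and does not come from any real incident.

```python
import os
import tempfile
from pathlib import Path

# File extensions the article reports the worm overwriting.
TARGET_EXTENSIONS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}

# Text the worm wrote over each file, as quoted in the article.
DEFACEMENT_TEXT = ("This site is defaced!!! This site is defaced!!! "
                   "NeverEverNoSanity WebWorm generation")
DEFACEMENT_MARKER = b"NeverEverNoSanity WebWorm generation"


def is_defaced(path: Path) -> bool:
    """True if the file's leading bytes contain the defacement marker.

    Only the first 4 KiB are read: an overwritten file is tiny, and
    this keeps the scan cheap on large uploads or binaries.
    """
    try:
        with path.open("rb") as fh:
            head = fh.read(4096)
    except OSError:
        # Unreadable files are reported as clean; a real triage run
        # would log them separately for manual inspection.
        return False
    return DEFACEMENT_MARKER in head


def find_defaced(root) -> list:
    """Return sorted, root-relative POSIX paths of defaced files.

    Files are considered only if their extension is one the worm is
    reported to overwrite; everything else is left untouched.
    """
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTENSIONS and is_defaced(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed sample web root and return its path.

    Two forum pages are overwritten the way the article describes; a
    stylesheet, an untouched HTML page and a small binary are left
    intact so the scanner has both positives and negatives to sort.
    """
    root = Path(tempfile.mkdtemp(prefix="santy_triage_demo_"))
    samples = {
        "index.php": DEFACEMENT_TEXT.encode(),
        "forum/viewtopic.php": DEFACEMENT_TEXT.encode(),
        "forum/style.css": b"body { color: #000; }",
        "about.htm": b"<html><body>About us</body></html>",
        "images/logo.gif": b"GIF89a" + bytes(range(64)),
    }
    for rel, content in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return str(root)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for hit in find_defaced(demo_root):
        print("defaced:", hit)
```

Run against a real web root, the script prints one line per defaced page; pairing that list with a known-good backup (or the site's version-control checkout) gives the restore list. The extension filter mirrors what the article reports, so a file the worm would not have touched is deliberately ignored even if it happened to contain the marker.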
Finnish security firm F-Secure Corp. and Lynnfield, Mass.-based Sophos also confirmed sightings of Santy-A.
"It's out there. It's spreading. It seems to be pretty bad," Mikko Hypponen, F-Secure's director of AV research, said in an e-mail. "It's a Perl worm searching [for] vulnerable forum sites via Google. When hit, the site gets defaced and restarts Google scanning."
"I know that security holes have been found in PHPbb's software in the past, so it is important that people keep up to date with their security patches and latest revisions," Graham Cluley, senior technology consultant for antivirus firm Sophos, said in an e-mail.
Reston, Va.-based iDefense reiterated that advice. Ken Dunham, the company's director of malicious code, said the worm may be exploiting a recent SQL injection vulnerability for PHPbb 2.0.10 reported Nov. 29. "If that is the case, this worm was rapidly authored and deployed, just a few weeks following the vulnerability announcement," he said in a statement.