Two new Santy variants are using the AOL, Yahoo and Google search engines to find new targets to infect, Symantec Security Response warned in two weekend advisories. The antivirus firm has raised its ThreatCon to Level 2 in response to the worms.
Perl.Santy-B attempts to spread to Web servers running PHPbb 2.x bulletin board software older than version 2.0.11; those releases are vulnerable to the PHPbb remote URLDecode input validation vulnerability. It uses AOL or Yahoo to find potential targets. Perl.Santy-C attempts to spread the same way, but uses Google to find potential targets.
The Bethesda, Md.-based SANS Internet Storm Center also issued a warning on its Web site. The message, posted Sunday, said: "We are putting this up early because we have been receiving several reports on a possible Santy variant worm. It is, however, quite different from the original Santy worm. It tries to pull several scripts from an affected forum (running PHPbb). The forum could have been compromised and used as a base to attack others."
The original Santy worm played havoc with certain Web sites last week by exploiting the security hole in PHPbb, a popular program used to create Internet forums. Russian-based Kaspersky Lab was among the first to report sightings of Santy-A, saying it had spread in "epidemic" proportions. "However, this does not directly affect end users," the firm said in a statement. "Although the worm infects Web sites, it does not infect computers used to view these sites."
Kaspersky added, "Santy-A is something of a novelty. It creates a specially formulated Google search request, which results in a list of sites running vulnerable versions of PHPbb. It then sends a request containing a procedure which will trigger the vulnerability to these sites. Once the attacked server processes the request, the worm will penetrate the site, gaining control over the resource. It then repeats this routine." Once the worm has taken control of a site, it scans all of its directories. All files with the extensions .htm, .php, .asp, .shtm, .jsp and .phtm are overwritten with the text "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation."
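As an added example that is not from the article or from any of the vendors quoted in it, a small Python check a site operator could run against the two facts above: it flags PHPbb 2.x versions older than 2.0.11, and it walks a web root looking for files with the listed extensions that carry the defacement text. The web root layout and file contents are constructed for the demo.

```python
import tempfile
from pathlib import Path

# Extensions the article says Santy-A overwrites once it controls a site.
DEFACED_EXTENSIONS = {".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm"}
# Text the worm writes into those files, as quoted in the article.
DEFACEMENT_MARKER = "NeverEverNoSanity WebWorm generation"
# First PHPbb 2.x release the article names as not vulnerable.
FIXED_PHPBB_VERSION = (2, 0, 11)


def parse_version(text):
    """Turn '2.0.10' into (2, 0, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def phpbb_is_vulnerable(version):
    """True for any PHPbb 2.x release older than 2.0.11."""
    v = parse_version(version)
    return v[0] == 2 and v < FIXED_PHPBB_VERSION


def find_defaced_files(webroot):
    """Return paths (relative to webroot) of candidate files carrying the marker."""
    hits = []
    root = Path(webroot)
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DEFACED_EXTENSIONS:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        if DEFACEMENT_MARKER in text:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_webroot():
    """Constructed sample tree (not real data): clean files plus two defaced ones."""
    root = Path(tempfile.mkdtemp(prefix="santy_demo_"))
    (root / "forum").mkdir()
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "forum" / "viewtopic.php").write_text(
        "This site is defaced!!! This site is defaced!!! " + DEFACEMENT_MARKER)
    (root / "about.htm").write_text("This site is defaced!!! " + DEFACEMENT_MARKER)
    (root / "notes.txt").write_text(DEFACEMENT_MARKER)  # extension not on the list, so not flagged
    return str(root)


if __name__ == "__main__":
    print(find_defaced_files(build_sample_webroot()))
    print(phpbb_is_vulnerable("2.0.10"), phpbb_is_vulnerable("2.0.11"))
```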
Google stopped Santy-A by deactivating queries essential to its ability to spread, but not before the worm was able to infect about 40,000 Web sites.