The worm, Santy, exploited a vulnerability in phpBB, a bulletin board plug-in for the popular PHP web site scripting environment, to deface at least tens of thousands of web sites, deleting data from servers as it went.

It is believed to be the first major automated threat to use a search engine, Google in this case, to identify potentially vulnerable targets. This tactic has been known about and used by hackers in more targeted attacks for a long time.

The worm searches Google for the term viewtopic.php, the name of the vulnerable component, in URLs, a signature of the presence of phpBB. Google returns about 7.5 million hits for the query allinurl:viewtopic.php.

Once it has found a vulnerable machine, the exploit is executed. On the target server, all files with the extensions .asp, .htm, .jsp, .php, .phtm and .shtm are overwritten with an HTML page announcing "This site is defaced!!!"

The defacement page also contains the text "NeverEverNoSanity WebWorm generation X", where X is the number of infections that iteration of the worm has so far caused. Google did not return any hits for a query on the defacement text.
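For an administrator checking whether a phpBB host was hit, the two strings above are the practical indicators. The following scanner is an added example, not code from the article or from any vendor it quotes: it walks a web root, looks only at files with the extensions the worm overwrote, and reports which of them carry the defacement marker together with the "generation" counter. The extension list and the marker text are taken from the article; the assumption that the counter appears verbatim as "generation <digits>" and the sample web root are constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions the article says the worm overwrites.
TARGET_EXTENSIONS = {".asp", ".htm", ".jsp", ".php", ".phtm", ".shtm"}
# Marker strings from the defacement page as described in the article.
DEFACE_MARKER = "This site is defaced!!!"
# Assumption: the counter is rendered as "generation <digits>".
GENERATION_RE = re.compile(r"NeverEverNoSanity WebWorm generation (\d+)")


def classify_content(text):
    """Return (defaced, generation) for the text of one file.

    generation is None when the marker is present but no counter is found.
    """
    if DEFACE_MARKER not in text:
        return False, None
    match = GENERATION_RE.search(text)
    return True, (int(match.group(1)) if match else None)


def scan_webroot(root):
    """Return [(path, generation), ...] for every candidate file carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            # Only the extensions the worm targets are worth reading.
            if path.suffix.lower() not in TARGET_EXTENSIONS:
                continue
            try:
                text = path.read_text(errors="replace")
            except OSError:
                # Unreadable file: skip rather than abort the whole scan.
                continue
            defaced, generation = classify_content(text)
            if defaced:
                hits.append((str(path), generation))
    return hits


def build_sample_webroot(base):
    """Constructed fixture: one clean page, two defaced pages, one decoy."""
    base = Path(base)
    (base / "forum").mkdir(parents=True, exist_ok=True)
    (base / "index.php").write_text("<?php echo 'hello'; ?>")
    (base / "forum" / "viewtopic.php").write_text(
        "<html>This site is defaced!!! NeverEverNoSanity WebWorm generation 12</html>"
    )
    (base / "about.htm").write_text("This site is defaced!!!")
    # Wrong extension: the worm does not touch .txt, so the scanner ignores it.
    (base / "notes.txt").write_text("This site is defaced!!!")
    return base


def demo():
    """Scan a constructed web root and return relative paths with generations."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        hits = scan_webroot(tmp)
        return sorted(
            (Path(path).relative_to(tmp).as_posix(), generation)
            for path, generation in hits
        )


if __name__ == "__main__":
    for rel_path, generation in demo():
        print(f"{rel_path}: defaced, generation={generation}")
```

Run it against a real document root instead of the fixture by calling scan_webroot("/var/www") (path assumed); a non-empty result is a strong signal, and the generation numbers, if present, give a rough sense of where in the propagation chain the host was hit.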

The beta version of MSN Search, which one day hopes to rival Google’s dominant position in the search engine marketplace, returned 37,000 hits, suggesting a similar number of infections, at about midnight GMT last night.

"This is definitely not as severe as what we saw with Slammer or Code Red," said Oliver Friedrichs, senior manager of Symantec Security Response. He added that there is the potential for variants. "MSN could be used to find infected servers," he said.

The fact that Google was used to find potentially vulnerable targets means that there was likely far less of the collateral damage, in the form of network bandwidth consumption, that previous scattershot worms have caused.

It also meant that the worm had a single point of failure. Some antivirus experts said that Google had the ability to shut down the worm’s proliferation by blocking the queries it uses to generate its list of targets.

"They could stop this Santy outbreak right now simply by stopping responding to the queries the virus uses," F-Secure's Mikko Hypponen wrote. "This wouldn't hurt any end users and would in fact take load off from Google servers."

Google announced it had started blocking the worm about four or five hours later. It’s not clear yet if that would have had much of an effect on propagation. Network worms can reach saturation point in less than an hour.

"While the worm does not put Google users at risk, we are working to help stop its propagation by blocking queries to Google that are generated by the worm," a Google spokesperson said in a statement.

Having all the iterations of the worm go through Google may prove to be the author’s undoing. Google’s logs presumably now contain data that may prove useful in tracking down the person who released the worm into the wild.

Google could easily find the IP addresses of the first batch of infected machines. While viruses are often seeded through already-compromised machines, law enforcement could conceivably use Google log data as a starting point to track down Santy’s author.

People running phpBB should upgrade their software to version 2.0.11, which fixes the problem. Knowledge of the vulnerability, unrelated to other recent PHP vulnerabilities, has been in the public domain since November 12.