Webmasters who use phpBB, the open-source bulletin board software, are advised to upgrade their software to avoid infection.

The source code for Santy has appeared on the web, and postings to popular security mailing lists have linked to it. As with MyDoom earlier in 2004, this usually means that variants created by less-skilled coders will follow.

However, worms that successfully exploit fixable vulnerabilities, such as Santy, tend to have less-successful progeny. Infection, or media coverage of the original variant, often prompts webmasters to patch their software.

Santy searches Google for the filename viewtopic.php, a vulnerable component of phpBB, in URLs. It then attempts to exploit the vulnerability. If successful, it deletes files with extensions such as .php, .asp and .html.

Google said it took about seven hours to put the blocks in place to stop Santy spreading, telling F-Secure Corp: "While a seven-hour response for something like this is not outrageous, we think we can and should do better.

"We will be reviewing our procedures to improve our response time in the future to similar problems," the firm said. Using Google to find hacking targets is a widely acknowledged practice, and a worm like Santy was long anticipated.

There’s also the suggestion that Santy may have been an early example of a stealth worm, one that spreads first and makes itself known later. Hackers often ridicule virus writers for creating ungainly code that sets off warning sirens within minutes of release.

Each iteration of the worm keeps track of how many machines it has infected. This generation number is displayed on the web site it defaces. According to the SANS Institute’s Internet Storm Center, Santy only defaces after the third generation.

"The defacement only takes place if the generation is larger than three, indicating that the script initially spread in a more stealthy mode to infect systems silently before being discovered," SANS reported.

This generation number also sheds some light on how far the worm spread. The search engines used to find target machines could also be used to locate infected ones, and no generation over 30 could be found.

"Santy gets easily corrupted," F-Secure Corp's Mikko Hypponen said. "The exploit it uses is only able to transfer around 20 bytes of data at a time. So the worm transfers itself from one web site to another in small chunks.

"If a chunk goes missing, the worm might still work fine... or it might fail," Hypponen told ComputerWire. "The more generations there are, the more likely it is to fail because of this."