December 22, 2004

Santy peters out, but variants likely

The Santy worm stopped spreading after Google Inc disabled web searches that looked like they had been generated by the malicious program, which was responsible for defacing tens of thousands of PHP message boards. But Santy's source code has been published, making it more likely that a variant could appear over the coming days and weeks.

By CBR Staff Writer

Webmasters who use phpBB, the open-source bulletin board software, are advised to upgrade their software to avoid infection.

The source code for Santy has appeared on the web and postings to popular security mailing lists linked to the code. This often means, such as in the case of MyDoom earlier in 2004, that variants created by less-skilled coders will emerge.

However, worms that successfully exploit fixable vulnerabilities, such as Santy, tend to have less-successful progeny. Infection, or media coverage of the original variant, often prompts webmasters to patch their software.

Santy searches Google for the filename viewtopic.php, a vulnerable component of phpBB, in URLs. It then attempts to exploit the vulnerability. If successful, it deletes files with extensions such as .php, .asp and .html.

Google said it took about seven hours to put the blocks in place to stop Santy spreading, telling F-Secure Corp: "While a seven-hour response for something like this is not outrageous, we think we can and should do better."

"We will be reviewing our procedures to improve our response time in the future to similar problems," the firm said. Using Google to find hacking targets is a widely acknowledged practice, and a worm like Santy was long anticipated.

There’s also the suggestion that Santy may have been an early example of a stealth worm, one that spreads first and makes itself known later. Hackers often ridicule virus writers for creating ungainly code that sets off warning sirens within minutes of release.


Each iteration of the worm keeps track of how many machines it has infected. This generation number is displayed on the web site it defaces. According to the SANS Institute’s Internet Storm Center, Santy only defaces after the third generation.

"The defacement only takes place if the generation is larger than three, indicating that the script initially spread in a more stealthy mode to infect systems silently before being discovered," SANS reported.

This generation number also shed some light on how the worm spread. Search engines, used to find the target machines, could also be used to locate infected machines. No generation over 30 could be found.

"Santy gets easily corrupted," F-Secure Corp's Mikko Hypponen said. The exploit it uses is only able to transfer around 20 bytes of data at a time, so the worm transfers itself from one web site to another in small chunks.

"If a chunk goes missing, the worm might still work fine… or it might fail," Hypponen told ComputerWire. "The more generations there are, the more likely it is to fail because of this."
