Holiday Worm Putting Grinch in Season
Santy.A might sound like some kind of holiday cheer but as thousands of Web site operators are quickly finding out, the nasty little worm is only spreading fear.
Helsinki, Finland-based F-Secure discovered the worm early Tuesday afternoon. Santy.A has been detected defacing Web sites by exploiting a flaw in a popular program used to create Internet forums, several security firms reported Tuesday.
It has zipped through the wild disabling and defacing nearly 40,000 sites within the span of several hours, according to Ken Dunham, director of malicious code at Virginia-based security firm iDefense. At least 17 generations of the worm have been detected.
"It shows the average consumer that the exploiting of new vulnerabilities is moving much faster," said Dunham. "The lifecycle for emerging threats is continually shrinking," he added.
Santy has been able to move rapidly by exploiting flaws in the popular phpBB discussion forum software. Once the worm has hit the site, it leaves behind the message: "This site is defaced!!! NeverEverNoSanity."
The worm spreads on its own and does not require any user-interaction.
It searches Google for vulnerable forum sites and uses a remote exploit to gain access to them. Once it locates a site, it defaces it and restarts the random scanning process for more hosts.
Dunham said details regarding the exact vulnerabilities exploited by Santy.A remain vague, but the worm may be exploiting a recent SQL injection vulnerability for phpBB 2.0.10 reported on Nov. 29. But he stressed this had not been confirmed.
"If that is the case, this worm was rapidly authored and deployed, just a few weeks following the vulnerability announcement," Dunham said.
Aside from defacing infected sites, there has not been any indication the worm is carrying a payload, and it has not infected machines that have viewed the sites, said Dunham.
iDefense and several other security firms have recommended that users of phpBB upgrade to version 2.0.11 to prevent their sites from being defaced.
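The two facts a forum operator can act on from this report are the fixed release (2.0.11) and the string the worm writes into defaced pages. The following triage script is an added example, not code from the article or from phpBB or iDefense: it takes an inventory of sites with their phpBB version and a fetched page body (the inventory here is constructed sample data, not real sites), flags installs older than 2.0.11 and pages carrying the defacement marker, and compares versions numerically so that 2.0.9 is correctly ranked below 2.0.11 (a naive string comparison gets that backwards).

```python
from typing import Dict, List, Tuple

# Fixed release named in the article; anything older should be upgraded.
FIXED_VERSION = "2.0.11"

# Text the article says the worm leaves behind on a defaced site.
DEFACEMENT_MARKER = "This site is defaced!!! NeverEverNoSanity"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.0.10' into (2, 0, 10) so comparisons are numeric.

    A plain string compare would rank '2.0.9' above '2.0.11' because
    '9' > '1'; converting each dotted component to an int avoids that.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def needs_upgrade(version: str) -> bool:
    """True if the installed phpBB release predates the fixed one."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def is_defaced(html: str) -> bool:
    """True if the page body carries the worm's defacement text."""
    return DEFACEMENT_MARKER in html


def triage(sites: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map site name -> list of findings (empty list means nothing to do).

    `sites` maps a site name to (phpBB version string, fetched HTML body).
    The version is assumed to be known from the operator's inventory; this
    example does not read it from the phpBB install itself.
    """
    report: Dict[str, List[str]] = {}
    for name, (version, html) in sites.items():
        findings: List[str] = []
        if is_defaced(html):
            findings.append("defaced: Santy marker present")
        if needs_upgrade(version):
            findings.append(f"phpBB {version} is older than {FIXED_VERSION}: upgrade")
        report[name] = findings
    return report


# Constructed sample inventory for illustration; these are not real sites.
SAMPLE_SITES: Dict[str, Tuple[str, str]] = {
    "forum-a": ("2.0.10", "<html><body>This site is defaced!!! NeverEverNoSanity</body></html>"),
    "forum-b": ("2.0.9", "<html><body>Welcome to our board</body></html>"),
    "forum-c": ("2.0.11", "<html><body>Welcome to our board</body></html>"),
}


if __name__ == "__main__":
    for site, findings in triage(SAMPLE_SITES).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{site}: {status}")
```

The version check is the part worth keeping around: comparing release strings lexically is a common mistake in home-grown patch audits, and it silently reports an old install as up to date once the patch level reaches two digits.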