Santy Worm Moves On

UPDATED: Less than a week after Google squashed the Santy.A worm,
variants of the virus are reportedly spreading through other online search
engines, including America Online and Yahoo,
according to several security firms.

While the early version moved rapidly by exploiting flaws in the popular
phpBB discussion forum software, the latest variant is germinating through
the wild by attacking Web sites using the PHP scripting language, according to
Ken Dunham, director of malicious code at Virginia-based security firm iDefense.

“There are several different threat scenarios,” he said, adding that several
variants, including Santy.B through Santy.E, have evolved since last week.

Dunham said the virus did not appear to be too widespread and expected the
outbreak to remain relatively controlled.

However, several security firms have reported Web sites being
infected and servers being compromised or slowed due to the virus.

Santy.A was discovered by Helsinki, Finland-based F-Secure last Tuesday,
menacing tens of thousands of Web sites that used the popular program to
create Internet forums. It raced through the wild, and in a few hours disabled
and defaced nearly 40,000 sites, leaving the message: “This site is defaced!!!”

As reported earlier, the worm spread
on its own and did not require user interaction. Instead, it searched for
vulnerable forum sites through Google and used a remote exploit to gain
access to them. Once it located a site, it defaced it and restarted the
random scanning process for more hosts.

But Santy.A was halted after Google began blocking infected sites,
slowing down the spread of the virus. Now the virus is using Yahoo and
AOL search engines to avoid being blocked by Google.

AOL, which uses Google’s search engine technology, is still
investigating the possibility that it may need to take additional steps to
prevent the virus from infecting Web sites through its search, according to Andrew Weinstein,
a company spokesman.

It was unclear whether the initial response by
Google was sufficient to protect AOL searches from the virus.

In a statement, a Yahoo spokesman said: “We became aware of the Santy.B worm on December 24 and immediately took action to protect websites and our users. The worm has caused very little impact.”

The recent spike of viruses spreading through search engines, including
the MyDoom worm early this year, is a trend likely to continue as more and
more search engines find themselves in the crosshairs of virus writers, said
Dunham of iDefense.

“Search engines should plan on having programs abused in 2005,” he said.

Although Google was initially criticized for a sluggish response to the
Santy threat, Dunham says the company acted in time to stop the continued spread of the worm.

Updates prior version to include comment from Yahoo
