Financial Daily from THE HINDU group of publications Thursday, Dec 30, 2004
Info-Tech - Viruses

Google blocks Web worm Santy.A

Pratap Ravindran
Pune, Dec. 29

GOOGLE Inc has announced that it has blocked Santy.A, the Web worm which had identified potential victims through its search and had spread among online bulletin boards using a vulnerability in phpBB, an open-source software product managed by the phpBB Group. The Santy worm is the first to use a popular search engine to propagate itself.

The worm apparently worked by sending Google a specific search request, asking for a list of vulnerable sites. On obtaining a list, the worm spread to the sites in it by using a PHP request designed to exploit the vulnerability of the phpBB bulletin board software. On infecting a Web site, Santy searched Google for other sites running phpBB and tried to infect those sites too.

After Santy took over a site, it deleted all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaced them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X." For X, the worm inserted a number representing its 'generation', that is, how far it had descended from the original worm release. According to one report, MSN searches had suggested the existence of 24 generations of the worm.

Further, a phpBB component called viewtopic.php allowed malicious commands to be passed to and executed on servers running a vulnerable version of the phpBB software. The worm infected Web sites, but did not infect computers used to view those sites.

According to antivirus companies, Google has been successful in blocking the worm as Santy.A does not have any native ability to scan for vulnerable computers. They further point out that the worm is yet another instance of the practice known as Google hacking, which uses the search major's service as an attack tool.

As it happens, the numero uno of search is also one of the most popular search engines among hackers, who often use it to find vulnerable targets for an attack. For instance, attackers, by searching for default server page titles, are able to find servers which can be exploited easily. Applications left in default modes can also be found by searching for error pages generated by the software. Searches on Google for specific file names can also identify vulnerable servers hooked up to the Internet.

Ironically, it is the very features that have made Google the most popular search engine in the world that make hackers use it. Most other search engines do not have the advanced search option available on Google and do not cache old versions of Web sites.

Security experts point to the spread of Santy to underline the need to keep on top of software patches and "harden" the configuration of public-facing servers.
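
One way an administrator could check a web root for the defacement text quoted above and read off the generation number. This is an added example, not part of the original article or any vendor's tool; the function names, the 64 KB read limit and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Marker text as quoted in the article; the trailing number is the generation.
MARKER = re.compile(rb"NeverEverNoSanity\s+WebWorm\s+generation\s+(\d+)")
MAX_BYTES = 64 * 1024  # assumption: the replacement text sits near the top of the file


def scan_webroot(root):
    """Return {relative_path: generation} for each file carrying the marker."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks and special files so the scan stays inside the tree.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    match = MARKER.search(fh.read(MAX_BYTES))
            except OSError:
                continue  # unreadable file: nothing to report for it
            if match:
                hits[os.path.relpath(path, root)] = int(match.group(1))
    return hits


def summarize(hits):
    """Count defaced files and list the distinct generation numbers seen."""
    return {"defaced": len(hits), "generations": sorted(set(hits.values()))}


def build_sample(root):
    """Write a constructed web root: two defaced pages and one clean page."""
    text = ("This site is defaced!!! This site is defaced!!! "
            "NeverEverNoSanity WebWorm generation 7")  # generation 7 is made up
    os.makedirs(os.path.join(root, "forum"))
    pages = {"index.html": text, os.path.join("forum", "viewtopic.php"): text,
             "about.html": "<html><body>About us</body></html>"}
    for rel, body in pages.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(summarize(scan_webroot(root)))
```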
Copyright © 2004, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line