PHPBB worms multiply

December 28, 2004

Categories: Security

Variants of the Santy worm, reported earlier in “Santy: Automated attack on phpbb forums”, have begun to surface, continuing a worrying trend of worms that automatically query search engines for suitable targets.

Although the original Santy worm was an application written in PHP, a major new variant written in Perl has emerged. Security firms differ markedly in how they classify the resulting variants: Symantec now designates the line with the suffix Perl.phpinclude, while Kaspersky has renamed Santy.d and Santy.e as Spyki.a and Spyki.b, citing significant differences in the worms’ structure from earlier Santies.

According to “Google worm targets AOL, Yahoo”:

“Perl.Santy.B is a worm written in Perl script that attempts to spread to Web servers running versions of the phpBB 2.x bulletin board software prior to 2.0.11,” warned Symantec in a Dec. 26 bulletin. “It uses AOL or Yahoo search to find potential new infection targets.”

AOL, which uses Google for its underlying search technology, said it was looking into the problem and was uncertain whether Google blocks already in place would prevent misuse of AOL’s search site. Yahoo, which dumped Google’s search technology in February, could not be reached immediately for comment.

Several other variants are cropping up. Santy.c targets Google once again.

The worms have also apparently singled out the Brazilian Google specifically for seeking out targets.

Harry Fuecks at SitePoint has also written an informative article on how the variants actually operate, clearing up a few apparent misconceptions that exploits in PHP itself were being used to drive them: “PHP Worms: Santy / Perl.PhpInclude - ModSecurity”.
