p2pnet - rss feed: New Santy worms show up
p2pnet.net News:- Google moved fast in a bid to stop the Santy worm in its tracks, but not fast enough, it would seem.
Security firms warn that variants have begun to spread using both Google and other search engines, says CNET News.
Santy made itself evident when phpBB-powered bulletin board sites had their pages erased and replaced with:
This site is defaced!!!
NeverEverNoSanity WebWorm generation X
It used Google to find its victims.
Now, “After Google took measures to prevent the worm from executing Google searches for the faulty bulletin board software, Santy variants are making the rounds using AOL and Yahoo search, according to security firms, and are still targeting Google as well,” says CNET.
Santy.c targets Google once again, it says, saying Kaspersky Labs has renamed Santy.d and Santy.e Spyki.a and b., “citing significant differences in the worms’ structure from earlier Santies.
“The security firm also said the new worms were using the Brazilian Google for their exploits.”
Santy.e doesn’t only target phpBB but it also attacks other PHP scripts that are vulnerable to the file inclusion exploit, says DarkVision Hardware in The Netherlands, adding:
“Like earlier Santy variations, Santy.e uses Google to identify exploitable Web pages written in PHP which use the vulnerable functions “include()” and “require().” Santy.e, however, also throws Yahoo’s and AOL’s search engines into the mix, learning a lesson from the originals, which were stymied when Google blocked their searches.”
===================
See:-
moved fast - Santy worm stopped - for now, p2pnet, December 21, 2004
spread - Google worm targets AOL, Yahoo, CNET News, December 27, 2004
other PHP scripts - Santy.e targets all vulnerable PHP scripts - not solely phpBB, DarkVision Hardware, December 27, 2004
