Santy.A might sound like some kind of holiday cheer but as thousands of
Web site operators are quickly finding out, the nasty little worm is only
Helsinki, Finland-based F-secure discovered
the worm early Tuesday afternoon. Santy.A has been detected defacing
Web sites by exploiting a popular program used to create Internet forums,
several security firms reported Tuesday.
It has zipped through the wild disabling and defacing nearly 40,000 sites
within the span of several hours, according to Ken Dunham, director of
malicious code at Virginia-based security firm iDefense. At least 17 generations
of the worm have been detected.
“It shows the average consumer that the exploiting of new vulnerabilities is
moving much faster,” said Dunham. “The lifecycle for emerging threats is
continually shrinking,” he added.
Santy has been able to move rapidly by exploiting flaws in the popular
phpBB discussion forum software. Once the worm has hit the site, it leaves
behind the message: “This site is defaced!!! NeverEverNoSanity.”
The worm spreads on its own and does not require any user-interaction.
It searches for vulnerable forum sites through Google
uses a remote exploit to gain access to them. Once it locates a site, it defaces
it and restarts the random scanning process for more hosts.
Dunham said details regarding the exact vulnerabilities exploited by Santy.
A remain vague, but the worm may be exploiting a recent SQL injection
vulnerability for phpBB 2.0.10 reported on Nov. 29. But he stressed this
had not been confirmed.
“If that is the case, this worm was rapidly authored and deployed, just a few
weeks following the vulnerability announcement,” Dunham said.
Aside from defacing infected sites, there has not been any indication the
worm is carrying a payload and has not infected machines that have viewed the
sites, said Dunham.
iDefense, and several other security firms, have recommended users of phpBB
upgrade to version 2.0.11 to prevent their sites from being defaced.