Thousands of websites are hit as web worm exploits security
vulnerability and overwrites files
Anti-virus experts at Sophos, a world leader in protecting
businesses against viruses and spam, have advised that a new
internet worm is defacing web bulletin boards across the globe.
 |
| The Santy worm has defaced many web bulletin
boards. |
The Perl/Santy-A worm (also
known as Santy) exploits a vulnerability in a piece of software
often used to provide discussion forums and bulletin boards on the
web, phpBB. The worm uses the Google search engine to try and find
vulnerable bulletin boards on the web. According to media reports,
Google has started blocking the worm's attempts to replicate.
The Santy worm, which is written in Perl, spreads to vulnerable
phpBB bulletin boards on both Windows-based and Unix-based
platforms. Once the worm has spread to three or more servers it
will attempt to overwrite all HTM*, PHP*, ASP*, SHTM*, JSP* and
PHTM* files with a web page containing the following message:
This site is defaced!!!
NeverEverNoSanity WebWorm generation #
where
# is a number which increases by one on each
iteration of the worm.
"The good news is that this worm only affects web servers, not
users who visit any of these bulletin boards," said Graham Cluley, senior
technology consultant for Sophos. "There have been serious security
vulnerabilities found in the phpBB software in the past - and this
incident underlines the importance of all people keeping up-to-date
with the latest security patches and fixes."
With the Santy worm released on 21 December, Sophos experts
believe that it is possible the worm's distribution has been
deliberately timed to coincide with the holiday season.
"Can it really be coincidence that a worm which attacks web
bulletin boards is released just as many companies and
organisations who run such messageboards are shutting down for
Christmas?" said Cluley. "Many webmasters will be going home early
for the holidays - and it's likely this worm will have a greater
impact simply because the people who need to be at their desks to
fix the problem, are relaxing in front of the fire."
Webmasters who run the phpBB software are advised to upgrade to
the most recent version of the software at the earliest possible
opportunity. Version 2.0.11 of phpBB is believed not to be
vulnerable to the worm's method of attack.
"With millions of websites around the world running the phpBB
software it is essential that the message gets out to its users
that they must take security seriously - and keep up-to-date with
information about the latest discovered exploits," continued
Cluley.
In June 2004 another worm, W32/MyDoom-O, disrupted the Google
search engine after it tried to use the popular website in an
attempt to spread further.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.