Holiday Worm Putting Grinch in Season

By Tim Gray


Santy.A might sound like some kind of holiday cheer but as thousands of Web site operators are quickly finding out, the nasty little worm is only spreading fear.

Helsinki, Finland-based F-Secure discovered the worm early Tuesday afternoon. Santy.A has been detected defacing Web sites by exploiting a popular program used to create Internet forums, several security firms reported Tuesday.

It has zipped through the wild disabling and defacing nearly 40,000 sites within the span of several hours, according to Ken Dunham, director of malicious code at Virginia-based security firm iDefense. At least 17 generations of the worm have been detected.

"It shows the average consumer that the exploiting of new vulnerabilities is moving much faster," said Dunham. "The lifecycle for emerging threats is continually shrinking," he added.

Santy has been able to move rapidly by exploiting flaws in the popular phpBB discussion forum software. Once the worm has hit the site, it leaves behind the message: "This site is defaced!!! NeverEverNoSanity."

The worm spreads on its own and does not require any user-interaction. It searches for vulnerable forum sites through Google and uses a remote exploit to gain access to them. Once it locates a site, it defaces it and restarts the random scanning process for more hosts.

Dunham said details regarding the exact vulnerabilities exploited by Santy.A remain vague, but the worm may be exploiting a recent SQL injection vulnerability in phpBB 2.0.10, reported on Nov. 29. He stressed that this had not been confirmed.

"If that is the case, this worm was rapidly authored and deployed, just a few weeks following the vulnerability announcement," Dunham said.

Aside from defacing infected sites, there has been no indication that the worm carries a payload or that it has infected machines that viewed the sites, said Dunham.

iDefense and several other security firms have recommended that users of phpBB upgrade to version 2.0.11 to prevent their sites from being defaced.