A new worm uses the search engine Google to find vulnerable systems, automatically connect to them, and deface a Web site.
Kaspersky Labs, a security software company in Moscow, said Tuesday that it has detected a new worm that uses search site Google to automatically find vulnerable systems. The worm, called Net-Worm.Perl.Santy.a, queries Google to locate Web sites running vulnerable versions of phpBB, which is software for creating Internet forums using the PHP scripting language.
A week ago, the PHP Group, an open-source development organization, issued PHP 4.3.10 and PHP 5.0.3 to close the vulnerabilities this worm exploits. A fix of phpBB, version 2.0.11, was issued in mid-November.
"This is a little hint of what's coming in 2005," cautions Timothy Keanini, chief technology officer for nCircle Network Security Inc., a network security company. "All the technology that makes us more efficient makes the bad guys more efficient, too."
Santy.a asks Google to return a list of sites using older versions of the phpBB software. It then connects to those sites and exploits a vulnerability to access the server running the bulletin-board software. The worm then overwrites .htm, .php, .asp, .shtm, .jsp, and .phtm files with text that reads, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation." Keanini notes that hackers have been gathering this sort of intelligence by doing manual searches for some time now. This worm, he says, may be one of the first that automates this process.
A representative for Google said the company is looking into the issue but had no immediate comment. It seems to have taken some action already, though. Earlier Tuesday, searching for "NeverEverNoSanity" returned some 38,000 results--most of them presumably pages defaced by the worm. As of 1 p.m. PST, that text string returned zero results.
Like other Internet users, hackers find Google a treasure trove of useful information, particularly for vulnerability reconnaissance. At one site dedicated to Google hacking, you can find what's called the Google Hacking Database. It lists specific text strings that can be fed into Google to locate sites running certain types of software and hardware. While such information has legitimate uses, it's also convenient for ferreting out vulnerable systems to target for attack. The maintainer of the site, Johnny Long, who describes himself as a "Christian hacker," is also the co-author of a newly released book called Google Hacking For Penetration Testers.
This may prove the saying that less is more, at least when it comes to including software and hardware version information on public Web sites. Mike Murray, director of vulnerability and exposure research at nCircle, says that omitting such details is a best practice, but that level of diligence isn't often seen, particularly among smaller sites.
Business users shouldn't see too much disruption from this worm. "Because of the way it spread, it's not going to affect internal corporate networks the way Slammer did," Murray says.
Updated virus definitions to block the worm are available from a number of security companies as of Tuesday afternoon, including F-Secure, Kaspersky Labs, Symantec, and TrendMicro.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.