06:54 PM

New Santy Variants Spread Beyond Google

The Santy worm, which uses search engines to spread, appears to be morphing into other dangerous variants, virus experts said Tuesday.

The Santy worm, which appeared just before the Christmas holiday and uses search engines to spread, appears to be morphing into dangerous variants, virus experts warned Tuesday.

Much like the original, the Santy variations target Web bulletin boards designed with the open-source PHP scripting language. But a few of the mutated forms, such as Santy.E and Santy.C (also known as PhpInclude.Worm) focus on different parts of the PHP code by using multiple programming flaws to gain entry.

While incidents of the Santy worm have decreased dramatically since Google started blocking it, the new versions now use search engines such as AOL and Yahoo! to enable remote attackers to inject malicious code into PHP scripts.

Many of the victimized sites have their pages marred with the wording, "This site is defaced!!! NeverEver NoSanity." They then suffer server slowdown.

"Hackers have known that search engines are a good tool to find vulnerable sites, and they're doing just that," said David Burton, director of product marketing at Check Point Software Technologies. "The worst is probably behind us, but you can bet that we'll start to see more of these exploits targeting publicly available sites."

On Dec. 21, four days before the initial Santy worm was unleashed, the Redwood City, Calif.-based vendor announced an upgrade to its flagship VPN-1 appliance that provides preemptive protection against PHP worms.

The protection handles all forms of the Santy worm, including Santy.C.

Graham Cluley, senior technology consultant with U.K.-based anti-virus specialist Sophos, said the good news about Santy and its variations is that -- so far at least -- they do not attack individuals' computers. Even so, the spreading attack highlights the importance of addressing known security vulnerabilities and problems in coding, particularly within PHP.

"There have been serious security vulnerabilities found in the PHP software in the past," he said in a statement issued Monday. "This incident underlines the importance of all people keeping up-to-date with the latest security patches and fixes."

Santy was not the first malicious code to attempt to spread using search engines. In June, MyDoom-O caused a slowdown on Google after the virus tried to spread itself via the search site.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for InformationWeek Newsletters
White Papers
Current Issue
Top IT Trends to Watch in Financial Services
IT pros at banks, investment houses, insurance companies, and other financial services organizations are focused on a range of issues, from peer-to-peer lending to cybersecurity to performance, agility, and compliance. It all matters.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of July 24, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.