Google Worm Shows Bad Guys Want Efficiency, Too
A new worm uses the search engine Google to find vulnerable systems, automatically connect to them, and deface a Web site.
Kaspersky Labs, a security software company in Moscow, said Tuesday that it has detected a new worm that uses search site Google to automatically find vulnerable systems. The worm, called Net-Worm.Perl.Santy.a, queries Google to locate Web sites running vulnerable versions of phpBB, which is software for creating Internet forums using the PHP scripting language.
A week ago, the PHP Group, an open-source development organization, issued PHP 4.3.10 and PHP 5.0.3 to close the vulnerabilities this worm exploits. A fix of phpBB, version 2.0.11, was issued in mid-November.
"This is a little hint of what's coming in 2005," cautions Timothy Keanini, chief technology officer for nCircle Network Security Inc., a network security company. "All the technology that makes us more efficient makes the bad guys more efficient, too."
Santy.a asks Google to return a list of sites using older versions of the phpBB software. It then connects to those sites and exploits a vulnerability to access the server running the bulletin-board software. The worm then overwrites .htm, .php, .asp, .shtm, .jsp, and .phtm files with text that reads, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation." Keanini notes that hackers have been gathering this sort of intelligence by doing manual searches for some time now. This worm, he says, may be one of the first that automates this process.
A representative for Google said the company is looking into the issue but had no immediate comment. It seems to have taken some action already, though. Earlier Tuesday, searching for "NeverEverNoSanity" returned some 38,000 results--most of them presumably pages defaced by the worm. As of 1 p.m. PST, that text string returned zero results.
Like other Internet users, hackers find Google a treasure trove of useful information, particularly for vulnerability reconnaissance. At one site dedicated to Google hacking, you can find what's called the Google Hacking Database. It lists specific text strings that can be fed into Google to locate sites running certain types of software and hardware. While such information has legitimate uses, it's also convenient for ferreting out vulnerable systems to target for attack. The maintainer of the site, Johnny Long, who describes himself as a "Christian hacker," is also the co-author of a newly released book called Google Hacking For Penetration Testers.
This may prove the saying that less is more, at least when it comes to including software and hardware version information on public Web sites. Mike Murray, director of vulnerability and exposure research at nCircle, says that omitting such details is a best practice, but that level of diligence isn't often seen, particularly among smaller sites.
Business users shouldn't see too much disruption from this worm. "Because of the way it spread, it's not going to affect internal corporate networks the way Slammer did," Murray says.
Updated virus definitions to block the worm are available from a number of security companies as of Tuesday afternoon, including F-Secure, Kaspersky Labs, Symantec, and TrendMicro.
About the Author
You May Also Like