# Net worm using Google to spread



## mimo2005

*Net worm using Google to spread*


December 21, 2004, 11:01 AM PST
By Robert Lemos 



A Web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. 

The Santy worm uses a flaw in the widely used community forum software known as the PHP Bulletin Board (phpBB) to spread, according to updated analyses. The worm searches Google for sites using a vulnerable version of the software, antivirus firm Kaspersky said in a statement. 

Almost 40,000 sites may have already been infected. Using Microsoft's search engine to scan for the phrase "NeverEverNoSanity"--part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits. 


"Santy.a is spreading rapidly," antivirus firm Kaspersky stated in a new release published Tuesday. "However, this does not directly affect users. Although the worm infects Web sites, it does not infect computers used to view those sites." 

The worm sends Google a specific search request, essentially asking for a list of vulnerable sites. Armed with the list, the worm then attempts to spread to those sites using a PHP request designed to exploit the phpBB bulletin board software. 

The worm is the latest twist on using Google as an attack tool, a practice known as Google hacking. It may also be the first time a program used Google to identify victims for an attack. 

Around 6 million sites appear to be running the phpBB software, according to a search of Google for the phrase "Powered by phpBB"--an acknowledgment appended to the bottom of any site that uses the software. 

"There are tons of these PHP bulletin board installs around," said Johannes Ullrich, chief technology officer of the Internet Storm Center, which tracks online threats. Initial analyses by the ISC had concluded that the flaw exploited by the worm occurred in the software that interprets Web pages written in the scripting language PHP: Hypertext Preprocessor (PHP). That flaw was found last week. 

Using Google to determine vulnerable sites is not an academic exercise. The worm does exactly that: Once Santy infects a Web site, it searches Google for other sites running phpBB and then attempts to infect those sites as well. 

After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm. 

Google did not immediately comment on the worm, but a spokesman did say that the company had seen the information and had started to study the issue. 

The response, or lack thereof, frustrated some members of the antivirus community, who believed that the search giant could easily stop the worm by filtering out its search for victims. 

"We know exactly which searches to stop," said Mikko Hypponen, research director of antivirus firm F-Secure. "It would be trivial to stop this thing." 

Web sites using a vulnerable version of phpBB should upgrade, the phpBB Project site advises.

*Google's search for security*

*December 22, 2004*, 4:00 AM PST
By Robert Lemos 



When the Santy.A worm started spreading on Tuesday, Mikko Hypponen knew he had a way to stop the worm in its tracks. The only problem: He had trouble finding the right people to talk to at Google. 

The Santy worm used the search engine to select potential victims. Armed with the list, the worm sent code designed to compromise the potentially vulnerable sites. Because its search engine was a linchpin for the attack, if Google had been ready for the eventuality, the company could have stopped the worm cold, said Hypponen, the research director for antivirus company F-Secure. 

"It is frustrating from our point of view when we know that one little change could stop this worm, right now," he said Tuesday morning. "Someone over there needs to wake up, get some coffee and shut this thing down." 

By the time Google put defenses in place, as many as 40,000 sites had been defaced by the worm, according to search statistics from Microsoft's search engine, a competitor to Google's service. By late Tuesday, Google had set up filters to weed out the worm's queries and prevent its spread. The company did not address why it took as long as it did to respond to antivirus makers' requests.

The worm attack spotlights the dark side of Google's success: The search giant has become a target, and tool, for hackers. With the release of its desktop search software and its e-mail service, Gmail, the company has an increasing number of applications and services that have to be checked for security. Google has quickly found that the seeming legions of security hobbyists and professionals are perfectly willing to find and publicize flaws, whether the company approves or not.

"More people are looking at us from a security analysis standpoint, because there are more applications out from Google, and we are also higher profile," said Marissa Mayer, director of consumer Web products for the company. 

From malicious hackers using Google to hunt for sensitive information, to the increasing scrutiny of the security of Google's services and software, the search giant's popularity has a significant downside. 

"Market leadership is a double-edged sword in that you have a special responsibility to be accountable," said Debbie Fry Wilson, director of product management for the security response center at Microsoft, a rival of Google in search and some Internet services. "At the same time, you have become an attractive target." 

It's a situation with which Microsoft has experience. The software giant has had numerous flaws pointed out by security professionals, sometimes without giving the company a chance to design a fix for the problem. In addition, Microsoft's Web sites and e-mail service on the Microsoft Network, or MSN, have repeatedly come under attack.


"It is hard to say what motivates malicious attackers," Wilson said. "From Microsoft's perspective, since we have such market penetration, that's why we have become a target." 

Security researchers have found several flaws in the last few months in Google's popular, albeit still in test mode, products. This week, university researchers publicized a flaw they found in the company's desktop search product, which could have opened users to attack from the Internet. Another security researcher found a flaw in Google's Groups service. The company fixed that flaw this weekend, the researcher said in an e-mail to CNET News.com. 

While the company has become a target for flaw finders, it has also become a valuable tool for attackers. The reliance on Google's ability to find information about Web sites has security experts and attackers alike using the company's database to find sites with the latest flaws. Known as Google hacking, the activity mines Google's search for specific signs of flaws or sensitive information. 

"The spidering that Google does prior to searching is a great resource for reconnaissance information," said Timothy Keanini, chief technology officer for security appliance maker NCircle. 

Yet the search engine is not just being used by attackers. Malicious programmers are now coding their tools to automatically use the search engine as well. 

The Santy.A worm, which started spreading Tuesday, searched through the Google database for signs of Web sites that were vulnerable to a specific flaw in phpBB. A variant of the MyDoom virus attempted to use Google and other search engines to find additional e-mail addresses to which it could send copies of the virus. 

These threats have evolved slowly enough that Google should have been ready, said NCircle's Keanini. 

"The ironic thing is that, with the threat being very well known and with some Google employees being the smartest people in security, they aren't being very responsive to threats that they should have known about," he said.

The latest attack threw a curve ball at the search giant. While the company had learned to fend off the large influx of data that results from a denial-of-service, or DoS, attack, having its search engine become a core component of a worm is relatively new. Antivirus researchers, however, warned about viruses using the company's search features just the week before. 

"I think their security response team is geared toward protecting Google," said F-Secure's Hypponen of Google's response to the Santy worm. "This worm is not attacking Google, but using Google to attack others. They weren't ready for that." 

Google says it knows that security needs to be a primary focus for the company. 

Mayer stressed that Google has rigorously tested its products internally and conducts extensive beta tests. In fact, many of the products in which vulnerabilities are found are beta versions the company is publicly testing. The desktop search application in which university researchers found a flaw was in beta. Moreover, Google reacted quickly to that report, Mayer said. Still, she stressed that the battle is far from over.

"Security is something that we have to have even more renewed focus on," Mayer said. 

The company has put some thought into its product security. When a flaw was found in its desktop search software, Google had the tools to automatically update all its users. That's a lesson that took a few years for Microsoft--and Windows users--to learn. Where Windows Update used to always ask before installing any new updates, with the latest security update to Windows XP, known as Service Pack 2, the default setting calls for automatic installation. 

"Market leaders have to realize that customers have to be protected against potential risks...without making it an onerous process for them," said Microsoft's Wilson. "The ideal scenario is that those kinds of attacks would not be able to penetrate, or you closed down the vectors." 

Like Microsoft, Google has made a broad push to hire security people. Nearly a dozen job listings for software security engineers and operations security are posted on the company's site. 

Those security professionals will have their work cut out for them, because some of Google's security risks are hardly any different from their security products, said Mike Murray, director of vulnerability research for NCircle. 

"There is a tough balance between providing information to customers and providing information that can be harmful in the hands of an attacker," he said. "Many times, the product they provide is no different from the vulnerability itself."

In the latest incident, a proactive security expert could search for Web servers running a vulnerable version of phpBB to warn the Webmaster of the issue. To Google, however, such a search would look no different than an attack. 

"You are at a point where intention of the user becomes the actual qualifier," Murray said. "Google doesn't know who is sitting on the other side of the request." 

Even for Google, divining intent may be too tall an order. Yet the company is all about finding the right information, so it's unlikely to give up easily.

"Google's mission is to organize the world's information," Mayer said. "To make information accessible and usable, it's implicit that you have to do it in a secure way. That makes security a precursor to our mission."


----------
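As an added illustration (not code from the article, the worm, or any of the firms quoted): a defender-side scan that walks a web root for the defacement text the article quotes and reads the "generation X" counter, so a responder can count defaced pages and see how far down the chain an infection sits. The sample site it builds is constructed and its paths are hypothetical; treating "secure HTML" as the `.shtml` suffix is an assumption.

```python
import re
import tempfile
from pathlib import Path

# Defacement text as quoted from Kaspersky's analysis; "X" is the worm's
# generation counter, which grows by one on each hop from the original.
DEFACE_RE = re.compile(
    r"This site is defaced!!! This site is defaced!!! "
    r"NeverEverNoSanity WebWorm generation (\d+)"
)
# File types the article says Santy deletes and overwrites (.shtml assumed for "secure HTML").
TARGET_SUFFIXES = {".htm", ".html", ".shtml", ".php", ".asp", ".jsp"}

def scan_file(path):
    """Return the generation number if the file carries the marker, else None."""
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return None
    m = DEFACE_RE.search(text)
    return int(m.group(1)) if m else None

def scan_webroot(root):
    """Walk a web root; map relative path -> generation for every defaced page."""
    root, hits = Path(root), {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in TARGET_SUFFIXES:
            gen = scan_file(p)
            if gen is not None:
                hits[p.relative_to(root).as_posix()] = gen
    return hits

def summarize(hits):
    """Counts an incident responder wants: how many pages, how deep the chain."""
    if not hits:
        return {"defaced_files": 0, "max_generation": None}
    return {"defaced_files": len(hits), "max_generation": max(hits.values())}

def demo_scan():
    """Constructed sample site (hypothetical paths): two defaced pages, one clean."""
    marker = "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation "
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "forum").mkdir()
        (base / "index.html").write_text(marker + "24")
        (base / "forum" / "viewtopic.php").write_text("<html>" + marker + "3</html>")
        (base / "forum" / "faq.html").write_text("<html>Powered by phpBB</html>")
        (base / "logo.png").write_bytes(b"binary, not a target type")
        return scan_webroot(base)
```

Run `scan_webroot()` against a real document root (or a backup snapshot) and pass the result to `summarize()`; any hit is a defaced page and the maximum generation tells you how many hops from the original release the copy on your server is.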



## Vespian

Updates: http://www.cooltechzone.com/index.php?option=content&task=view&id=879&Itemid=0

Here, look at what sites Google has found that have been affected by some imbecile's brainchild:

http://www.google.ca/search?sourcei...site+is+defaced!!!+NeverEverNoSanity+WebWorm.


----------

