Santy worm makes unwelcome visit

Santy worm makes unwelcome visit

Thousands of website bulletin boards have been defaced by a virus that used Google to spread across the net. The Santy worm first appeared on 20 December and within 24 hours had successfully hit more than 40,000 websites. The malicious program exploits a vulnerability in the widely used phpBB software. Santy’s spread has now been stopped after Google began blocking infected sites searching for new victims. The worm replaces chat forums with a webpage announcing that the site had been defaced by the malicious program. Soon after being infected, sites hit by the worm started randomly searching for other websites running the vulnerable phpBB software. Once Google started blocking these search queries the rate of infection tailed off sharply. A message sent to Finnish security firm F-Secure by Google’s security team said: “While a seven hour response for something like this is not outrageous, we think we can and should do better.” “We will be reviewing our procedures to improve our response time in the future to similar problems,” the Google team said. Security firms estimate that about 1m websites run their discussion groups and forums with the open source phpBB program. The worst of the attack now seems to be over as a search conducted on the morning of the 22 December produced only 1,440 hits for sites showing the text used in the defacement message. People using the sites hit by Santy will not be affected by the worm. Santy is not the first malicious program to use Google to help it spread. In July a variant of the MyDoom virus slowed down searches on Google as the program flooded the search site with queries looking for new e-mail addresses to send itself to.