'Santy' Worm: Be Careful

[EDGE]

New computer worm attacks bulletin boards
'Santy' spread quickly, but targets are limited
By Bob Sullivan
Technology correspondent
MSNBC
Updated: 3:19 p.m. ET Dec. 21, 2004

A new computer worm that attacks bulletin board services spread silently and quickly around the Internet Tuesday, infecting at least 38,000 systems within a few hours, experts said. The worm does not attack home computers, but consumers might encounter its effects. Bulletin boards that are infected will show a simple text message: "This site is defaced!!! This site is defaced!!! NeverEverNoSanity."

advertisement
The worm only attacks widely used message board software called PHP Bulletin Board. Other than displaying the text message, it does nothing malicious to infected computers, according to antivirus firm Kaspersky Labs. Because it spread rather quickly Tuesday morning, F-Secure Corp. issued an alert about Santy.

"This is spreading very rapidly," said Ken Dunham, director of malicious code research at iDefense Inc.

As a network-based worm, the malicious program is capable of making the rounds quickly without any user interaction, such as clicking on an e-mail attachment. In that way, Santy is similar to the Code Red or Nimda attacks, but the list of potentially vulnerable computers is far more limited that those attacks, said virus researcher Oliver Friedrichs of Symantec Corp.

Santy searches for its digital victims using the Google search engine, Dunham said. The malicious program searches for a particular string of text to find computers running the vulnerable bulletin board software, then attacks them.

"It only takes so long to Google and deface," he said.

Friedrichs said attacks that take advantage of the powerful Google search engine are becoming more common. Earlier this year, the MyDoom computer virus temporarily disabled Google by harvesting e-mail addresses through the service.

"It's not the first time we've seen a threat leveraging Google," he said. "It's extremely attractive to worm (author) who relies on gathering information like e-mail addresses. ... this is a trend we expect to continue."

Another intriguing Santy trick: The worm brags about infecting "generations" of computers. Worms spread exponentially. The first infected computer may attack a dozen or more machines, each of which in turn attacks another dozen, and so on. Even after just four or five levels -- like generations in a family tree -- the attack is widespread.

Santy keeps track of its family tree, announcing which generation has arrived on an infected computer. Searches for infected machines at 3 p.m. ET Tuesday showed the worm had already reached generation 24.

"It does appear to be continuing to spread," Dunham said.
© 2004 MSNBC Interactive

[Lakie]

probably the BB designers looking for publicity...

Not that it affects this virus but:
If everyone registered 10 or so email addresses at free or ISPs and just never touched them but spread them, surely the amount of spam and viruses would go down. Spammers wont get as many sales fo the amount of emails sent and hence email lists will become worthless and if i virus designer knows that chances are that only 1 in 10 that they send it to is a legitimate account, and the infection rate on top of that. Im sure it would cut down on spam and viruses

[atholon]

Supposedly it was due to google finding security risks. They supposedly have stopped it temporarily untill all phpbb users or a lot of them can get the fix.