Information on the Net-worm

aRedMoon

    Source

    A Web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday.

    The Santy worm uses a flaw, announced last week, in the software that interprets Web pages written in the widely used scripting language PHP: Hypertext Preprocessor (PHP). However, rather than attempt to infect all Web sites running PHP, the worm instead targets a specific application--the PHP Bulletin Board (phpBB)--and searches Google for vulnerable sites, antivirus firm Kaspersky said in a statement.

    Almost 40,000 sites may have already been infected. Using Microsoft's search engine to scan for the phrase "NeverEverNoSanity"--part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits.

    "Santy.a is spreading rapidly, and has caused an epidemic," antivirus firm Kaspersky stated in a news release published Tuesday. "However, this does not directly affect users. Although the worm infects Web sites, it does not infect computers used to view those sites."

    The worm sends Google a specific search request, essentially asking for a list of vulnerable sites. Armed with the list, the worm then attempts to spread to those sites using a PHP request designed to exploit the phpBB bulletin board software.

    The worm is the latest twist on using Google as an attack tool, a practice known as Google hacking. It may also be the first time that a program used Google to identify victims for an attack.
    Around 6 million sites appear to be running the phpBB software, according to a search of Google for the phrase "Powered by phpBB"--an acknowledgment appended to the bottom of any site that uses the software.

    "There are tons of these PHP bulletin board installs around," said Johannes Ullrich, chief technology officer of the Internet Storm Center, which tracks online threats.

    Using Google to determine vulnerable sites is not an academic exercise. The worm does exactly that: Once Santy infects a Web site, it searches Google for other sites running phpBB and then attempts to infect those sites as well.

    After it has taken over a site, the worm deletes all HTML, PHP, active server pages (ASP), Java server pages (JSP), and secure HTML pages, and replaces them with the text, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation X," according to Kaspersky. For "X," the worm inserts a number representing how far the current instance of the program is descended from the original worm release. MSN searches have found 24th generations of the worm.

    Google did not immediately comment on the worm, but a spokesman did say that the company had seen the information and had started to study the issue.

    The response, or lack thereof, frustrated some members of the antivirus community, who believed that the search giant could easily stop the worm by filtering out its search for victims.

    "We know exactly which searches to stop," said Mikko Hypponen, research director of antivirus firm F-Secure. "It would be trivial to stop this thing."

    Web sites using a vulnerable version of PHP should upgrade, the phpBB Project site advises.

    Wow... it's hard to think that Google can be used for something like that, isn't it? :/


    v_V I just lost any and all faith in phpBB.
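
A defender's check for the defacement described in the article above, as an added example that is not part of the original post or the article: it walks a web root, looks for the quoted "NeverEverNoSanity WebWorm generation X" text in the file types the article lists, and reports the generation number found in each file. The extension spellings, the function names and the sample files are assumptions constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Marker text as quoted from Kaspersky in the article; X is the generation.
MARKER = re.compile(rb"NeverEverNoSanity WebWorm generation\s+(\d+)")
# File types the article says are overwritten. The exact extension spellings
# (.shtml/.shtm for "secure HTML") are an assumption of this example.
TARGET_EXTS = {".html", ".htm", ".php", ".asp", ".jsp", ".shtml", ".shtm"}


def scan_webroot(root):
    """Return {relative_path: generation} for files carrying the marker."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTS:
            continue
        try:
            with path.open("rb") as fh:
                head = fh.read(4096)  # the replacement text is one short line
        except OSError:
            continue  # unreadable file: skip it, keep scanning
        match = MARKER.search(head)
        if match:
            hits[path.relative_to(root).as_posix()] = int(match.group(1))
    return hits


def demo():
    """Build a constructed sample web root and scan it."""
    defaced = ("This site is defaced!!! This site is defaced!!! "
               "NeverEverNoSanity WebWorm generation %d")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "forum").mkdir()
        (root / "index.html").write_text(defaced % 3)
        (root / "forum" / "index.php").write_text(defaced % 24)
        (root / "forum" / "viewtopic.php").write_text("<?php echo 'ok'; ?>")
        (root / "notes.txt").write_text(defaced % 9)  # not a targeted type
        return scan_webroot(root)


if __name__ == "__main__":
    for name, generation in demo().items():
        print(f"{name}: defaced, generation {generation}")
```

Any hit means the original files are gone and have to be restored from backup after the upgrade the article mentions.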
     
    I'm scared to use Google now o.o I mean I pity Google now =/ Why couldn't it have been Yahoo instead of Google? Google is the best search engine ever XD but I've lost all faith in Google ~_~
     
    JKaizer said:
    Source

    Wow... it's hard to think that Google can be used for something like that, isn't it? :/


    v_V I just lost any and all faith in phpBB.
    phpBB is not the only one that can be infected. If the writers want to, they can write it for vB, IPB, openBB, or any other PHP forum because the hole is in PHP itself. That's why you need to upgrade to PHP 4.5.1 or PHP 5 I think.
     
    JKaizer said:
    Source

    Wow... it's hard to think that Google can be used for something like that, isn't it? :/


    v_V I just lost any and all faith in phpBB.

    Is that the same logic that says MSIE is less secure than FireFox? If more people use certain software, then more viruses will be developed for that software, exposing the vulnerabilities in the code. If the stats were switched, so that more people used FireFox, then there would be more vulnerabilities found in FireFox's code than MSIE. Why develop a virus that will only affect a certain, small demographic? Since phpBB is more popular than other forum software -- since it's great and free -- more viruses will be developed for it than other forum software, just like MSIE.
     
    Kip-kip: Yeah, I know, it's just one of those "Ugh, because of this, I got hacked v.v"

    HellishHades: I know. v_v
     
    JK, this is what hit your site. I read at the bottom. Defacement by NeverEverNoSanity.
    Makes ya hate it even more.
     
    This is Just an Inspiration for all hackers..*Shudders*
    I mean If Google Can do this _---It can do 10000000x More... OMG!!! This might just be a new era in Hacking.. Whoever made this Virus had this in Mind! And The next Target may just be PHP Sites--What can we do!
     
    Errr...hackers strike again? O_o
    Oh well. *goes to do backup stuff*
     
    My friend uses Invision, and is scared stiff >_<
    I use SMF, and I am safe ^_^
     
    PC doesn't run on phpBB, but there's still a chance that whoever made it might make a virus for vB as well... *shrugs* There's no point in worrying. If PC does get hacked, it was meant to... just fate doing its job again.
     
    Holy crap, holy crap, HOLY CRAP!
    I must save everything known about my forum!
    *goes to forum.*
    OH, C-R-A-P!
    *Runs to bedroom and sobs*
     
    Imakuni? said:
    It can be modified to look for any forum software, it's just that phpBB, being quite popular, got struck first.
    I use SMF, and I am safe ^_^
    No you aren't. =3~
    If PC does get hacked, it was meant to... just fate doing its job again.
    All it does is destroy the php files, and I'd think that Steve has a back-up so he could just reupload 'em.
    *Runs to bedroom and sobs*
    I feel your pain *pats*
    Colette, did your forum get hacked? *laughs* XD
    Uncalled for.
     
    Lol, if only we could really do that...
     
    JKaizer said:
    It can be modified to look for any forum software, it's just that phpBB, being quite popular, got struck first.
    No you aren't. =3~
    All it does is destroy the php files, and I'd think that Steve has a back-up so he could just reupload 'em.
    I feel your pain *pats*
    Uncalled for.
    I'm safe for now =3
     