Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

Google Worm Shows Bad Guys Want Efficiency, Too
TechWeb - InformationWeek ^ | December 21, 2004 | Thomas Claburn

Posted on 12/21/2004 8:04:57 PM PST by Eagle9

A new worm uses the search engine Google to find vulnerable systems, automatically connect to them, and deface a Web site.

Kaspersky Labs, a security software company in Moscow, said Tuesday that it has detected a new worm that uses search site Google to automatically find vulnerable systems. The worm, called Net-Worm.Perl.Santy.a, queries Google to locate Web sites running vulnerable versions of phpBB, which is software for creating Internet forums using the PHP scripting language.

A week ago, the PHP Group, an open-source development organization, issued PHP 4.3.10 and PHP 5.0.3 to close the vulnerabilities this worm exploits. A fix of phpBB, version 2.0.11, was issued in mid-November.

"This is a little hint of what's coming in 2005," cautions Timothy Keanini, chief technology officer for nCircle Network Security Inc., a network security company. "All the technology that makes us more efficient makes the bad guys more efficient, too."

Santy.a asks Google to return a list of sites using older versions of the phpBB software. It then connects to those sites and exploits a vulnerability to access the server running the bulletin-board software. The worm then overwrites .htm, .php, .asp, .shtm, .jsp, and .phtm files with text that reads, "This site is defaced!!! This site is defaced!!! NeverEverNoSanity WebWorm generation." Keanini notes that hackers have been gathering this sort of intelligence by doing manual searches for some time now. This worm, he says, may be one of the first that automates this process.

A representative for Google said the company is looking into the issue but had no immediate comment. It seems to have taken some action already, though. Earlier Tuesday, searching for "NeverEverNoSanity" returned some 38,000 results--most of them presumably pages defaced by the worm. As of 1 p.m. PST, that text string returned zero results.

Like other Internet users, hackers find Google a treasure trove of useful information, particularly for vulnerability reconnaissance. At one site dedicated to Google hacking, you can find what's called the Google Hacking Database. It lists specific text strings that can be fed into Google to locate sites running certain types of software and hardware. While such information has legitimate uses, it's also convenient for ferreting out vulnerable systems to target for attack. The maintainer of the site, Johnny Long, who describes himself as a "Christian hacker," is also the co-author of a newly released book called Google Hacking For Penetration Testers.

This may prove the saying that less is more, at least when it comes to including software and hardware version information on public Web sites. Mike Murray, director of vulnerability and exposure research at nCircle, says that omitting such details is a best practice, but that level of diligence isn't often seen, particularly among smaller sites.

Business users shouldn't see too much disruption from this worm. "Because of the way it spread, it's not going to affect internal corporate networks the way Slammer did," Murray says.

Updated virus definitions to block the worm are available from a number of security companies as of Tuesday afternoon, including F-Secure, Kaspersky Labs, Symantec, and TrendMicro.


TOPICS: Culture/Society; Extended News; News/Current Events; Technical
KEYWORDS: google; spyware; worm
"This is a little hint of what's coming in 2005," cautions Timothy Keanini, chief technology officer for nCircle Network Security Inc., a network security company. "All the technology that makes us more efficient makes the bad guys more efficient, too."

Updated virus definitions to block the worm are available from a number of security companies as of Tuesday afternoon, including F-Secure, Kaspersky Labs, Symantec, and TrendMicro.

1 posted on 12/21/2004 8:04:57 PM PST by Eagle9
[ Post Reply | Private Reply | View Replies]

To: Eagle9

I just checked and Google returned 1520 hits about that. (confused)


2 posted on 12/21/2004 8:09:40 PM PST by JoJo Gunn (More than two lawyers in any Country constitutes a terrorist organization. ©)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9

I added Google as my IE search engine. The bad guys will exploit anything. Doesn't mean we should stop googling now.


3 posted on 12/21/2004 8:10:09 PM PST by goldstategop (In Memory Of A Dearly Beloved Friend Who Lives On In My Heart Forever)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9

So this is what happened to Men's News Daily....


4 posted on 12/21/2004 8:11:02 PM PST by Knitting A Conundrum (Act Justly, Love Mercy, and Walk Humbly With God Micah 6:8)
[ Post Reply | Private Reply | To 1 | View Replies]

To: JoJo Gunn

A FReeper posted a thread today (or yesterday) asking for help with his web site, it had picked up a worm. I can't recall the thread's title or the name of the worm he had isolated.


5 posted on 12/21/2004 8:14:43 PM PST by Eagle9
[ Post Reply | Private Reply | To 2 | View Replies]

To: goldstategop
I've had a Google Toolbar on IE since it first became available. Now with Firefox, I have quite a list of options on the pull-down menu of Google. I almost always use Google because it seems to get the most accurate results.
6 posted on 12/21/2004 8:27:05 PM PST by Eagle9
[ Post Reply | Private Reply | To 3 | View Replies]

To: Eagle9; Knitting A Conundrum

I didn't see the thread.

Mens News Daily is on that Google search I hit a little bit ago. But it seems they were also hit by some other group?

http://www.freerepublic.com/focus/f-news/1303714/posts


7 posted on 12/21/2004 9:00:02 PM PST by JoJo Gunn (More than two lawyers in any Country constitutes a terrorist organization. ©)
[ Post Reply | Private Reply | To 5 | View Replies]

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson