A new version of the Santy worm appeared over the weekend. Dubbed Santy.e, it poses a broader threat than its predecessors, which used Google to find vulnerable web bulletin boards and then defaced them.
Rather than targeting only websites running phpBB (software for creating Internet forums using the PHP scripting language), Santy.e has the potential to exploit any site that allows arbitrary file inclusion into PHP scripts.
Experts said they have already received reports of websites attacked by infected systems, and that some servers have been compromised or dramatically slowed down as their loads climbed under constant probing.
Like earlier Santy variants, Santy.e uses Google to identify exploitable web pages written in PHP which use the vulnerable functions "include()" and "require()". Having learned from the past, when Google was quick to block the previous versions of Santy, Santy.e also throws Yahoo's and AOL's search engines into the mix.
However, anti-virus firm F-Secure has downplayed the threat, saying these latest variants haven't got out of control. The Finnish firm attributed this to the fact that the Brazilian group suspected of being behind the attack is using a relatively small number of PCs in the bot network that searches for vulnerable sites and then launches attacks on those it finds.
The firm said the vulnerability lies in poor programming techniques rather than a code bug, and that securing sites against the Santy.e exploit may be time-consuming and require rewriting scripts that use the include() and require() functions.
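The kind of rewrite described above, as an added example that is not code from F-Secure or from any affected site: a request value is never passed to include() or require() directly, only used as a key into a fixed allowlist. The function name resolve_page, the "page" parameter, the pages directory and the page names are all hypothetical.

```php
<?php
// Added illustration; every name here is hypothetical.

// Vulnerable pattern, kept as a comment only: the request value flows
// straight into include(), so the caller decides which file is executed.
//   include($_GET['page'] . '.php');

// Hardened form: the request value is only a lookup key. The file names
// that can ever reach include()/require() are fixed in the source code.
const PAGES_DIR = __DIR__ . '/pages';

const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'forum' => 'forum.php',
    'faq'   => 'faq.php',
];

function resolve_page($requested): string
{
    // Reject non-strings (e.g. ?page[]=x) and any value that is not a
    // known key; fall back to a safe default instead of failing open.
    if (!is_string($requested) || !array_key_exists($requested, ALLOWED_PAGES)) {
        $requested = 'home';
    }
    return PAGES_DIR . '/' . ALLOWED_PAGES[$requested];
}

// Constructed sample inputs: one valid key, then values that must not be
// able to influence the path (a URL, a relative path, an array).
$samples = ['forum', 'http://example.invalid/x', '../config', ['a']];

foreach ($samples as $input) {
    echo json_encode($input), ' => ', resolve_page($input), PHP_EOL;
}

// In a real front controller the call would look like this:
//   require resolve_page($_GET['page'] ?? 'home');
```

Setting allow_url_include = Off in php.ini (the default since PHP 5.2) adds a second layer against remote URLs in include(), but it does not replace the allowlist, since local files can still be included through an unvalidated path.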
It may be noted that the Santy worm and its variants affect only targeted bulletin board sites and do not pose a threat to web surfers who visit them.