New worm uses Google
2004-12-22 14:04
New York - A computer worm has attacked and vandalised tens of thousands of websites by looking up potential new victims on Google.
The "Santy" worm, which appeared on the internet on Monday, had compromised at least 38 000 computers by midday on Tuesday, according to iDefense Inc, a computer-security intelligence firm.
As Santy spreads, it leaves behind a red-lettered message on victim sites: "This site is defaced!!! NeverEverNoSanity."
The worm replaces files with its own code, a manoeuvre that can destroy data and cause other websites using the same machine to become infected.
"Santy.A isn't a present from Santa Claus, but a fast spreading worm from the Grinch," said Ken Dunham, iDefense's director of malicious code, in an e-mail.
The self-spreading malicious program attacks web servers that use flawed versions of an open-source web scripting language related to HTML called phpBB, which is commonly used for bulletin board forums.
It finds sites to attack by searching in Google's search engine for sites that use the language, according to the Sans Institute, a research organisation for network administrators. It searches for "viewtopic.php", which currently returns 4.1 million links.
Mikko Hypponen, director of anti-virus research at F-Secure Corp, wrote in the Finnish company's weblog that Google "could stop this Santy outbreak right now simply by stopping responding to the queries the viruses uses. This wouldn't hurt any end users and would in fact take load off from Google servers."
A Google spokesperson said the company is looking into the issue.