|Place of Origin||South America?|
|Source Language||Perl script|
|File type||Perl script|
Santy is a worm that attacks servers running a vulnerable version of the phpBB, a free software package for creating internet forums, to spread. It defaces websites, but does not spread to the systems of end users, even if they visit the website of an infected server. It is the first of any malware to use Google to find hosts.
Santy uses Google to do a search for "viewtopic.php". If it finds a website that it can exploit, it sends itself to the new target in 20-byte chunks. If any of the chunks are lost while infecting the new system, the worm may not function correctly. The worm is copied to the file name m1ho2of on the target system. Once copied, it uses the same exploit again to execute on the newly infected machine.
The worm keeps a generation counter for every new infection. If this counter is higher than 3, it will search for files with extensions .htm, .php, .asp, .shtm, .jsp and .phtm to replace them with its own page. This new page will contain the text: "This site is defaced!!! NeverEverNoSanity WebWorm generation [generation number]".
There are four versions of Santy. Most are functionally similar to the original. Santy.B uses Google Brazil, Yahoo! and AOL search engines to spread and installs an IRC bot on infected systems. One variant, its likely origin traced to Argentina, which deletes a previous version of the worm from infected systems and secures them. It defaces the webpages with the text, "viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11.". Mikko Hyppo:nen of F-Secure refused to refer to it as a "beneficial worm", citing the amount of network resources it used on machines it was disinfecting.
Thousands of websites were defaced by the worm. The number of defaced sites may have gone as high as 40,000, as doing a Google search on the phrase "NeverEverNoSanity" on the day of the attack turned up 39,000 hits on Google. The number of potential victims at the time was probably around 6 million.
While the place of origin of the original variant has yet to be determined, South America seems to be the most likely place, given some details about the variants.
The exploit the worm uses was known of since November 12 of the year the worm was relesased. They reported the bug to phpBB, but did not get the response they wanted, so they posted it to bugtraq, making knowledge of how to exploit the vuilnerability publicly available. This lead to some sites being cracked, and eventually to the worm.
Santy is named for a word from the text in its payload, minus the "i" in Sanity. As is often the case, the antivirus researchers probably gave it this name to annoy the creator, as they did with Bizatch. The word "Santy" appears in a major turd of a Chrismas-themed song, probably the only one more annoying than "Jingle Bells" in a movie so bad, having anything of yours named after it would drive someone insane. On a more positive note however, Santy is a form of an Italian family name, which a marine drill instructor in World War II ordered shortened from Santanastassia.
F-Secure Antivirus, Net-Worm:W32/Santy.A.
John Leyden. The Register, Santy worm defaces thousands of sites. 2004.12.21
Robert Lemos. CNet News, Net worm using Google to spread. 2004.12.21
Ingrid Marson. ZDNet UK, Anti-Santy worm spreads. 2004.12.31
Check Point Software Technologies, Santy.A & Santy.B Worms Protection. 2004.12.22
psoTFX. phpBB, howdark.com exploits - follow up. 2004.11.18
Dr. Sanity, The Santy Name. 2004.12.28