Google Security Under Fire

Google Desktop Hole Fixed, but worm continues to spread using Google

12:32 pm on Dec 22, 2004 (gmt 0)

New User

10+ Year Member

joined:Oct 4, 2004
votes: 0


In an alert posted on the Gartner Web site, analysts Whit Andrews and Ray Wagner said that even though Google quickly fixed the bug by rolling out an auto update, "Gartner still advises caution in enterprise deployment of this tool."


The Santy.a worm used the search engine to select potential victims. Armed with the list, the worm sent code designed to compromise the potentially vulnerable sites. Because its search engine was a linchpin for the attack, if Google had been ready for the eventuality, the company could have stopped the worm cold, said Hypponen, the research director for antivirus company F-Secure.

1:46 pm on Dec 22, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 22, 2003
votes: 0

Santy.a asks Google to return a list of sites using older versions of the phpBB software. It then connects to those sites and exploits a vulnerability to access the server running the bulletin-board software. The worm then overwrites .htm, .php, .asp, .shtm, .jsp, and .phtm files with text that reads, "This site is defaced! This site is defaced! NeverEverNoSanity WebWorm generation." Keanini notes that hackers have been gathering this sort of intelligence by doing manual searches for some time now. This worm, he says, may be one of the first that automates this process.

Earlier Tuesday, searching for "NeverEverNoSanity" returned some 38,000 results--most of them presumably pages defaced by the worm. As of 1 p.m. PST, that text string returned zero results.


It's back, showing about 1520 results today.

2:19 pm on Dec 22, 2004 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator ianturner is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 19, 2001
votes: 10

And it could just as easily have been Yahoo, MSN, Ask Jeeves or any minor search engine that was used for automated queries.

Once you can do one you can do them all.

I'm just amazed it has taken them this long to do the automated queries.

4:23 pm on Dec 22, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Mar 4, 2004
votes: 0

There was a virus earlier this year that used Google queries as part of a DDOS attack against Microsoft (can't remember the name of it).

If you go to F-Secure's weblog, it looks as if it took G 7 hours from when they were first notified of the problem, to when they started blocking the query using the query string and the useragent profile.

7 hours.

When was the last time any other outfit had that kind of response time? Overall, I'm marking how G handled it as a win for them, in terms of security response time.

4:27 pm on Dec 22, 2004 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member encyclo is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 31, 2003
votes: 2

Blaming Google for the worm is like blaming the Yellow Pages when a telemarketer calls: it is just a tool used by the worm, which could just as well have used MSN or Yahoo.

At least Google are working to mitigate the problem, and undoubtedly will learn from the experience and will be better prepared in the future.

There is no connection between this story and the GDS problems, apart from the desperate grab for headlines.

4:43 pm on Dec 22, 2004 (gmt 0)

Administrator from US 

WebmasterWorld Administrator brett_tabke is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 21, 1999
votes: 11

> Blaming Google

Agreed, but it is up to Google to act when they know they are the major link in the conduit for a virus to propagate.

7:17 pm on Dec 22, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member googleguy is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Oct 8, 2001
votes: 0

I believe that our "Contact Us" page has a security-specific address; it could be that the people trying to reach us emailed to the main address. I wouldn't be surprised if our security team proactively reaches out to the anti-virus companies to make sure that they've got a specific email address that they can use next time.

7:19 pm on Dec 22, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Jan 1, 2004
votes: 0

A security flaw in phpBB made the front page again? Half of this has nothing to do with Google security; the other half should read, "Industry applauds Google for speedy reaction."

Anyone running GDS is automatically protected, and as has already been stated, prank callers looking up numbers in a phone book is nothing new and nothing novel.

8:10 pm on Dec 22, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member whoisgregg is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Dec 9, 2003
votes: 0

This case is now over. The Santy worm is not spreading any more, thanks to Google.

Google started filtering the queries made by the worm around midnight GMT, effectively stopping the spread of the worm. Apparently they are doing this based on a combination of the search terms and the User-Agent header field.

(Above from the F-Secure weblog, removed link due to TOS.)

They also had voiced confusion over the right people to email at Google. Looks like F-Secure is linked up with the Google security folks now which should be an example for other anti-virus companies and other search engines. ;)

<edit>Forgot about no "blog" links.</edit>

8:48 pm on Dec 23, 2004 (gmt 0)

New User

10+ Year Member

joined:Mar 21, 2004
votes: 0

It's actually a PHP exploit; PHP should be upgraded to 4.3.10. phpBB and other forum software is just one way in. This really should have been taken care of by the hosting companies running the servers before the attacks, not after. I was attacked and don't even run phpBB on the sites affected.

Recently a serious exploitable issue was discovered in PHP (the scripting language in which phpBB, IPB, vB, etc. are written) versions prior to 4.3.10. The problematical functions include unserialize and realpath. phpBB (along with a great many other scripts including IPB, vB, etc.) use these two functions as a matter of course.

[phpbb.com]

9:06 pm on Dec 23, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Oct 24, 2004
votes: 0

Hey Google Guy, is that what it took to get you out of retirement? So now you're here, about the sandbox: when are you letting my sites out? Go on, spill the beans, it's Christmas, I won't tell Larry and Sergey!...

9:58 pm on Dec 23, 2004 (gmt 0)

Senior Member

joined:Dec 29, 2003
votes: 0

Google security will take another beating once writers find out that people can knock off their competitor SERPS via 302 or Meta Refresh re-directs..

They can't say they weren't aware of it either. In addition to $billions, with power and market share comes responsibility and an obligation to try to do the right thing so little people don't get screwed.

10:55 pm on Dec 23, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Oct 24, 2004
votes: 0

I agree with you and it's very hard to understand. Google said that a competitor would never be able to hijack your site, but it's here and it's real, and they are not saying anything or offering any comfort to the sites affected that it will be resolved.

6:23 am on Dec 24, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:June 29, 2004
votes: 0

Hey Guys..

Even I was affected with this virus

This site is defaced!
"NeverEverNoSanity" generation 18....

but that damn virus affected my two sites..
Lucky me that I was checking my sites as usual and I found this message on my sites, and I was scared because I haven't seen such things earlier....

Well, anyway, I was having the backup and I uploaded

I hope it will be fine.....and there will be no attack by the same virus....
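
As an added example (not part of any post in this thread): a document-root scan for the defacement text quoted earlier in the thread, limited to the file types the worm is reported to overwrite, and separating overwritten files from pages that merely quote the string. Matching extensions by prefix, the 2048-byte cut-off and the sample files are assumptions of this example.

```python
import os
import re
import tempfile

# Extensions the thread says the worm overwrites; matching by prefix so that
# .html, .shtml and .phtml are also checked is an assumption of this example.
EXT_PREFIXES = (".htm", ".php", ".asp", ".shtm", ".jsp", ".phtm")
MARKER = b"NeverEverNoSanity"
GENERATION = re.compile(rb"generation\s*(\d+)", re.IGNORECASE)
# Assumed cut-off: an overwritten file holds only the short defacement text,
# while a larger page that merely quotes the string is reported as a mention.
MAX_DEFACED_BYTES = 2048


def scan_docroot(root):
    """Return a sorted list of (relative_path, verdict, generation) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if not ext.startswith(EXT_PREFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if MARKER not in data:
                continue
            verdict = "defaced" if len(data) <= MAX_DEFACED_BYTES else "mention"
            match = GENERATION.search(data)
            gen = int(match.group(1)) if match else None
            findings.append((os.path.relpath(path, root), verdict, gen))
    return sorted(findings)


def demo():
    """Build a constructed docroot (sample files made up here) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "index.php": b"This site is defaced! NeverEverNoSanity WebWorm generation 18",
            "about.html": b"<html><body>About us</body></html>",
            "news.htm": b"<p>Report on NeverEverNoSanity</p>" + b"x" * 4096,
            "notes.txt": b"NeverEverNoSanity",
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_docroot(root)
```

Files reported as "defaced" are the ones to restore from backup; "mention" rows are pages that contain the string but are too large to be the worm's replacement text.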


