Net Worm Uses Google to Spread

troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist if you use Microsoft's Search engine to scan for the phrase 'NeverEverNoSanity'-- part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T : ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.

Head line is way to misleading

[mkop]

There is nothing wrong with google. only with people who have not pathced the php buletin boards

Latest Version of phpBB Unaffected

[akiy]

It looks like the latest phpBB version 2.0.11 [phpbb.com]or a simple patch [phpbb.com] will thwart the worm, though. Time to upgrade if you haven't yet!

snort signatures

[UnderAttack]

The ISC posted a couple of snort sigs [sans.org] and other details.

Re:Latest Version of phpBB Unaffected

[Cutriss]

Yes and no.

It will protect your boards from being targeted by the Google component of the worm. However, if your boards are running on a shared server, and someone else has a vulnerable version of phpBB installed on their space, you could still be vulnerable. The worm is designed to poke around once it manages to lodge itself inside a host.

Ordinarily, you could just blame those infected in this manner for not using proper permissions on their board installs, but with the amount of custom modifications many people have installed on their boards, it'd be no surprise if 90% of the people that think they're safe actually aren't. Make sure your files aren't writeable, folks.

Re:Under the Google radar

[rednip]

even better, I did a search on the beta msn site for 'NeverEverNoSanity WebWorm generation' [msn.com], the best that I got as a search result was 20 (well the first couple of pages), but the site read 11 when I went to it, I suppose that the worm is writing over it's own defacement.

Re:Hmmmm

[Sikmaz]

Different Exploit, that is a seperate problem that allows people to do even more bad things such as reading your config.php to get your sql password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10

Re:Head line is way to misleading

[taylortbb]

Actually, it doesn't have to do with unpatched phpBB installations. It has to do with unpatched PHP installations.

phpBB has an explanation of what the problem is, it can be found at:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=24 8046 [phpbb.com]

OTHER FORUMS ARE VULNERABLE

(and no, I am not a phpBB zealot, I am pointing out a misconception)

Re:NeverEverNoSanity

[Loether]

The virus is searching google for sites not yet infected. Googling [google.com] for "Powered by phpBB" does return results. Some of which are now defaced.

If google wants to stop the virus then they could disable "Powered by phpBB" as a search term. The reason "NeverEverNoSanity" doesn't come up on google is becuase googlebot is extreamly slow to index new content on most sites.

Re:Under the Google radar

[Anonymous Coward]

umm.. that's just the eicar.com AV test file.. not really a virus - just a file that sets off your AV software so you know it's working. why is this informative?

Re:I got hit HARD! :(

[Anonymous Coward]

That's why I don't call it a backup if it's hot. If you just put in a second drive, it doesn't save you from 'rm -rf /' or from a power supply that commits suicide... and decides to take the rest of the hardware with it.

Backups are on cold hardware, on a shelf. At the minimum. Preferably in another building.

For all of you saying it's a PHP exploit

[VeneficusAcerbus]

From ISC:

Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, its still a good idea to update php.

The Robot Threat

[D_Lehman(at)ISPAN.or]

Robots aren't bad, they help people find things, and get them to your site. However, if you would rather keep them away from you, consider using your robots.txt http://www.robotstxt.org/ [robotstxt.org] along with meta tags on pages. You can also set certain content to be filtered out by looking at the connecting agent. Things you should consider filtering out would be admin links/pages, version numbers (often in the footer of pages), and files that aren't related to content. There's no reason for Google to know what your login pages look like, for instance.

If I've said it once, I've said it 1000 times. When you secure the old tech first, you find fewer problems with the new tech. robots.txt, .htaccess, proper chmod/chown... these are the things that can prevent a new bug from being a really bad new bug.

Not PHP Bugs - phpBB exploit is used

[a16]

As per the parent of this post, the post modded '+5 Informative' is false and includes the wrong announcement.

This is not caused by the php bugs, it uses an issue in phpBB 2.0.10 and below. 2.0.11 fixes this, and has been available for ages (over a month).

So in summary, if you use phpBB - upgrade to 2.0.11 now - not upgrading is not an option.

I feel the above needs to be clarified, as there are already numerous people posting false information. Upgrading your PHP version won't protect against this (but you need to do it anyway to protect against other issues) - upgrading to phpBB 2.0.11 will. Simple :)

Re:address tag and no robots

[daten]

The ADDRESS element may be used by authors to supply contact information for a document or a major part of a document such as a form. This element often appears at the beginning or end of a document.

http://www.w3.org/TR/html401/struct/global.html#ed ef-ADDRESS [w3.org]

I've used it for years. By the way, how often do you review the html source of webpages you visit?

Re:Ehhh.. Tape drive perhaps??

[Zen Punk]

Nonsense. A hard drive on the shelf, in the safe, whatever, is no more vulnerable than a tape on the shelf. If you left your backup tape mounted all the time, it would be just as insecure as adding a second drive and calling it a "backup."

Re:Under the Google radar

[orangesquid]

You can search for specific generations ( http://beta.search.msn.com/results.aspx?q=%22Never EverNoSanity+WebWorm+generation+4%22&FORM=QBRE ) to see the spread:
0, 1, 2, 3 - no hits
4 - 2335 hits
5 - 9297 hits
6 - 7218 hits
7 - 7288 hits
8 - 10746 hits
9 - 12009 hits
10 - 11752 hits
11 - 14866 hits
12 - 13267 hits
13 - 8393 hits
14 - 13317 hits
15 - 3840 hits
16 - 5004 hits
17 - 1950 hits
18 - 3344 hits
19 - 6 hits
20 - 1 hit
21 - 3 hits
22 - 1 hit
23 - 1 hit
24 - 1 hit
25, 26, 27, 28, 29, 30 - no hits

Re:Head line is way to misleading

[a16]

No, what you are saying is false. The phpBB 2.0.10 security issue is not related in any way to the PHP exploits discovered recently. And this worm uses the 2.0.10 exploits, not PHP.

MSN actually returns 207 results

[bharatman]

MSN's first page estimates are always grossly inflated. Try this link instead:

http://beta.search.msn.com/results.aspx?q=NeverE ve rNoSanity&first=200&count=10&FORM=PERE4

Note that I the "first" param is 200 (which is the equivalent of going to page 20). It hits the end of the results and revises its estimate.

Re:Head line is way to misleading

[sr180]

A board I assist to admin was done and it Runs Invision Power Board on PHP. The worm kept knocking it over, originally it started as version 1.2 but eventually changed to version 1.3.

That indicates to me that someone may have been doing some active development on it...

Clarification

[Sheepdot]

I had to explain this to a colleague earlier in layman's terms, so I'm repeating it here:

For those of you who think this is solely a PHP or PHPBB bug, it's actually quite a bit more involved than that. A series of exploits for PHP were released, and subsequently, a lot of forum software, not just phpBB, is exploitable.

This worm uses a legitimate function which the phpBB developers have for functionality of their forum software. This legitimate function is exploitable in certain versions of PHP. Due to the speed in which the exploit was released, it could be that the worm developer had the engine ready and was simply looking for a PHP exploit to come out for a function that was used with a widely available web application package. They hit jackpot with phpBB and PHP together.

The developer didn't thinking to make it so that it added a random element to it's Google searches or didn't use different search engines. In fact, it almost looks like this was simply a trial run for a future worm that will be much more complex and may possibly span a multitude of web applications.

A concept was written up earlier this year here:
http://www.imperva.com/application_defense_ center/ white_papers/application_worms.html?show=appworm

It now appears that niddhog (the concept worm) has been made evident. Fortunately, it did not include such things as Code Red and Nimda did with using IE exploits to infect the clients that would view these websites.

It is a bleak future with the idea of Web Application Worms coupled with IE exploits. Not only do you have the method and distribution combined, but such a thing would be highly anonymous for the malware author and could spread to the highest point of infection in a matter of hours as IE users visited their favorite community websites running exploitable forum software.

Re:This one's fun to debug - perl via url

[Anonymous Coward]

Dunno about you guys but I've been getting hits like that since NOVEMBER when the highlight bug first surfaced.

You might want to amuse yourself with the following PHP code, add to viewtopic.php right after it checks "isset($HTTP_GET_VARS['highlight']))"...

if (preg_match('/chr\(/', $HTTP_GET_VARS['highlight'])) {
$h = preg_replace('/(?:%2e)?chr\((\d+)\)/ei', 'chr(\1)',
$HTTP_GET_VARS['highlight']);
$h = preg_replace('/%2e/i', '', $h);
$h = preg_replace('/%27/', "'", $h);
error_log("viewtopic hack attempt: $h", 0);
}

Then it will show you the hack attempts in the error log.

Be sure to upgrade your PHP and phpBB FIRST! ;-)

My webserver just got hit by this

[AC-x]

Looking at all the automatic PHP error responses, it seems that as long as the web server's task does not have write access to the web sites folder you're safe.

Download the full source code

[EqualSlash]

Looks like you didn't read the Bugtraq posting completely... There's an zip attachment with the fully decoded perl script.
Download link [theaimsgroup.com]

Re:Clarification

[ScottMacVicar]

I've been looking at the PHP related security hole and this does not have anything to do with the exploit the worm uses.

The PHP exploit was to do with the length part of a serialized string, it wasn't correctly enforced and a suitably large enough value would crash a crash and print out contents of the stack which could include any variable within the script. s:1000:"test"; the 1000 part is not correctly checked.

The phpBB exploit is regarding a remote code execution vulnerability, in this case it uses this vulnerability to fetch a perl script from a remote server and write it to the forum before executing it using the system command in PHP.

So this worm only affects phpBB 2.0.10 and below.

Re:phpBB2 need a security mailing list

[lightdarkness]

There is indeed a way to get updates. On source forge, you can subscribe to get updates when new packages are released.

Re:phpBB2 need a security mailing list

[a16]

Don't spread FUD.
Sourceforge offers release trackers which the phpBB team openly point people to if they want mail updates:
http://sourceforge.net/project/filemodule_monitor. php?filemodule_id=28882 [sourceforge.net]
Or of course, there is the RSS feed :
http://www.phpbb.com/rss.php [phpbb.com]
And, after 'popular demand' they are currently working on a special security mailing list that people can subscribe to.

MOD PARENT UP

[a16]

The worm is related to an issue in phpBB 2.0.10 as per the parent, nothing to do with any PHP issues.

I do wish mods would be careful when modding posts that they obviously no nothing about as 'informative' - to be 'informative' you have to give correct information, not just information that looks technical enough to be correct.

Re:I got hit

[tchuladdiass]

Not only keep up on patches, but also seperation of services. Your web server should run under a chrooted environment at minimum, as a non-privlidged user. Any files that doesn't need to be written to by the web applications (including html and cgi files) should be owned by a different user id (and not world-writable).

The most secure setup I've come up with is setting up Usermode Linux (or Linux Vservers) so that I have a bunch of virtual OS's running, each with only the bare minimum libraries that are needed to support each one's dedicated services (got one set up for bind, sendmail, apache). Each virtual OS session has multiple network interfaces (one is set up as an "internal" network only, another is set up to accept packets redirected from the outside vi iptables rules). Any config/data files that I need to update periodicaly (such as the html files for the web server process) live in a partition on the parent server, NFS exported read-only to the appropriate session's internal virtual ip address. Any files that they need to write to are symlinked to a locally-owned filesystem. Log files are set up append only (still working on this, I was thinking of using one of the user-space filesystems to impliment this feature, or checking if selinux can handle that).

Re:Latest Version of phpBB Unaffected

[Tony Hoyle]

phpBB is very hard to upgrade.

To install many plugins requires making changes to the source by hand. Some of the websites I host have several of these, and I'm not even sure which ones (I didn't add them).

Plus, if you use a custom theme you have to recreate it after upgrading, which is a right pain in the arse as all the paths are hardcoded... even with sed/grep it takes an hour or two to turn subSilver into CustomSilver.

Re:Ehhh.. Tape drive perhaps??

[Woody77]

In order to have any kind of automated backup solution, a human attacker will be able to get to it.

I see a couple easy blocks to these, though:

1) write a shell script for mounting the backup drive, both onto the SCSI chain and into the filesystem, performing the backup, and then unmount it.

2) round-robin the drives on a regular basis, so an IT monkey can physically swap out sets when needed to provide off-site storage (basically use hot-swap bays like very large, fast tape jukeboxes).

3) encrypt the pertinent scripts, and use yet another script with a bening name to perform the decryption of the shell script, the chmod to executable of it, and then exec'ing it.

****

Yes, it's still hackable, but it ups the bar considerably, and if you're swaping the drives out nightly/weekly, you've got good backups that are offline, and not too old.

Re:Under the Google radar

[defrabelizer]

Google found it. At last, and quite a couple generations to: Gen : Hits 1 : 639 2 : 572 3 : 508 4 : 443 5 : 404 6 : 434 7 : 351 8 : 87 9 : 198 10 : 96 11 : 102 12 : 40 13 : 109 14 : 208 15 : 228 16 : 110 17 : 30 18 : 150 19 : 49 20 : 8 21 : 3 22 : 1 23 : 1 24 : 3 25 - 30: none Ok, well, google dint find as many See what happens when we let script kiddies learn perl