Anti-Santy Worm Patches phpBB Flaw

sebFlyte writes "Interesting Santy worm story -- there's now an anti-Santy worm proliferating, which spreads the same way as a normal worm, but rather than killing machines or taking control of them, it gives them security updates..." We mentioned the Santy worm about ten days ago.

Not very benificial

[lightdarkness]

Is reporting [f-secure.com] that they don't know if the worm actually patches it sucessfully. For all we know, it could be infecting the System. When searching [msn.com], only 3 results came up.

Re:White Knight Viruses/Worms?

[lachlan76]

No, there was another one, the Nachi virus.

IIRC, this caused as much damage as a normal worm. It crashed systems, destroyed windows installations, etc. etc.

Nice thought but...

[Tajas]

This was a nice thought of sorts on the writers hands and is a good wake-up call to make people upgrade their outdated sites. I did a simple google search and found 2 sites that were hit by this anti-santy worm. I wonder what the admins of these sites are going to tell the people they work for?

Below are 2 sites that as of this posting have:
viewtopic.php secured by Anti-Santy-Worm V4

Your site is a bit safer, but upgrade to >= 2.0.11 !!
Upgrsrv:201.255.84.219/

http://www.ifotografi.it/secure.php/ [ifotografi.it]

http://www.forum.moto-portal.pl/secure.php/ [moto-portal.pl]

The Code

[RobertTaylor]

Full code of asw.txt here.... [greatdeal.co.uk]

This is the code of the worm extracted from a vulnerable box.

# asw: anti santy worm
# this worm will try to fix any viewtopic.php on local box
# will use this box for 1 day to search other buggy phpBB forums, and end.
etc...

Re:which brings up another question...

[mobby_6kl]

You can just download the BeOS setup file (about 45-50mb) and run it as any other program. The rather normal installation process follows, it creates some files on a (preferably) FAT partition, all you then need to do is double-click the BeOS icon and the computer will reboot into BeOS. Download is availible here. [bebits.com]

Re:Concealed ends?

[nazarijo]

yes, this has been thoroughly investigated. i've done several writeups and linked to papers and analysis on wormblog [wormblog.com].

i am wholeheartedly against "benevolent worms".

Re:Security update?

[Anonymous Coward]

No. It is more like knowing that a kick to the door will pop it open, after which you replace the faulty tumbler.

The open door analogy is flawed because it operates under the pretense that an open door is faulty. A door can be open by design. A programming bug is not open by design. It is an error, just like a tumbler on a closed door which fails under physical pressure.