
Anti-Santy Worm Patches phpBB Flaw

Posted by michael
from the whether-you-like-it-or-not dept.
sebFlyte writes "Interesting Santy worm story -- there's now an anti-Santy worm proliferating, which spreads the same way as a normal worm, but rather than killing machines or taking control of them, it gives them security updates..." We mentioned the Santy worm about ten days ago.
  • Not very beneficial (Score:5, Informative)

    by lightdarkness (791960) * on Friday December 31, 2004 @12:26PM (#11228159) Homepage Journal
    Is reporting [f-secure.com] that they don't know if the worm actually patches it successfully. For all we know, it could be infecting the System. When searching [msn.com], only 3 results came up.
    • by smartdreamer (666870) on Friday December 31, 2004 @02:09PM (#11228865)
      If you are waiting for an Anti-Virus company to say "this virus is good and effective" you will wait a long time.

      What I see is a company saying we are first to report but we won't say anything that can be good for our "enemy". There is nothing difficult about testing its efficiency but it is not in their interest.

      I am not saying this worm is good, but that if they wanted to verify it would be easy.

  • Aren't... (Score:5, Funny)

    by Anonymous Coward on Friday December 31, 2004 @12:27PM (#11228170)
    worms that remove/kill the MS OS is the same as a security patch?
  • hohoho (Score:2, Funny)

    by Anonymous Coward
    Ho-ho-holes
  • by Chemisor (97276) on Friday December 31, 2004 @12:28PM (#11228172)
    "You see Mom, there are Good worms and there are Bad worms"
  • White Worms (Score:3, Interesting)

    by ErichTheWebGuy (745925) on Friday December 31, 2004 @12:28PM (#11228175) Homepage
    I feel that white worms, when done correctly, are a good thing. This is a case where the ends justify the means, even if it does mean compromising vulnerable systems.
    • Re:White Worms (Score:3, Interesting)

      by savagedome (742194)
      White worms? Ha! I prefer to call them Earthworms since they belong to both sides!
    • by Texodore (56174) on Friday December 31, 2004 @12:30PM (#11228199)
      I have a white worm that updates my system. It pops up with the name "Automatic Updates."
    • Re:White Worms (Score:5, Insightful)

      by antifoidulus (807088) on Friday December 31, 2004 @12:32PM (#11228212) Homepage Journal
      Till the worm installs a security patch that causes a bug that it takes someone hours upon hours of debugging to locate. People should be allowed to patch when they want. Patches aren't always 100% correct, and some can cause some major havoc. Let each person decide if/when the patch is needed...
      • And viruses and worms don't cause even more "major havoc?"
        • Yes they do, but there are more ways to deal with them than just "patching" ya know. Everyone knows their own situation best, it's a bit arrogant to force other people to do "what is good for them". Everyone should be in charge of their own systems, simple as that.
      • Re:White Worms (Score:4, Insightful)

        by grumbel (592662) <grumbel@gmx.de> on Friday December 31, 2004 @12:41PM (#11228299) Homepage
        ### Patches aren't always 100% correct, and some can cause some major havoc.

        If I have the choice between havoc caused by a patch and havoc caused by a hostile breakin into the system, I'll pick the havoc caused by the patch, that at least doesn't leave any hidden backdoors behind.
      • Till the worm installs a security patch that causes a bug that it takes someone hours upon hours of debugging to locate. People should be allowed to patch when they want. Patches aren't always 100% correct, and some can cause some major havoc. Let each person decide if/when the patch is needed...

        For home users this should be a non-issue. Just install the patch. Businesses need to be a little more careful.
      • Re:White Worms (Score:3, Insightful)

        by Bam359 (796809)

        Let each person decide if/when the patch is needed

        What kind of skewed vision of the world do you have that would allow you to make such a comment?

        If a person is intelligent enough to patch their system, then they need not worry about the worm, as they will have patched their systems against it! Those not intelligent enough to patch their systems will get infected, and then have their system patched; it's win-win.

        It is a similar concept to those bar code scanners we have at work: The letters of t

        • Obviously you're not the admin of an enterprise server room.

          Pretty much any organization of a decent size is going to have a production environment, and a pre-production testing environment. Pretty much all of these organizations are going to have checklists to make ANY changes to the production environment -- one of which is usually an installation/test period in the pre-production environment.

          Let's say there's a worm out there that can infect a system in the production environment. Let's say there's a
      • But if someone's machine has a security hole and they are, say, already infected with a virus/worm that is actively attacking and attempting to infect other machines, and the user is blissfully unaware of this (read: negligent), then isn't this a fair way to react to the problem that they are facilitating?

        If someone's car stalls out on a travel lane of a highway and they just leave it to go home and think about what to do, the police will have it towed, to protect public safety. If the driver returns to f
    • Re:White Worms (Score:5, Insightful)

      by aborchers (471342) on Friday December 31, 2004 @12:34PM (#11228224) Homepage Journal
      In principle they seem good, but what about when a white worm installs a patch that interferes with legitimate operation of the system? It is perfectly possible a vulnerability was left alone by the operator because the patch would have rendered the system unusable and that security measures external to the vulnerable system render the vulnerability moot.

      Of course, such machines aren't the ones likely to intersect common worm spread vectors...

      • It is perfectly possible a vulnerability was left alone by the operator because the patch would have rendered the system unusable and that security measures external to the vulnerable system render the vulnerability moot.

        No, it is not, since the patch-worm uses the same vulnerability the bad-worm exploits. So if the good worm can get in, the bad worm can do this as well.

        • You miss the point. If I have a system with a vulnerability on the network that is protected by an external layer of security (e.g. a firewall or gateway that blocks access to the vulnerable service) then the machine is effectively as invulnerable as if it had been patched (with respect to traffic from outside that gateway). Example: my httpd may have a security flaw, but if I have blocked port 80 at the firewall, then no request will ever be able to exploit it.

          It is routine security practice to test
          • You miss the point. If I have a system with a vulnerability on the network that is protected by an external layer of security (e.g. a firewall or gateway that blocks access to the vulnerable service) then the machine is effectively as invulnerable as if it had been patched (with respect to traffic from outside that gateway). Example: my httpd may have a security flaw, but if I have blocked port 80 at the firewall, then no request will ever be able to exploit it.

            But if port 80 is blocked, the good w

      • I suggest we stop these useless speculations and wait until your hypothetical case becomes reality. And even in the unlikely case that this white worm causes harm to one system, this is more than compensated by many other systems that it successfully fixes.
        • Aren't you making an awful lot of assumptions about the nature of the machines fixed? Is it worth it to patch 1000 spam zombies but bring down one air traffic control system?

    • Re:White Worms (Score:5, Interesting)

      by GoofyBoy (44399) on Friday December 31, 2004 @12:36PM (#11228245) Journal
      From the article;

      "If a site is infected, the worm causes a huge amount of traffic and slows down the site. I don't think it's possible to write a beneficial worm."
    • Conundrum (Score:2, Interesting)

      by jabber01 (225154)
      White worms are a nice theory, but I think they should be fought just as vehemently by anti-virus software as malicious ones.

      Holes they use should never be left unpatched, even if the worm's patches are not applied.

      Consider: If there was a benign strain of HIV out there that immunized you to Herpes upon infection, would you give up condoms?
    • I feel that white worms, when done correctly, are a good thing
      This is a code-phrase used by guys who meet at rest-stops or in bathhouses, isn't it?
      This is a case where the ends justify the means....
      Yeah, I though so.

      Not that there's anything wrong with that....
    • The ends justify the means? I don't think so! When the white worm author determines what the ends are, and what correctly is, it is still just a worm. Anything installed behind my back on my computer is bad, evil, no-good-nick!
    • by Anonymous Coward
      Also purple worms, when handled correctly, are a good thing. If you're wearing a ring of slow digestion you can try to get swallowed on purpose for a respite. Even better, charm one for a pet; they're very tough, superior to Archons even in the endgame. (A pet purple worm can clear out the Castle easily) Or you could always polymorph to one, assuming you have some sort of polymorph control.

      If, somehow, you get infected by a worm, or maybe Juiblex, remember to use a unicorn horn immediately, or eat some euc
    • I agree with that, white worm when done right is a good thing. However to be really a good thing such a white worm needs to be official, ie. signed by those who have written the valuable software, else any bad worm could come by, add a little "I patched your system" message and in reality just install a backdoor. There is of course still the danger that a evil worm got first into the system before the white worm could fix it so some audit on what changed in the system is still necessary, but it could at lea
    • Re:White Worms (Score:5, Insightful)

      by Niet3sche (534663) on Friday December 31, 2004 @01:54PM (#11228765)
      I feel that white worms, when done correctly, are a good thing. This is a case where the ends justify the means, even if it does mean compromising vulnerable systems.

      I disagree.

      I very nearly wrote an anti-code-blue worm a few years back, and got to the point of payload (patch) deployment when the glaring flaw came to me: any time that you or a program that you made does something unexpected, or makes a connection to another machine, YOU are liable for what happens. Given that heterogeneous computers and networks exist, can you test for 100% of all possible cases? Likely not.

      It's not so much that I disagree with the sentiment, you see, but I find it impossible to ever run into the case that a white worm is done correctly and can be certified as such.

      In the example above, for instance, all that an attacker would have to do would be to infect a netblock with Code Blue, point them at my anti-blue worm launcher, and then watch the fun as I "cause" a DDOS with all the network traffic that will go spewing back and forth between the two sites. The attacker has now been able to affect the Availability of two sites in one go. Not exactly something that I'd like my name attached to, hence the reason that no anti-code-blue-worms have been released into the wild from me.

    • A truly benign white worm would be a marvel on a level with cold fusion.

      Realistically though, white worms are the kudzu of computer science.
    • She gets them from eating flea eggs.
  • Concealed ends? (Score:4, Insightful)

    by mOoZik (698544) on Friday December 31, 2004 @12:29PM (#11228183) Homepage
    Is it possible the "benevolent" worm actually does damage covertly? Has this been investigated thoroughly?

    • Is it possible the "benevolent" worm actually does damage covertly? Has this been investigated thoroughly?
      The only way to know for sure is if it's released under a free/open source license, such as the GNU GPL.
    • anything that surreptitiously enters my computer for any reason would be considered damage, even if the intent is benevolent. Why? Because I like my ability to choose what to do and not to do, or at least choose the option to let things happen automatically.

      Choice, the problem is choice.

      • You assume that everyone can make the right choice, and quickly enough to have any effect. I'm a believer in democracy, and freedom, or whatever, but there are times when a dictatorship is absolutely necessary.
    • Re:Concealed ends? (Score:2, Informative)

      by nazarijo (606415)
      yes, this has been thoroughly investigated. i've done several writeups and linked to papers and analysis on wormblog [wormblog.com].

      i am wholeheartedly against "benevolent worms".

  • Is there a satisfaction guarantee with the virus?

    Wasn't there a Welcha worm that cleaned up Blaster, and once the path was clear, it just gave you another virus? :p
  • A bit uneasy... (Score:2, Interesting)

    this does sound a bit sneaky and intrusive, but if it's breaking into computers and doing good deeds perhaps we should just let it. After all, people sure as hell aren't doing security updates on their own, might as well let somebody do them.
    • Re:A bit uneasy... (Score:3, Insightful)

      by Tired_Blood (582679)
      If everyone were using the same identical machines and configuration, then perhaps. But that's just not going to be the case.

      Here's my take on these types of worms:

      I have evidence which leads me to strongly believe that your kitchen faucet is leaking, badly. This will no doubt cause flooding and damage. Instead of warning you about it, I (a random citizen) will now fix this problem for you.

      Of course, since I don't know your home, I may break something unrelated to your current problem. But don't wor
  • Still illegal (Score:4, Insightful)

    by Anonymous Coward on Friday December 31, 2004 @12:29PM (#11228189)
    The author of this worm still doesn't have permission to modify the source code running on people's servers. Yes, they may be idiots, but idiots still have rights (for the moment).
    • This is like the vigilante cop who knows beyond a shadow of a doubt that a suspect is guilty of a heinous crime and also knows that he'll never get enough evidence to convict the suspect before he strikes again. So he goes and 'anonymously' drops a cap in the suspect's head.

      Is it just? The cop thought so.
      Is it ethical or legal? Nope.
      Is it safe? Uh-uh.
      Did he save lives? Very possibly.

      The cop can sleep at night and the 'bad guy' doesn't commit any more crimes. Society is served... assuming the cop was right.
      • Re:Still illegal (Score:4, Insightful)

        by fyngyrz (762201) on Friday December 31, 2004 @03:26PM (#11229306) Homepage Journal

        In the real world, however, vigilante justice is often flawed and often destroys the lives of innocents. It's not hard to find examples from the lowest level -- the accidental killing of people living next door to a bail-jumper -- to the highest -- the unilateral invasion of a sovereign nation on false pretense.

        Note: My reply is entirely US-centric.

        Although both your examples in the quoted passage are examples of the system screwing up, not vigilantes screwing up, I think I do recognize the tone you're trying to take -- that vigilantes can make errors. I interpret your message as carrying an underlying tone that this is a reason to avoid citizen level responses. You weren't explicit about this, so feel free to correct me if I got it wrong. Proceeding on that assumption, though:

        That, and more, can be said for the formal justice system as well. The only difference is that the mistakes are made by someone who represents "duly constituted authority and power", rather than someone who took authority and power for themselves.

        Look at the facts. Judges and juries put innocents behind bars on a regular basis. (Witness the recent DNA exoneration of those folks on death row and the subsequent removal of all prisoners from death row by the governor, a man who I frankly consider a hero for this action.) Citizens' supposedly inviolate rights are trampled, and hard, by the courts. Every day. Guantanamo. Registration. Double jeopardy. Freedom of speech. Freedom from unreasonable search. Restrictions on travel. Government support of religion. Etc., ad nauseam. Reparations for errors in prosecution and punishment are minimal or non-existent, and of course for capital punishment, impossible. "Mommy" laws that should never become law are inflicted on us left and right, and at times with terrible social and personal consequences (drug laws are the poster child for this one, though they are hardly isolated in either "mommyness" or inherently being agents of harm.)

        The fact is, you should not trust the system to "do right." It hasn't, doesn't, and will not. The evidence is right there before your face each and every day. So the issue of citizen response naturally arises because of pressure from the system.

        Turning to our network experience, consider spam. I don't know about you, but spam has cost me a lot of hours. Not just on my desk, but interfering with my business (asswipes using our domain names as return addresses for spam is one way, there are others.) What has the government done about it? Not a #$%^#$%^ thing in practical terms. In fact, with the CAN-SPAM act, they basically climbed right in bed with the spammers. Should I sit there like a turnip and not respond when the spammers screw with my life? The government isn't addressing the problem, so what is the correct course of action? Bending over?

        Consider software piracy and shrink wrap licensing and software patents. At the legislative level, these issues have been well and truly fumbled, though that surely under-describes the problem. Should I sit there like a turnip and not respond when the pirates steal my software? The government isn't addressing this problem either, so again, what is the correct course of action? Still bending over?

        Viruses and worms -- again, we're supposed to bend over and take it without lube or even a reach-around, right? Because... well, why? Why should we? Why? Most people have been doing just that, and what do we have to show for it? I'll tell you -- we have a bumper crop of viruses and worms, that's what we have.

        It all comes down to one thing: If you trust and wait for the duly-constituted authorities to "do what is right" then you are simply naive. They're almost certainly not going to. They rarely do.

        It turns out that the correct course of action becomes very clear when you think about the important things in your life, and what is actually best for society.

        For instance, i

    • The author of this worm still doesn't have permission to modify the source code running on people's servers. Yes, they may be idiots, but idiots still have rights (for the moment).

      Which raises the question:
      Should the law change?
  • by shigelojoe (590080) on Friday December 31, 2004 @12:30PM (#11228198)
    ...and the Santy worm come in contact, would it cause the server to asplode in a brilliant flash of light?
  • by Novous (844236) on Friday December 31, 2004 @12:31PM (#11228207)
    The problem with a "good" virus is that, because of an oversight, it may cause more damage. It could open up a new exploit, or subtly damage a part of the server.
    • From what I pick up, it changes something in viewtopic.php. If someone's gonna go to the effort of creating a self-spreading "fix" then I should think they've tested to make sure it won't do any further damage. That is assuming it is a 'white' worm and if it only touches one file.
    • But the net effect is that a patched system is still better than vulnerable or even exploited one. If you were in the middle of a deadly virus outbreak, wouldn't you prefer to use a vaccine, even if you were only 90% sure that it works?
  • Security update? (Score:5, Insightful)

    by jacobcaz (91509) on Friday December 31, 2004 @12:32PM (#11228213) Homepage
    Is this really a "security update" as much as it's fiddling a bit with some PHP code? And this "beneficial" worm still defaces the site too:
    • Sites that have been attacked by the anti-Santy worm are defaced with the words: "viewtopic.php secured by Anti-Santy-Worm V4. Your site is a bit safer, but upgrade to >= 2.0.11."
    If I break into your house and clean your bathroom you could call me beneficial, but you might get a little upset if I used spray-paint to write "This house is a bit cleaner, but buy some Lysol" on your front door.
  • by mohrt (72095) on Friday December 31, 2004 @12:34PM (#11228226) Homepage
    Using a worm as a way to help instead of wreak havoc, this is an interesting idea. Why don't they carry this idea over to Spam and use it to send me things I'm actually interested in?
  • Anti-IE worm... (Score:5, Interesting)

    by Vague but True (804899) on Friday December 31, 2004 @12:36PM (#11228240)
    How long before someone makes an "Anti-IE" worm that automatically installs FF on everyone's computers?
  • by genessy (587377) on Friday December 31, 2004 @12:37PM (#11228249)
    Even if the worm patched the site without defacing it yet again, it's still going to bog down networks by replicating. Perhaps a better alternative would be to send a simple e-mail to vulnerable sites and allow them to make the decision to patch or upgrade to the newest version.
    • As I mentioned before, everyone is assuming that even if an admin knew about the vulnerability, they would do something, or know how to do something about it. Worms cause martial law on the internet.
    • Perhaps a better alternative would be to send a simple e-mail to vulnerable sites and allow them to make the decision to patch or upgrade to the newest version.

      This sounds really great in theory. Unfortunately, I know too many people who politely explained to someone that they had a security problem, just to have an embarrassed admin turn around and claim that the person pointing it out must be a hacker breaking into the system.

      I even know a case where a person explained that the password on windows 95

    • In the article Mikko Hyppönen complained that, "although the worm may seem beneficial, in fact it is likely to cause problems for administrators who will have to handle the increase in traffic."

      But the way I see it your site only gets infected by this worm if you are running an old version of php (less than php-4.3.10). The best way for an admin to deal with the traffic is just patch your system in the first place.

      No vulnerability.
      No worm.
      No increased traffic.

      The time to patch your servers was tw
  • by Epistax (544591) <epistax&gmail,com> on Friday December 31, 2004 @12:40PM (#11228282) Journal
    Driftwood: "It's alright, that's in every contract! That's what they call the 'Sanity Clause.'"
    Fiorello: "Ha-ha-ha-ha-ha. You can't fool me...there ain't no Sanity Clause."
  • by melvo (841054) on Friday December 31, 2004 @12:41PM (#11228296)
    The "success" of viruses and worms so far has been characterised by their ability to reproduce. This bears some resemblance to their genetic counterparts.

    Perhaps the next phase will be a virus or worm that follows genetic theory. The genetic features that would have to be modelled would be:

    1) it is considered beneficial
    2) it can reproduce
    3) it can mutate

    The successful entities would then survive, and the unsuccessful mutations would die out. Survival of the fittest?
  • by zogger (617870) on Friday December 31, 2004 @12:42PM (#11228302) Homepage Journal
    ... well, to me anyway because I just don't know. There are a lot of distros out there, including all the various "live" versions, and various ways to install. I am wondering, is there such a beast as a no-brainer, one-click-to-install Linux distro that works over the internet and would seamlessly replace a user's windows install with a working and safe linux distro while downloading and installing? I mean, a windows user (or another linux user, whatever) clicks on a webpage link and off she goes? With broadband now, it's common to download an ISO and burn it; I was just wondering if there was a distro that was designed from the ground up to eliminate that intermediary step. Say someone had finally just had it with windows problems, just said to heck with it, just replace this whole mess with something else, etc. Click, download, install, as easy as a normal app? I know there are "network" installs, but those are usually targeted at corporations where a lot of PCs are on the LAN, etc. I mean one for joe raw beginner newbie home user surfer.
    • You can just download the BeOS setup file (about 45-50mb) and run it as any other program. The rather normal installation process follows; it creates some files on a (preferably) FAT partition, and all you then need to do is double-click the BeOS icon and the computer will reboot into BeOS. Download is available here. [bebits.com]
  • Nice thought but... (Score:2, Informative)

    by Tajas (785666)
    This was a nice thought of sorts on the writer's hands and is a good wake-up call to make people upgrade their outdated sites. I did a simple google search and found 2 sites that were hit by this anti-santy worm. I wonder what the admins of these sites are going to tell the people they work for?

    Below are 2 sites that as of this posting have:
    viewtopic.php secured by Anti-Santy-Worm V4

    Your site is a bit safer, but upgrade to >= 2.0.11 !!
    Upgrsrv:201.255.84.219/

    http://www.ifotografi.it/secure.php/ [ifotografi.it]

    htt [moto-portal.pl]
  • The Code (Score:5, Informative)

    by RobertTaylor (444958) <roberttaylor1234&gmail,com> on Friday December 31, 2004 @01:22PM (#11228564) Homepage Journal
    Full code of asw.txt here.... [greatdeal.co.uk]

    This is the code of the worm extracted from a vulnerable box.

    # asw: anti santy worm
    # this worm will try to fix any viewtopic.php on local box
    # will use this box for 1 day to search other buggy phpBB forums, and end.

    etc...
  • If the administrator is not absolutely dumb, the .php file must not be owned by the same user that runs the webserver. Then the worm can not patch the file with the vulnerability.
    I wish to know more details about how the Anti-Santy patch is done. Any URL?
    A self-spreading worm is always dangerous; another approach, of doubtful legality but more polite, is the strike-back philosophy. If someone attacks you then strike back and patch them (and install another strike-back worm). With this technique the infection cou
  • Hasn't this been done before? Everyone praised it as a great idea but later it was found that it also added a back door. Very sneaky.
  • by human bean (222811) on Friday December 31, 2004 @02:23PM (#11228948)
    If you cannot stop people from doing dumb things and running systems that are open to this sort of abuse, then at least they could be nice enough to not bother the rest of us.

    I need a router/switch/filter that recognises worm/virus traffic for what it is and sets QOS down (or out) on such traffic. Better yet, I want my internet provider to have one. So the neighbor next door's got twelve sessions of Butt Trumpet running on his PC and more broadband in Mbps than he has brain cells to rub together; that doesn't mean the pipes I use outta here need to be affected.

    Niceties would be an ability to recognise interactive traffic and flag it for regular service. Not an original idea, by the by, was first mentioned in sf by John Brunner some years back.

    Another project I will never get round to.

    This is the end of the rant. We now return you to your regularly scheduled /. programming. Had this been of actual importance, you would have been instructed where to browse for further news and information. This is only a rant.
  • Reasonable force (Score:2, Insightful)

    by PurpleWizard (643191)
    Be interesting to see if you could use the "reasonable force" defence for actions such as writing a paladin worm.

    "I was just taking reasonable steps to protect my property from the attacks of others"

    • And I thought I was going to get through a /. discussion w/o a reference to Bush. Shall I propose a new corollary to Godwin's law? /. discussions will always degenerate to a Bush analogy. The one who makes that analogy loses.

      And thus one more step is in place for Bush to be compared to the Nazis.

      Doh! I just violated Godwin's Law! And my own!
      /me ducks
  • But I like installing my OWN updates. I don't care if it's not malware; if it takes the choice out of my hands it's bad news. Keep your paws off my machine, thank you.

    --Tso
  • The method in the first post here [phpbb.com] is currently effective against both - which are PITA DoS attacks, even if phpBB is patched or updated, unless blocked by this or a similar method.
