NEWS FROM THE LAB - Wednesday, December 22, 2004

Wrapup on case Santy Posted by Mikko @ 06:17 GMT

This case is now over. The Santy worm is not spreading any more, thanks to Google.

Google started filtering the queries made by the worm around midnight GMT, effectively stopping the spread of the worm. Apparently they are doing this based on a combination of the search terms and the User-Agent header field.

This is from an email we got from the Google Security Team:

  While a seven hour response for something like this is not outrageous,
  we think we can and should do better. We will be reviewing our
  procedures to improve our response time in the future to similar problems.

Google has also started showing the defaced websites in its index. MSN Search already had them visible over 12 hours ago, so apparently the indexing process takes longer at Google.

As we reported earlier, MSN Search reports huge numbers of websites to be affected. However, if you keep paging through the search results, you get different figures. MSN Search reports 29,000 hits, but runs out of hits already on results page 15 - with 153 actual hits shown. Google finds 202 defaced sites right now. It's hard to estimate how many sites actually got hit.

Results from MSN
Results from Google

Another thing that can be figured out from the search engines is the generation count of the worm. Santy displays its generation number in the defacement. So, say, generation 5 would mean that this specific instance of the worm had infected four web sites before this one.

The highest generation count we've been able to locate is 22.

Santy Generation 22

We won't be seeing much higher generation counts. One reason for this is that Santy gets corrupted easily. The exploit it uses is only able to transfer around 20 bytes of data at a time, so the worm transfers itself from one web site to another in small chunks. If a chunk goes missing, the worm might still work fine (it's a Perl script, after all... Perl looks like line noise anyway) - or it might fail. The more generations there are, the more likely it is to fail because of this.

We can also adjust the first sighting time for this worm. One of our readers reports seeing Santy infection attempts in his phpBB logs already at 9:25 GMT on the 20th of December - which is 18 hours earlier than our earliest sighting so far (thanks, Constantinos).

That's it. From our point of view this is now case closed.