Although the concept of an automatic network worm that randomly targets sites with PHP vulnerabilities sounds really bad, in practice these latest Santy variants haven't gotten out of control.

This operation seems to be run by a group of Brazilian hackers that are creating a botnet which is controlled via an IRC server operating under gigachat.net.

We checked the channel recently and it had less than 100 bots on it. So while there are lots of vulnerable sites out there, this worm is still under control.

It's actually surprising there aren't more infections, as the worm seems to be bounding some PHP sites aggressively, even to the point of creating a denial-of-service by just overloading them. This hits worst the sites that are best picked up by search engines. One administrator reported seeing 1-2 hits to his site every second for the past 20 hours.

In fact, the Santy variants that were found during Christmas holidays shouldn't be categorized under the Santy family at all - the code is different and they are targetting a different vulnerability. The only similarities are that they all are written in Perl, all target PHP sites and all use search engines.

Update:The latest variants have now indeed been categorized under a new family called "Spyki".