Preliminary evaluation of Santy outbreak

Google has announced that it will block search requests from Santy in order to prevent the worm from spreading further. I don’t think that this is enough to solve the problem. The author can always release new versions that use other search engines, such as MSN or Yahoo.

What is worse, we have discovered a new version of Santy. It seems very likely that some ‘script kiddies’ have got hold of the source code. If this is true, they will create new versions with new features, just as happened with Lovesan. The author of Lovesan is still free, but several co-authors have been arrested, even though they only changed some text strings in the worm’s file.

It is hard to count the exact number of sites infected by Santy over the past 24 hours. Search engines only find the text created by the worm that is still online; many other sites have already been disinfected or taken down. My first rough estimate would put the number at several hundred web sites worldwide. However, for the reasons above, the actual number may well be in the thousands.

PS So far the maximum number of Santy.a generations we have seen remains at 24:
