Preliminary evaluation of Santy outbreak

Google has announced that it will block search requests from Santy in order to prevent the worm from spreading further. I don’t think that this is enough to solve the problem. The author can always release new versions that use other search engines – MSN or Yahoo, for instance.

What is worse, we have discovered a new version of Santy. It seems very likely that some ‘script kiddies’ have gotten hold of the source code. If this is true, they will create new versions with new features, just like Lovesan. The author of Lovesan is still free, but several co-authors have been arrested, even though they only changed some text strings in the worm’s file.

It is hard to count the exact number of sites infected by Santy over the past 24 hours. Search engines only find the texts created by the worm that are still online. Many other sites have been disinfected or closed down. My first rough estimate would put the number at several hundred web sites worldwide. However, due to the above, the actual number may well be in the thousands.

PS So far the maximum number of Santy.a generations we have seen remains at 24:

