Preliminary evaluation of Santy outbreak

Google has announced that it will block search requests from Santy in order to prevent the worm from spreading further. I don’t think that this is enough to solve the problem. The author can always release new versions that use other search engines – MSN or Yahoo, for instance.

What is worse, we have discovered a new version of Santy. It seems very likely that some ‘script kiddies’ have gotten hold of the source code. If this is true, they will create new versions with new features, just like Lovesan. The author of Lovesan is still free, but several co-authors have been arrested, even though they only changed some text strings in the worm’s file.

It is hard to count the exact number of sites infected by Santy over the past 24 hours. Search engines only find the texts created by the worm that are still online; many other sites have already been disinfected or closed down. My first rough estimate would put the number at several hundred web sites worldwide. However, for the reasons above, the actual number may well be in the thousands.

PS: So far the maximum number of Santy.a generations we have seen remains at 24.
