A worm is a program, a computer virus, that reproduces itself and spreads the copies from computer to computer across a network. As a slight variation on this, so-called Google worms also use a computer’s sending and receiving functionality, and use Google to attack other systems by sending queries. If left unchecked, such a worm can flood thousands of mailboxes with copies of itself and initiate senseless Google searches, so-called denial of service attacks, from the machines that it has infected.
One famous example of a denial of service attack was caused by the worm MyDoom. It attacked Google and several other search engines by using a back door that allowed hackers to take control of infected systems. These back doors made it easy for the worm to harvest email addresses.
But the term Google Worm did not, until recently, carry such a negative connotation. The “real” Google Worm (also referred to as The Googlebot, The Google Crawler or The Google Robot) is nothing more than Google’s robot spider that is used by the company to detect and index web pages for its famous search engine database – and for the rest of us to locate and then use, of course.
This little software robot finds sites automatically by “crawling” the web. A given site’s HTML Meta tags make references to its server’s local robots.txt file, which in turn gives specific directions to the robot as to what can be included in or excluded from the Google database.
Unfortunately, a new form of worm, also referred to as the Google Worm, not only uses Google to attack other systems by sending queries, it also uses Google’s search engine database to locate vulnerable systems, to connect to them and to deface their web sites.
A recent example of such an insidious program is the so-called net-worm.perl-santy.a worm. It queries Google and locates web sites which run a specific version of vulnerable software – in this case version 2.0.11 of phpBB, the open-source bulletin-board package written in the PHP scripting language, which, of course, has been fixed in the meantime. Santy.a then connects to those sites and exploits the vulnerability it was designed to exploit, thus gaining access to the server that is running the actual bulletin-board software. It then annihilates critical files (.htm, .php, .asp etc.) and vandalizes the site with meaningless text, its signature so to speak.
One interesting aspect of this new type of worm is the fact that it automatically gathers information. Up until now, hackers had to search out their victims manually. This kind of automation will certainly appear more and more in the future and will make the need for effective and up-to-date anti-virus software (and regular backups) all the more important.
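The overwrite described above leaves a recognisable trace for the site owner: many .htm, .php and .asp files change at once and end up with identical content. The following is an added example, not part of the original article, of a baseline-and-compare integrity check. The sample site, the 50% threshold and all function names are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from collections import Counter

# Extensions the article lists as overwritten; extend for your own site.
WEB_EXTENSIONS = {".htm", ".php", ".asp"}

def snapshot(root):
    """Map relative path -> SHA-256 digest for every web file under root."""
    digests = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in WEB_EXTENSIONS:
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    digests[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def assess(baseline, current, threshold=0.5):
    """Flag a mass overwrite: many baseline files now share one new digest."""
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    counts = Counter(current[p] for p in changed)
    top = counts.most_common(1)[0][1] if counts else 0
    return {"changed": changed, "missing": missing, "identical_overwrites": top,
            "mass_defacement": top >= 2 and top >= threshold * len(baseline)}

def write_files(root, files):
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

def demo():
    """Constructed site: baseline, one routine edit, then a uniform overwrite."""
    site = {"index.htm": "<h1>Home</h1>", "forum/view.php": "<?php /* topic */",
            "forum/login.php": "<?php /* login */", "contact.asp": "<% c %>", "notes.txt": "n/a"}
    with tempfile.TemporaryDirectory() as root:
        write_files(root, site)
        baseline = snapshot(root)
        write_files(root, {"index.htm": "<h1>Home, updated</h1>"})
        routine = assess(baseline, snapshot(root))
        write_files(root, {rel: "CONSTRUCTED DEFACEMENT TEXT" for rel in baseline})
        defaced = assess(baseline, snapshot(root))
    return routine, defaced

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the web server, alongside the backups, so that a compromise of the site cannot rewrite it.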
So what’s the moral of this story? Always be aware of possible inherent dangers when installing an open-source (or any other) software package. And always have a good anti-virus package from a reputable company installed on your system; consider configuring it to automatically update itself. And always keep your operating system patched to the very latest patch level.