Fizzer worm more interesting than harmful

A peculiar hybrid


Looking at the fizzer worm, one has some difficulty defining it clearly. It uses various means of propagation such as e-mail and P2P shares and attempts several destructive activities, but it doesn't get all of its core business quite right.

Perhaps it tries to do too much. It propagates via e-mail; it finds the KaZaA directory and infects files to be shared; it floods IRC with bots that so far have done little but flood IRC, though they do have destructive potential; it logs the host's keystrokes, saves them to an encrypted file and opens a backdoor; it attempts to disable anti-virus software; and it tries to update itself automatically. If it had been fully debugged and polished before being released for the first time, it might now be making a mess of the Internet and inspiring the US Department of Homeland Security to action, or at least to holding several press conferences in which action would be discussed.

The chief weakness is that the worm hasn't got an efficient e-mail routine and requires user interaction to propagate. While this guarantees that it will spread because there are people who will open e-mail attachments no matter how many times they're warned, this is not the way to achieve the sort of instant 'market penetration' that Code Red or Nimda did by automatically exploiting software vulnerabilities. It's been reported that the virus mails itself to everyone in a host's Windows address book, but this appears to be untrue. It does mail itself to randomly-generated e-mail addresses, which helps explain its rather slow spread. Beyond that, it was designed to update itself by reaching out to a single Web site, in this case one that was closed promptly. Interestingly, it has its own un-install routine, distinguishing its author as one of the more thoughtful virus writers.

It is trying to establish a large, overarching botnet on IRC, though with limited success. Each host is logged into two randomly-chosen IRC networks with randomly-chosen nicks. The bots accept numerous commands though not all of them work at the moment. One command enables IRC admins to initiate the uninstall routine, clearing the virus from infected hosts, and several people are actively doing so.

This discovery is the result of an unusual cooperative effort among IRC admins called IRC-Unity, which was launched specifically to address fizzer. It's in IRC that the worm's negative effects are mainly concentrated. While not particularly destructive, it does create bandwidth problems for some networks and of course gobbles up a large number of connections.

John McGarrigle of RealmNET started the project only a week ago, bringing in over a hundred IRC admins, and in that time the group has developed a way of uninstalling fizzer from infected hosts in large numbers. The group has "collected more information on the fizzer virus than one network and its staff could ever manage on its own," McGarrigle says.

We spoke with several members of IRC-Unity and the consensus is that if the worm were fully functional it would be a tremendous burden on IRC overall. As it is, some smaller nets are anticipating bandwidth charges considerably higher than they're prepared to deal with. A small network can see its resources drained considerably by an infestation of bots. Susan Jones-Anderson, Network Administrator of FinancialChat.com, is one of those whose IRC operation has been hit disproportionately hard because of its small size.

Several admins we spoke with say that, despite its flaws in execution, fizzer is by far the best concept they've seen for launching mass attacks via IRC. Most agree that the current version is a beta being field tested and debugged by the author, and they expect to see a fully-functional, truly efficient version coming out in the near future.

Fortunately, this trial run has given IRC operators a heads up on the virus and enabled them to develop effective countermeasures. "A lot of networks are currently actively sending these commands to the bots as they join the network," McGarrigle says. "Once we hit that golden number of disinfecting more hosts than are being infected, we will be eating into the number of infected hosts. So, slowly but surely, the vast majority of fizzer-infected PCs will be cleaned."

This brings up a recurring debate on just how far an administrator should be allowed to go in defending his network from attack. In this case the countermeasures are ultimately therapeutic, but they may still be illegal because they involve running code on a machine belonging to someone else. In August 2002 we described a method for remotely disinfecting Nimda, which generated a considerable flood of reader e-mail both for and against. In the meantime, little consensus on how and when one might be justified in taking such action has emerged in the wider security community.

But if fizzer should return in a fast-spreading, more destructive version, this sort of counterattack might be the only plausible way of dealing with it. In that case it would be nice for admins to know whether or not they're breaking the law. ®
