Fizzer worm more interesting than harmful

A peculiar hybrid

  • alert
  • submit to reddit

SANS - Survey on application security programs

Looking at the fizzer worm, one has some difficulty defining it clearly. It uses various means of propagation such as e-mail and P2P shares and attempts several destructive activities, but it doesn't get all of its core business quite right.

Perhaps it tries to do too much. It propagates via e-mail; it finds the KaZaA directory and infects files to be shared; it floods IRC with bots that so far have done little but flood IRC, though they do have destructive potential; it logs the host's keystrokes, saves them to an encrypted file and opens a backdoor; it attempts to disable anti-virus software; and it tries to update itself automatically. If it had been fully debugged and polished before being released for the first time, it might now be making a mess of the Internet and inspiring the US Department of Homeland Security to action, or at least to holding several press conferences in which action would be discussed.

The chief weakness is that the worm hasn't got an efficient e-mail routine and requires user interaction to propagate. While this guarantees that it will spread because there are people who will open e-mail attachments no matter how many times they're warned, this is not the the way to achieve the sort of instant 'market penetration' that Code Red or Nimda did by automatically exploiting software vulnerabilities. It's been reported that the virus mails itself to everyone in a host's Windows address book, but this appears to be untrue. It does mail itself to randomly-generated e-mail addresses, which helps explain its rather slow spread. Beyond that, it was designed to update itself by reaching out to a single Web site, in this case one that was closed promptly. Interestingly, it has its own un-install routine, distinguishing its author as one of the more thoughtful virus writers.

It is trying to establish a large, overarching botnet on IRC, though with limited success. Each host is logged into two randomly-chosen IRC networks with randomly-chosen nicks. The bots accept numerous commands though not all of them work at the moment. One command enables IRC admins to initiate the uninstall routine, clearing the virus from infected hosts, and several people are actively doing so.

This discovery is the result of an unusual cooperative effort among IRC admins called IRC-Unity, which was launched specifically to address fizzer. It's in IRC that the worm's negative effects are mainly concentrated. While not particularly destructive, it does create bandwidth problems for some networks and of course gobbles up a large number of connections.

John McGarrigle of RealmNET started the project only a week ago, bringing in over a hundred IRC admins, and in that time the group has developed a way of uninstalling fizzer from infected hosts in large numbers. The group has "collected more information on the fizzer virus than one network and it's staff could ever manage on it's own," McGarrigle says.

We spoke with several members of IRC-Unity and the consensus is that if the worm were fully functional it would be a tremendous burden on IRC overall. As it is, some smaller nets are anticipating bandwidth charges considerably higher than they're prepared to deal with. A small network can see its resources drained considerably by an infestation of bots. Susan Jones-Anderson, Network Administrator of FinancialChat.com, is one of those whose IRC operation has been hit disproportionately hard because of its small size.

Several admins we spoke with say that, despite its flaws in execution, fizzer is by far the best concept they've seen for launching mass attacks via IRC. Most agree that the current version is a beta being field tested and debugged by the author, and they expect to see a fully-functional, truly efficient version coming out in the near future.

Fortunately, this trial run has given IRC operators a heads up on the virus and enabled them to develop effective countermeasures. "A lot of networks are currently actively sending these commands to the bots as they join the network," McGarrigle says. "Once we hit that golden number of disinfecting more hosts than are being infected, we will be eating into the number of infected hosts. So, slowly but surely, the vast majority of fizzer infected PC's will be cleaned."

This brings up a recurring debate on just how far an administrator should be allowed to go in defending his network from attack. In this case the countermeasures are ultimately therapeutic, but they may still be illegal because they involve running code on a machine belonging to someone else. In August 2002 we described a method for remotely disinfecting Nimda, which generated a considerable flood of reader e-mail both for and against. In the mean time, little consensus on how and when one might be justified in taking such action has emerged in the wider security community.

But if fizzer should return in a fast-spreading, more destructive version, this sort of counterattack might be the only plausible way of dealing with it. In that case it would be nice for admins to know whether or not they're breaking the law. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story


Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.