Fizzer worm more interesting than harmful

A peculiar hybrid

Looking at the fizzer worm, one has some difficulty defining it clearly. It uses various means of propagation such as e-mail and P2P shares and attempts several destructive activities, but it doesn't get all of its core business quite right.

Perhaps it tries to do too much. It propagates via e-mail; it finds the KaZaA directory and infects files to be shared; it floods IRC with bots that so far have done little but flood IRC, though they do have destructive potential; it logs the host's keystrokes, saves them to an encrypted file and opens a backdoor; it attempts to disable anti-virus software; and it tries to update itself automatically. If it had been fully debugged and polished before being released for the first time, it might now be making a mess of the Internet and inspiring the US Department of Homeland Security to action, or at least to holding several press conferences in which action would be discussed.

The chief weakness is that the worm hasn't got an efficient e-mail routine and requires user interaction to propagate. While this guarantees that it will spread because there are people who will open e-mail attachments no matter how many times they're warned, this is not the way to achieve the sort of instant 'market penetration' that Code Red or Nimda did by automatically exploiting software vulnerabilities. It's been reported that the virus mails itself to everyone in a host's Windows address book, but this appears to be untrue. It does mail itself to randomly-generated e-mail addresses, which helps explain its rather slow spread. Beyond that, it was designed to update itself by reaching out to a single Web site, in this case one that was closed promptly. Interestingly, it has its own un-install routine, distinguishing its author as one of the more thoughtful virus writers.

It is trying to establish a large, overarching botnet on IRC, though with limited success. Each host is logged into two randomly-chosen IRC networks with randomly-chosen nicks. The bots accept numerous commands though not all of them work at the moment. One command enables IRC admins to initiate the uninstall routine, clearing the virus from infected hosts, and several people are actively doing so.

This discovery is the result of an unusual cooperative effort among IRC admins called IRC-Unity, which was launched specifically to address fizzer. It's in IRC that the worm's negative effects are mainly concentrated. While not particularly destructive, it does create bandwidth problems for some networks and of course gobbles up a large number of connections.

John McGarrigle of RealmNET started the project only a week ago, bringing in over a hundred IRC admins, and in that time the group has developed a way of uninstalling fizzer from infected hosts in large numbers. The group has "collected more information on the fizzer virus than one network and its staff could ever manage on its own," McGarrigle says.

We spoke with several members of IRC-Unity and the consensus is that if the worm were fully functional it would be a tremendous burden on IRC overall. As it is, some smaller nets are anticipating bandwidth charges considerably higher than they're prepared to deal with. A small network can see its resources drained considerably by an infestation of bots. Susan Jones-Anderson, Network Administrator of FinancialChat.com, is one of those whose IRC operation has been hit disproportionately hard because of its small size.

Several admins we spoke with say that, despite its flaws in execution, fizzer is by far the best concept they've seen for launching mass attacks via IRC. Most agree that the current version is a beta being field tested and debugged by the author, and they expect to see a fully-functional, truly efficient version coming out in the near future.

Fortunately, this trial run has given IRC operators a heads up on the virus and enabled them to develop effective countermeasures. "A lot of networks are currently actively sending these commands to the bots as they join the network," McGarrigle says. "Once we hit that golden number of disinfecting more hosts than are being infected, we will be eating into the number of infected hosts. So, slowly but surely, the vast majority of fizzer-infected PCs will be cleaned."

This brings up a recurring debate on just how far an administrator should be allowed to go in defending his network from attack. In this case the countermeasures are ultimately therapeutic, but they may still be illegal because they involve running code on a machine belonging to someone else. In August 2002 we described a method for remotely disinfecting Nimda, which generated a considerable flood of reader e-mail both for and against. In the meantime, little consensus on how and when one might be justified in taking such action has emerged in the wider security community.

But if fizzer should return in a fast-spreading, more destructive version, this sort of counterattack might be the only plausible way of dealing with it. In that case it would be nice for admins to know whether or not they're breaking the law. ®
