Fizzer worm more interesting than harmful

A peculiar hybrid

Looking at the fizzer worm, one has some difficulty defining it clearly. It uses various means of propagation such as e-mail and P2P shares and attempts several destructive activities, but it doesn't get all of its core business quite right.

Perhaps it tries to do too much. It propagates via e-mail; it finds the KaZaA directory and infects files to be shared; it floods IRC with bots that so far have done little but flood IRC, though they do have destructive potential; it logs the host's keystrokes, saves them to an encrypted file and opens a backdoor; it attempts to disable anti-virus software; and it tries to update itself automatically. If it had been fully debugged and polished before being released for the first time, it might now be making a mess of the Internet and inspiring the US Department of Homeland Security to action, or at least to holding several press conferences in which action would be discussed.

The chief weakness is that the worm hasn't got an efficient e-mail routine and requires user interaction to propagate. While this guarantees that it will spread because there are people who will open e-mail attachments no matter how many times they're warned, this is not the the way to achieve the sort of instant 'market penetration' that Code Red or Nimda did by automatically exploiting software vulnerabilities. It's been reported that the virus mails itself to everyone in a host's Windows address book, but this appears to be untrue. It does mail itself to randomly-generated e-mail addresses, which helps explain its rather slow spread. Beyond that, it was designed to update itself by reaching out to a single Web site, in this case one that was closed promptly. Interestingly, it has its own un-install routine, distinguishing its author as one of the more thoughtful virus writers.

It is trying to establish a large, overarching botnet on IRC, though with limited success. Each host is logged into two randomly-chosen IRC networks with randomly-chosen nicks. The bots accept numerous commands though not all of them work at the moment. One command enables IRC admins to initiate the uninstall routine, clearing the virus from infected hosts, and several people are actively doing so.

This discovery is the result of an unusual cooperative effort among IRC admins called IRC-Unity, which was launched specifically to address fizzer. It's in IRC that the worm's negative effects are mainly concentrated. While not particularly destructive, it does create bandwidth problems for some networks and of course gobbles up a large number of connections.

John McGarrigle of RealmNET started the project only a week ago, bringing in over a hundred IRC admins, and in that time the group has developed a way of uninstalling fizzer from infected hosts in large numbers. The group has "collected more information on the fizzer virus than one network and it's staff could ever manage on it's own," McGarrigle says.

We spoke with several members of IRC-Unity and the consensus is that if the worm were fully functional it would be a tremendous burden on IRC overall. As it is, some smaller nets are anticipating bandwidth charges considerably higher than they're prepared to deal with. A small network can see its resources drained considerably by an infestation of bots. Susan Jones-Anderson, Network Administrator of FinancialChat.com, is one of those whose IRC operation has been hit disproportionately hard because of its small size.

Several admins we spoke with say that, despite its flaws in execution, fizzer is by far the best concept they've seen for launching mass attacks via IRC. Most agree that the current version is a beta being field tested and debugged by the author, and they expect to see a fully-functional, truly efficient version coming out in the near future.

Fortunately, this trial run has given IRC operators a heads up on the virus and enabled them to develop effective countermeasures. "A lot of networks are currently actively sending these commands to the bots as they join the network," McGarrigle says. "Once we hit that golden number of disinfecting more hosts than are being infected, we will be eating into the number of infected hosts. So, slowly but surely, the vast majority of fizzer infected PC's will be cleaned."

This brings up a recurring debate on just how far an administrator should be allowed to go in defending his network from attack. In this case the countermeasures are ultimately therapeutic, but they may still be illegal because they involve running code on a machine belonging to someone else. In August 2002 we described a method for remotely disinfecting Nimda, which generated a considerable flood of reader e-mail both for and against. In the mean time, little consensus on how and when one might be justified in taking such action has emerged in the wider security community.

But if fizzer should return in a fast-spreading, more destructive version, this sort of counterattack might be the only plausible way of dealing with it. In that case it would be nice for admins to know whether or not they're breaking the law. ®

Sponsored: 5 critical considerations for enterprise cloud backup