Fizzer worm more interesting than harmful

A peculiar hybrid


Looking at the fizzer worm, one has some difficulty defining it clearly. It uses various means of propagation such as e-mail and P2P shares and attempts several destructive activities, but it doesn't get all of its core business quite right.

Perhaps it tries to do too much. It propagates via e-mail; it finds the KaZaA directory and infects files to be shared; it floods IRC with bots that so far have done little but flood IRC, though they do have destructive potential; it logs the host's keystrokes, saves them to an encrypted file and opens a backdoor; it attempts to disable anti-virus software; and it tries to update itself automatically. If it had been fully debugged and polished before being released for the first time, it might now be making a mess of the Internet and inspiring the US Department of Homeland Security to action, or at least to holding several press conferences in which action would be discussed.

The chief weakness is that the worm hasn't got an efficient e-mail routine and requires user interaction to propagate. While this guarantees that it will spread, because there are people who will open e-mail attachments no matter how many times they're warned, this is not the way to achieve the sort of instant 'market penetration' that Code Red or Nimda did by automatically exploiting software vulnerabilities. It's been reported that the virus mails itself to everyone in a host's Windows address book, but this appears to be untrue. It does mail itself to randomly-generated e-mail addresses, which helps explain its rather slow spread. Beyond that, it was designed to update itself by reaching out to a single Web site, in this case one that was closed promptly. Interestingly, it has its own uninstall routine, distinguishing its author as one of the more thoughtful virus writers.

It is trying to establish a large, overarching botnet on IRC, though with limited success. Each host is logged into two randomly-chosen IRC networks with randomly-chosen nicks. The bots accept numerous commands though not all of them work at the moment. One command enables IRC admins to initiate the uninstall routine, clearing the virus from infected hosts, and several people are actively doing so.

This discovery is the result of an unusual cooperative effort among IRC admins called IRC-Unity, which was launched specifically to address fizzer. It's in IRC that the worm's negative effects are mainly concentrated. While not particularly destructive, it does create bandwidth problems for some networks and of course gobbles up a large number of connections.

John McGarrigle of RealmNET started the project only a week ago, bringing in over a hundred IRC admins, and in that time the group has developed a way of uninstalling fizzer from infected hosts in large numbers. The group has "collected more information on the fizzer virus than one network and its staff could ever manage on its own," McGarrigle says.

We spoke with several members of IRC-Unity and the consensus is that if the worm were fully functional it would be a tremendous burden on IRC overall. As it is, some smaller nets are anticipating bandwidth charges considerably higher than they're prepared to deal with. A small network can see its resources drained considerably by an infestation of bots. Susan Jones-Anderson, Network Administrator of FinancialChat.com, is one of those whose IRC operation has been hit disproportionately hard because of its small size.

Several admins we spoke with say that, despite its flaws in execution, fizzer is by far the best concept they've seen for launching mass attacks via IRC. Most agree that the current version is a beta being field tested and debugged by the author, and they expect to see a fully-functional, truly efficient version coming out in the near future.

Fortunately, this trial run has given IRC operators a heads-up on the virus and enabled them to develop effective countermeasures. "A lot of networks are currently actively sending these commands to the bots as they join the network," McGarrigle says. "Once we hit that golden number of disinfecting more hosts than are being infected, we will be eating into the number of infected hosts. So, slowly but surely, the vast majority of fizzer-infected PCs will be cleaned."

This brings up a recurring debate on just how far an administrator should be allowed to go in defending his network from attack. In this case the countermeasures are ultimately therapeutic, but they may still be illegal because they involve running code on a machine belonging to someone else. In August 2002 we described a method for remotely disinfecting Nimda, which generated a considerable flood of reader e-mail both for and against. In the meantime, little consensus on how and when one might be justified in taking such action has emerged in the wider security community.

But if fizzer should return in a fast-spreading, more destructive version, this sort of counterattack might be the only plausible way of dealing with it. In that case it would be nice for admins to know whether or not they're breaking the law. ®
