IRC Networks Unite in Fight Against Fizzer Worm
Dave writes "Over the past few days, IRC Networks across the internet have felt the brunt of the Fizzer worm. In an unusual display of geek solidarity, representatives from dozens of IRC Networks, including EFNet, IRCNet and DALnet, have gathered to create a Fizzer Task Force. Interesting, and mostly productive results have occurred so far from such a meeting of the IRC minds."
IRC Networks across the internet have felt the brunt of the Fizzer worm.
Now, minuscule web servers, you will feel the brunt of the Slashdot behemoth!
Interesting, and mostly productive results have occurred so far from such a meeting of the IRC minds.
And, once this story is published, we'll observe the various effects of futile desperation!
Do you like German cars?
Not to point fingers, but as we all know IRC networks are a major conduit for the distribution of warez. I'm not living in a glass house here, so I'll admit that I've gotten viruses from "packs" downloaded through IRC networks. It's good to see that these guys are coming together and helping to stem the spread of this virus. Unfortunately, I've heard nothing from the KaZaA guys in this line, and they are probably much worse than the IRC people (all their clients are Windows platforms, most of their users are completely clueless, etc.) It takes some skills (not much, but some) to get stuff off IRC. Any jackass can download from KaZaA. That's where the real work needs to be done in order to stop this virus cold.
-A.M.
Pimpin' all the Karma Hoes!
Does this only affect mIRC? Why not just switch to a different IRC client?
Let's help these guys out by /.'ing their co-ordinating page!
I can just see it now, messages telling people to stop pushing their viri.
The preceding post was not a Slashvertisement.
From Symantec:
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
Heh. Clearly the work of an evil genius.
GF.
Lots of petrified grits
--anyone else get the impression this is a proactive anti-"piracy" move by the music and movie monopolists? That's what I thought of when I first read about this a couple of days ago. Looks like an attempt to shut down channels of P2P-ish nets.
Anyway, that's how I think with crimes, use flatfoot 101, "who profits?".
Most IRC worms exploit the scripting engines in the IRC clients, not an OS bug.
All of this is contributing, unfortunately, to the Death of IRC
From the official Undernet note in the link:
"At this point, the future of the Undernet and IRC remains uncertain."
Suicide Booth: You are now dead! Thank you for using Stop and Drop, America's favorite since 2008.
it's sort of like a virtual version of the 'Amber Alert' for viruses instead of lost children.
I hope it works!
Creationists are a lot like zombies. Slow, but powerful and numerous. And they all want to eat our brains.
It's YAOW (Outlook Worm). Same drill, you open an infected attachment, it copies itself to the address book as well as installs its payload.
Dammit, when are worms going to get interesting again? This "exploit the hell out of Outlook" routine is getting old.
There is no reasonable defense against an idiot with an agenda
:wq
can somebody recommend a good free antivirus for Win machines?
:-/
if there is such thing...
Mainstream media seems to report that the virus comes out of Outlook attachments ONLY, which shows how ignorance can be dangerous if this worm is effectively spread through filesharing networks...
The ENIAC Demo Competition
Problem Exists Between Chair And Keyboard. To the very best of my knowledge I haven't been infected by any virus or trojan since the early 90s when I didn't have Internet access and fast virus updates.
But even running around nekkid, I don't think I'd have caught more than a handful of viruses to begin with. Why the hell is it that people open up all the crap executable stuff they get? I think the best hope is a new generation that has grown up with SPAM, viruses etc. and don't fall for that kind of bullshit. Teaching old dogs new tricks doesn't work, but they will die eventually...
Kjella
Live today, because you never know what tomorrow brings
"task force"
Heh
Are there any programs that allow processes to be "locked on"? It would be useful to restrict attempts to kill certain processes, to people that can provide the root password.
There are probably heaps of this kind of thing, and another layer of security is always welcome.
cheap web site hosting from 3 semi-mongrels a month
Through outlook, and by the user downloading warez from Kazaa.
See this f-secure article
Become a contributor, everyone. Submit a garrulous diatribe to Slashdot and request several instances of their website!
Do you like German cars?
So, what did Microsoft do wrong that allowed this to happen? 200 words or less. 5 points off each for use of either "dancing monkeyboy" or "Borg".
some of the most organized and content-filled warez channels on the internet. It is THE place to go for that shite.
How do I know this?
erm...
Right.
And IRC would have died where it stood, full of elitist assholes and those with hacked clients lying about their OS.
Back before IRC was the 50,000+ user behemoth that it's become
/me refrains from Dr. Evil joke
There are way over one million IRC users today.
Can I use the cygwin version of BitchX?
You obviously chose to hang out on the wrong IRC servers.
So wait, when a website caters to only one browser, you bitch and moan, and get open source browsers that lie about what they are. Now, you demand that an entire operating system be cut off from IRC....what makes you think that the next day there won't be myriad IRC clients that can lie about their OS...?
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
Non-system disk or disk error
Replace disk and press any key when ready.
I was caught totally off guard on that one, but I don't think that it indicates a user = id10t problem on my part.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
don't you mean identd?
identd is a bit past its time since the explosion of unix boxen that are administered by the very same end users. The age of trust(how silly) in the admins who run servers is long over.
A radio maverick jumps to internet only. The Future of Rock n Roll
Go to any script kiddy channel, and see what they're running. It ain't windows.
Name some good H4X0R t00lZ for windows. Not so easy, is it?
All the portscanners, eggdrops, warbots, and other bullshit is linux based.
I guarantee the fellow/group behind fizzer connects with his linux box to control all of his 7337 bots.
The windows users are the leghumpers who keep asking you "a/s/l".
So why ban the victims? Ban the jerks.
You should really ban any scriptable client to 'save IRC'. There are enough stupid linux users to download "megascript for IRC-II" and have no idea what it's exposing to the mega h4x0rs of DALNet.
Your OSism is pretty much, like all prejudices, ignorant of the real issues. Just like the poor white hillbilly who thinks blacks are the cause of his problems, you sit pointing fingers at windows.
The thing to do is to simply realize that IRC is simply an insecure telnet hack. It always will be.
Recreate is based on ssh or something.
The windows users have all moved on to AIM and ICQ anyhow. IRC is old news.
I don't need no instructions to know how to rock!!!!
from Symantec: 'Keylogs all keystrokes to an encrypted file %windir%\iservc.klg.'
It stores encrypted data on your PC. You cannot use any method to decrypt this data to determine what keystrokes were collected and potentially transmitted.
Gotta love stupid laws.
comment directly in my journal
Didn't bitchx just have some nice vulnerability in their software :> Irssi on a shell would be my choice.
telax - Just another vim and c hacker.
Why hasn't Outlook been fixed yet? What happened to Microsoft's legendary quick fix responses to exploits?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
hmmmm....this virus only infects Win32 machines.
Maybe the author is just trying to bring Darwinism to IRC
I know if IRC was cleansed of all the l33t windows XP users who get online and talk about all the "problems" and "issues" with linux yet still use Internet Exploiter and Microsoft Craplook, I might not go on IRC so seldomly.
Maybe he's doing a service. Although when in a linux channel and one of these l33t people walks in and starts talking about Linux I've always enjoyed telling them "dd if=/dev/urandom of=/dev/hda makes your hard drive go faster!" and then watching half the channel drop off.
Oh well, all anyone was ever doing on Dalnet was jerking off to porn anyways.
Windows, its whats for dinner!
And, once this story is published, we'll observe the various effects of futile desperation!
If you want your bots back, tell him to push something through windoze updater and make it fast. I hope you suffer the usual M$ delays. The IRC people will be happy if you can speed things up.
Friends don't help friends install M$ junk.
This is the dumbest, most wannabe "I use an alternative OS" post I have ever seen. What an idiotic, short sighted idea. Do you have some misguided notion that IRC was created for people running Linux or BSD? I myself use mIRC under wine, because regardless of what know nothing wannabe elitists think of it, it is one of the best clients out there. So I'm running mIRC under Linux.. does that count in your stupid Windows ban? Hey, let's turn this around. Linux clients shouldn't be able to connect to Windows' servers. At least that would keep your dumbass off of slashdot, and half the internet.
Windows bashing is fine in my book, but making ridiculous suggestions is exactly that.. ridiculous.
Everyone is entitled to their own opinion. It's just that yours is stupid.
they sure did, and I hope they keep getting caught at it. The first time some senator or senator's kid or wife gets nailed, you'll see them throttle back that crap, and pronto. Until then, you have to consider that it's basically a war, and you won't get any help from joe bribed/blackmailed government.
And you think on that, who has buckets of actual cash for bribes,which industry is rife with illegal drugs to use, and who has access to a lot of starving actors and actresses and wannabes who might be persuaded to...how to put this delicately.. to "perform" on candid camera to get a video tape to use in "persuasion" to get a government official to see things a certain way?
"who profits?" apply it to crimes, 90% of the time you got your perp, pretty much a cut and dried formula. Not totally accurate, but dang good track record over the years.
An idiot responds to an idiot. The second idiot however, was a scared little bitch ass and posted as AC.
Everyone is entitled to their own opinion. It's just that yours is stupid.
From the f-secure article:
Uninstallation feature
The current variant of the worm can uninstall itself if a file with the following name is found in the Windows main directory:
Uninstall.pky
When the worm finds a file with this name, it kills all its tasks and removes its registry keys thus disinfecting a system.
An uninstall feature? How many viri typically come with that?
The entire idea of IRC is communications between individuals. Some is direct, some is centralised, that part doesn't matter. It's a P2P network, and one of the significant ways files get traded.
You obviously don't have a clue what a P2P network is. The most striking feature of a Peer to Peer network is its lack of a centralised server - you communicate with the network through a peer. IRC has centralised servers, and although it is possible to form a direct connection with another client, you cannot connect to the network _through_ them. IRC is *not* P2P.
== Jez ==
Do you miss Firefox? Try Pale Moon.
yes irc IS p2p - I hate morning. Was hoping that slid by. What I meant (as opposed to what I said) was that we do our best to keep warez out. Not that it's ever a perfect science, but if someone wanted to fight against warez it seems like they would be more selective in the server list. Hopefully I haven't also posted this twice
I have seen the truth, and it makes no sense.
What are the right ones, then?
Don't forget to include an email client that does not run as root and does not execute stuff without asking the user! M$ thinks it so much more important to have email that "works" by blaring noises and flashing pictures at you. Even if these glaring problems could be fixed on Windoze, the lack of distinction you noticed still demands a complete GUI overhaul.
The last windoze box I looked at was extremely confusing and had very poor demarcation of executables. Instead of having the distinction built into the file system and respected by the kernel, windoze users must memorize extensions like exe, vb, scr and a host of others. Even if the user memorized all the extension names, the M$ interface hides the extension by default and only one mode of file representation, "detailed", displays the file type. Even if the user is clever enough to unclick the "hide extension" button, you can still be fooled by the display which is icons by default. Microsoft's mail client is worse. "ILoveYou.jpg_with_many_spaces_here.exe" shows up as "ILoveYou.jpg" in outlook's brain dead display of attachments as icons with about 12 characters of text under them. We can hardly fault the user for wanting to look at a picture. The diligent user must drag the picture to an open file browser to see the file type. Most take the interface and the mail at face value and double click away, especially if the message came from a trusted friend who was also infected.
One way of explaining this in non-technical language is: 'If I sent you a letter and it said "please jump off the nearest cliff" and you read it, would it do any harm to you? Why should the equivalent message sent to a computer be any different?'
A mail from a friend asking you to look at a picture can hardly be seen as them asking you to jump off a cliff. Most people would not even see the request as one to throw their computer off a cliff.
Friends don't help friends install M$ junk.
Anything that doesn't have EFNet, IRCNet or God forbid Dalnet in the name is a good start.
AVG is ok, it's not as good at detection and has a smaller list than the bigguns. I recommend f-prot for dos. it is *very* good. (obviously only works on win9x and earlier.)
is to combine the RIAA technology with worm technology and devise a worm that will track down the sources of spam and erase them from the spammer's computer or crash his machine.
--yes, it's hard even from your net and op positions to keep warez and filez out, so look at it from the riaa, mpaa angle. to them, trying to find and destroy every individual is a huge project, SO, maybe some mastermind there thought it would be easier to just trash irc in general. When the military does it, any innocents who get trashed are called "collateral damage", and usually they don't care all that much, it's the spin doctor spokesweasels' problem then. and with the nature of the attacks, they got layers of insulation for "plausible deniability", even though they announced "proactive" attacks, unless there's a smoking gun found, they can claim stoopid and innocent.
just a few thoughts. I like IRC, been using it since--forget now, 93 maybe? I claim zogheimers on that, heh. Not a lot but since then. Shame to see something so cool always struggling. It's always something.
Now, you demand that an entire operating system be cut off from IRC
No need to cut them off completely. What's clearly needed is some irc apartheid, where Macs can only talk to Macs, Linux boxes to their siblings, and Windows machines have to remain in their own Tribal Trustlands, far, far away from everyone else. Anyone found guilty of OS miscegenation will be publicly flogged and then outcast from their own OS community.
After ten years or so in this irc wilderness, songs will be written to Biko-like martyrs, people who had their computers thrown out of second-story windows by IRC netcops, and eventually a Microsoft-using Nelson Mandela figure will emerge and Windows will become cool for the first time ever.
--hey, go suck a rotten lemon. Ya you, talking to you, don't need your bogus technical skillz to define little miniscule picky points. You know exactly what I was saying, and so does everyone else here.. You are about as elite as roadkill, nimrod. It's close enough with the referenced topic to pass muste
Uhm, no. Just because you want to call a horse a car doesn't make it more of a car. Get over your ego, sparky. Just admit you don't know what the hell you are talking about and move on. The whole reason why I knew what you were attempting to say is because of the idiotic subject line (IRC is P2P) which is just plain wrong.
By your definition, kazaa wouldn't be a P2P, because it uses other people's routers on the internet, you aren't telnetting between people individually.
Ok, I thought dpt was the biggest idiot on Slashdot but you are quickly outdoing him with this. Do you know the difference between packet routing and telnet?
Dacels Jewelers can't be trusted.
The blame is obvious because everyone told M$ not to make things like this before they did it.
Friends don't help friends install M$ junk.
They (Outlook and OE) have been fixed. They don't run scripts by default, and if a process does try to access the address book, you're prompted. The problem is apparently limited to morons who STILL say "sure, go ahead!" to every dialog box they see, or still have the original, nasty, unpatched versions on their machines.
Gamingmuseum.com: Give your 3D accelerator a rest.
Name some good H4X0R t00lZ for windows. Not so easy, is it? All the portscanners, eggdrops, warbots, and other bullshit is linux based.
;)
Nah, man, you just gotta if you know where to look for it. Some nice folk out there in the "H4X0R t00lZ" community stopped being *nix 1337ists and ported stuff over to Windows.
http://www.insecure.org/tools.html
Enjoy.
Let's get one thing straight: I'm not pointing shit at windows. What I am saying is that windows clients are far more likely to have the open exploits, such as outlook, such that linux script kiddies can use to turn them to zombie boxen.
I use windows, and I advocate the change of IRC to at least ban the majority of script-based clients. Regardless of my views however, they are a far distance from that of a white supremacist; if you want to be recognized as having valid opinions, I suggest you stop making such sensationalist comparisons.
Hah, this reminded me of the days of ircnews.com... when it was a BS news site like the onion because this /. post sounds like an IRCnews.com story. Now ircnews.com is actual IRC news...
- Danny
Ah! Why can't the M$ dummies do like every other reasonable OS and implement file permissions and owners within the file system? An email client that does not make attachments executable by default serves the same purpose as burdening the user with associating a file type with a text editor. Double click on a file and you will get a dialog asking you what you want to use to open the file and if you want it to remember the file type. It won't just run the script because it's not executable and won't be unless the mail client itself changes it, which is a lot of trouble to go through to duplicate a M$ brain dead thing.
Associating vbs with notepad goes a long way toward defeating the GUI, simply to overcome the faults of your mail client and file system. vbs is designed to be easy for the user to understand and create. Having to left click the darned things and click "run" rather than being able to drag and drop files onto it or double click it like a "real" program, is a real pain. Of course, the shortcomings still exist with the exe files and all the problems in file representation and permissions will get you there and can't be defended against with the silly notepad hack.
Friends don't help friends install M$ junk.
This worm was hitting us badly. I personally spent at least six or seven hours slamming the fuck out of the clients (they connect with a very distinctive hostmask/realname/nick) since they started hitting us on Sunday, and we have ~1500 akills for distinctive IPs set up now.
As you may imagine, manual akills just weren't cutting it after a while. We all have actual jobs, and sitting on IRC whamming worms is something we don't get paid for. We've fixed our problem with a small Perl script one of our server admins wrote. I don't have the link where he placed it online right now, but I'm sure he'd be okay with sharing if anyone's interested. At the very least, it'll give you some heuristics to work from (the fundamental pattern is a nick with one, two, or three numbers on the end, a real name consisting of two capitalized words, and an identd response made of those two words reversed and conglomerated).
If there's any other admins of networks out there, pop onto irc.kdfs.net and join #helpdesk. Mention that you're looking for Puffy (me) or Danzak (script writer) and you're interested in our virus client killing bot.
No false positives so far. :)
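As an added example (not the Perl script the post mentions, which is not on the page), here is the three-part heuristic the post describes, written in Python and run over a few constructed client records in a `nick!ident@host :realname` layout. Treating "reversed" as swapped word order, comparing the ident case-insensitively, and the record format itself are assumptions.

```python
"""Heuristic match for the worm-client pattern described in the post.

Traits encoded, straight from the post:
  1. nick ends in one, two or three digits
  2. realname is two capitalized words
  3. ident (identd reply) is those two words swapped and joined

Assumptions (not stated on the page): the nick body before the digits
contains no digits itself, "reversed" means word order swapped, the ident
comparison is case-insensitive, and a leading "~" on the ident (the usual
marker for "no identd reply") disqualifies the match.
"""
import re
from typing import List, NamedTuple, Optional

# Letters/underscore/hyphen, then exactly 1-3 trailing digits.
NICK_RE = re.compile(r"^[A-Za-z][A-Za-z_\-]*\d{1,3}$")
# Two capitalized words separated by a single space.
REALNAME_RE = re.compile(r"^([A-Z][a-z]+) ([A-Z][a-z]+)$")
# Constructed record layout: nick!ident@host :realname
RECORD_RE = re.compile(
    r"^(?P<nick>[^!\s]+)!(?P<ident>[^@\s]+)@(?P<host>\S+) :(?P<realname>.*)$"
)


class Client(NamedTuple):
    nick: str
    ident: str
    host: str
    realname: str


def parse_record(line: str) -> Optional[Client]:
    """Parse one nick!ident@host :realname line; None if it does not fit."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return Client(m["nick"], m["ident"], m["host"], m["realname"])


def matches_fizzer_pattern(nick: str, ident: str, realname: str) -> bool:
    """True only when all three traits from the post line up."""
    if not NICK_RE.match(nick):
        return False
    m = REALNAME_RE.match(realname)
    if not m:
        return False
    first, second = m.group(1), m.group(2)
    if ident.startswith("~"):
        # No identd reply at all; the post describes a real identd response.
        return False
    return ident.lower() == (second + first).lower()


def flag_clients(lines: List[str]) -> List[Client]:
    """Return the parsed clients whose records match the heuristic."""
    flagged = []
    for line in lines:
        client = parse_record(line)
        if client and matches_fizzer_pattern(client.nick, client.ident, client.realname):
            flagged.append(client)
    return flagged


# Constructed sample records (documentation IP ranges, invented names).
SAMPLE_RECORDS = [
    "Carol17!DoeCarol@198.51.100.23 :Carol Doe",      # all three traits: flag
    "Puffy!puffy@shell.example.net :Just Another Oper",  # no trailing digits
    "Ted2!ted@203.0.113.9 :Ted Baker",                 # ident is not BakerTed
    "Mark999!~JonesMark@192.0.2.44 :Mark Jones",       # no identd reply
    "Eve7!SmithEve@192.0.2.8 :Eve Smith",              # all three traits: flag
    "Ann1234!LeeAnn@192.0.2.9 :Ann Lee",               # four digits, not 1-3
]

if __name__ == "__main__":
    for c in flag_clients(SAMPLE_RECORDS):
        print(f"candidate: {c.nick}!{c.ident}@{c.host} ({c.realname})")
```

Any one trait on its own is common among legitimate users; the value of the post's heuristic is requiring all three together, which is why the function only returns True when every check passes.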
It's not even close to the same. Only AOL users would think so.
Gotta love stupid laws.
Don't worry, the DMCA only applies to circumvention of encryption used to protect huge, rich, multinational corporations and other people trying to make a buck. I doubt anyone would care if you circumvented encryption to recover your or other people's keystrokes. Britney Spears's recorded music is protected. Her email, medical records and what not are owned by TIAA and whoever can make a buck selling them. Pluto-crats ain't stoopid.
Avoid these problems and use free software instead. Give the man the finger before he decides that you can't.
Friends don't help friends install M$ junk.
IRC might be a client/server network, but DCC is strictly peer to peer. In DCC you create a direct connection between your IP address and the person who you are exchanging information with's IP address. IRC facilitates finding someone to do a DCC connection with, but that's it.
Knowledge is power. Knowledge shared is power multiplied.
Just a pet peeve when people refer to it that way.., one is a client of many, the other is a network ( also many )...
And just sounds like people need to use some common sense, and update signatures.. None of these things should be a huge deal..
---- Booth was a patriot ----
Debian, it's like your first visit to the free clinic. Your privates are sore, you are angry with close friends and you don't like what people at the clinic are telling you. You can leave and things will get worse or you can listen to good advice and not have to go back.
Friends don't help friends install M$ junk.
main page
Removal tool
Cleaned up my office yesterday very nicely.
For those unaware of what the Fizzer worm does and stuff. You can find most stuff here.
Gee, really going way out of your way to change the subject, huh? Wonder why that is? Got something to defend there? Chatting, irc, etc are way close enough to be referred to as a sort of P2P.
I can discuss with people, just don't "do" insults, which I certainly didn't start, so if you or anyone else want to talk to me, do it without insults or get ignored from here on out. If you got proof of whomever is doing it, or a pet theory, why don't you discuss that instead? wouldn't that be more productive than arguing over picky word definitions that are arguably vague enough so that two different versions can be close enough to fit? OK, swell, irc chat is not pure P2P because it's not...whatever, it's something else, even though you can gather as a group, dcc between individuals, or whatever, because it's routed different or whatever. There, happy? Are you all glad now that you "win" some weird flame deal?
Take your winnings to the store, see what you can buy with it.
Have a good day, my handle is obvious, I use one handle on slashdot, don't reply to me anymore, I just don't like picky crap like this, it's a waste of time. If you can't figure out what my basic thoughts were, I'm sorry, they should have been taken just as a way to segue into the main idea, ie "warez and filez get traded there by people communicating with each other", ergo, it's a sort of P2P as opposed to a static http web page or ftp site people link to to download from. If that don't fit your picky detailed descriptions of what "P2P" is, frankly, I could care less. And last I knew, there isn't any official P2P overlord who has got the one and true legal definition of P2P anyplace, besides person 2 person or people 2 people. that could fit quite a lot of internet actions actually, BUT, we'll let you "win" that one, only the way you describe it is the one true "official" definition. All hail the official P2P uberdictator!
buzz off creepazoid, and you can have your "last word", go for it, have fun.
bzzzt
The distinction between P2P and not-P2P is "is there a distinction between servers and clients?". IRC has servers which manage connections and get communications from one user to another. Napster had servers which catalog everyone's mp3s and tells them where to find the mp3s they want. These are not P2P.
Kazaa has no servers in the actual implementation of the protocol. It does have default IPs to check to get into the network, but you could replace these with any IP you know to be running a client and it would work just as well. All communication (search queries) in kazaa is done from client to client, over however many clients is needed to reach the destination.
If I have been able to see further than others, it is because I bought a pair of binoculars.
Wouldn't you say that Microsoft OWES those people a complete revamp of Outlook? Microsoft should not be relying on the user to go to Windows Update and grab the file. They should be sending out free CDs like AOL does with new versions of Outlook and Outlook Express. They should also be making sure that the newer more secure versions run on everything from Win 3.1 and up. This is the only way that MS is ever going to stamp out the worm problem with Outlook. If someone is perfectly happy using Windows 3.1, 9x or NT4, WHY should they be forced to upgrade and pay more money to Microsoft to get a certain level of security. Microsoft should level the playing field and make sure that ALL versions of their OSes (via new service packs for old OSes), IE and Outlook/Outlook Express are secure. This would go a long way to improving customer relations, and solving the worm problem. I think it makes a lot of business sense because in reality, MS still makes more money from the Office products than they do the OS. Outlook should just be broken apart from Office anyway since it's more of a Network app than an Office app. Drop Outlook Express altogether. Then I think they may have something. Until then, this is STILL all Microsoft's fault.
Piss off, ya knob. get a life other than correcting shit that no one cares about. fucking loser
Hey! DALNet used to be my service of choice because they had a great selection of Sliders episodes, Enterprise episodes, Music Videos that don't suck (Clan of Xymox, Siouxsie and the Banshees, Kenna, etc...) and some MST3K episodes to trade in some channels. Are you telling me there are other IRC servers out there that are better and can provide me with the same stuff? Cause I haven't found that to be true. C.T.
Gee, really going way out of your way to change the subject, huh? Wonder why that is? Got something to defend there? Chatting, irc, etc are way close enough to be referred to as a sort of P2P.
Change what subject? I'm responding to what you said.
I can discuss with people, just don't "do" insults, which I certainly didn't start, so if you or anyone else want to talk to me, do it without insults or get ignored from here on out.
The original poster who corrected you didn't insult you at all. Go back and read it, I'll wait.
I just don't like picky crap like this, it's a waste of time. If you can't figure out what my basic thoughts were,
Let's just stick to the language we've all (except you) agreed upon, ok? Stop inventing words, or misusing them and we'll be fine.
And last I knew, there isn't any official P2P overlord who has got the one and true legal definition of P2P
Well, I'll inform you that
there is.
BUT, we'll let you "win" that one, only the way you describe it is the one true "official" definition. All hail the official P2P uberdictator!
You are just making an ass out of yourself. Don't worry, I'm not going to stop you.
Dacels Jewelers can't be trusted.
I've never run any sort of anti-virus... Ever. And I've never had a virus... ...that I noticed.
Just because you don't think you have a virus doesn't mean you don't have one that's good at hiding. Try loading an AV and seeing what it finds. It might do you some good.
Personally, I have an updated one that I keep disabled most of the time except when I get up and leave it on; then I tell it to scan. Hasn't turned up anything. Good sign...
Black holes are where the Matrix raised SIGFPE
The best part of it is that Outlook and Outlook Express demangles its own creation, so that the post is only broken in every other news client on earth, which leads to "dude, your client is broken", "looks fine to me" threads.
This is so true, I have been kicked off microsoft newsgroups before because half the posts were unreadable, And you get the same response...its fine on my screen.
What's worse, is the next version of outlook does MORE of this, they are adding in their own MIME encoding scheme. Which will make the posts even worse
It's gotten to the point where I have a rule now in Kmail, and in pine, and mutt, and any other client I happen to be using (That's right, all you little windows kiddies reading this, I have 3 different mail clients, and since MY mail clients don't format my mail into a proprietary format, I CAN use 3 different mail clients all with access to the same mail) which says
if "X-Mailer" contains "Microsoft Outlook " deliver "trash"
Cleans up my screen nice, I suggest you try the same, it saves on having to read a bunch of arrogant, "Your posts suck because they don't have a pretty html format" threads
I run a large dynamic dns provider and have had many many abuse reports lately of people using worms like this. Generally, they will register a host with ODS that is round-robin and points to multiple IRC servers which they point their drones at. The effect of these trojans is huge and I'm surprised they're not covered more. Ones like this one have been around for a while, and are generally used (after infection) for DDoS attacks. Many of these botnets (that I have seen anyway) exceed 10,000 infected clients (in one IRC channel). They place an enormous burden on the IRC Networks (that have to accept all of these clients, a lot of the time, all at once when the command is issued to change servers) and also are fairly visible from our DNS servers (some causing about 10 queries/sec alone to the DNS servers).
The point is that I've seen these botnets around for months and months now. Almost a year at this point with almost no coverage. I believe the days of smurf attacks are numbered, this is the new way to conduct DoS attacks. They're very effective as well, having seen the attacks targeting servers of mine.
(And it's not a matter of clueful versus neophyte users. My wife doesn't know a "C:" from a "/", but I managed to teach her how not to open a suspicious attachment in about ten minutes.)
The cake is a pie
I also think that posting how to crash the FIZZER's was posted along with what channels they were in. That's like saying, here you go... have fun, don't put anyone's eye out.
They are not trying to protect users from downloading infected files. That's impossible because of the way IRC/DCC works.
KaZaA has nothing to do with this, nor can their programmers add anything useful.
What they are attempting to do is shut down the nervous system of Fizzer. Fizzer uses IRC networks to communicate with its "master" (for lack of better word). The infected machines sign on to random irc networks, and go to specific channels, awaiting orders. From that point they can be told to ping or flood, or dump their key logs...etc.
Also, this virus is spreading primarily through good old fashioned e-mail. Same as a hundred other viruses, it sends a familiar looking subject/body with a .scr, .com, .exe, .pif attached.
-Malakai
A Dragon Lives in my Garage
Why again aren't people blocking .scr, .pif, .com and .exe files? I don't know about you, but at work, we block all of these files at the internet mail gateway. If you want to send us an exe, zip it first.
ones which aren't finished.
Last time I read anything, Outlook ran as "Admin". Looking through Google found me little more than a confused, proprietary mass of rights, permissions and predefined "users" such as contributor, author and what not. Somehow, I get the feeling that it's impossibly inconvenient to have your users anything but administrators in the windoze world. The unix and free software worlds make user management very easy and you have to go out of your way to do it wrong. It's built into the kernel and filesystem not tacked onto the GUI. Tell me that it's not so and that M$ has learned something and I'll be able to forget what I've read and what I just saw in 10 minutes of searching.
Friends don't help friends install M$ junk.
Yes, you've found another idiot. But, IRC is P2P in a certain sense. The IRC servers form a P2P network among themselves. And, DCC is definitely P2P.
Need a Python, C++, Unix, Linux develop
Although a little misguided, the poster above makes some good points. If I had mod points, I'd mod them up because some of this needs to be heard. Alas, I can only bring attention to this post with my mod bonus.
While I don't think Microsoft would EVER actually make any service packs for OSes they consider long since irrelevant, there are many users who still get what they need out of them. MS shouldn't ignore that since it's probably a good chunk of the machines that are getting hit with this kind of stuff.
Un-news
Windows still supports PIF files?!
True, but there was only one network then. Now, there are multiple networks, and the largest I think I've ever seen at any one time was 50-60,000 users online. Of course, probably more than half of those were bots or idle for weeks.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
ircd was written for Unix.
The original IRC clients were written for Unix, for VMS, and for emacs.
I wrote the first DOS based client. I regret that decision entirely, because it led to the eventuality of the Windows client, and this led to exactly the same thing for IRC as what happened for the entire Internet when AOL users were given full Internet access.
Think about it.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
By using GECOS checking (called something else in that bloatware called UnrealIRCd), people can deny connections from users using certain realname patterns. From what I have seen, Fizzer uses certain GECOS information that can be used to identify itself.
Also, by CTCP pinging them, a lot of them will crash, from what I have heard. The website also states this.
nenolod, OpenIRC Network administrator.
Netscape was better than IE prior to the 3's. Version 3 was pretty equal on both and then IE blew Netscape away when it came to version 4. Netscape 4 was a blight on society with some of the worst standards support of any browser prior and since.
Check me on this: Didn't Microsoft start giving away IE BEFORE Netscape 4? If so:
Don't you think cutting off Netscape's revenue stream might have had something to do with the amount of Quality Assurance they could afford to do on their follow-on releases? In addition to pressuring them to release it early to try to get a little more cash in house before they dry up and blow away?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It has nothing to do with using an "alternative OS". Unix is the OS that most of the things on the Internet were created on. In one of my other replies in this same discussion, I posted my thoughts about that. Basically Windows clients are to IRC what AOL is to the Internet.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
You missed the heyday of IRC, then.
There was a time, mostly before but for a short time after the first Gulf War, where there were no IRC bots. There were no people sitting idle online for WEEKS at a time.
A time when Internet Relay Chat was used for CHAT.
NOW, it is all elitist assholes, bots, file traders, and stupid crap.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
Netscape was better than IE prior to the 3's. Version 3 was pretty equal on both and then IE blew Netscape away when it came to version 4. Netscape 4 was a blight on society with some of the worst standards support of any browser prior and since. Add to that the fact that it took a year and a day to load on the fastest machine and you have a good reason why it died.
Actually...IE 3 sucked majorly. At the time Netscape was far superior to IE, and was until Netscape 4, and Netscape didn't REALLY start to suck until 6. Netscape 4.72 wasn't that bad, it just wasn't as good as IE anymore.
NeoChichiri
http://www.neochichiri.net
Actually, it doesn't use the Windows address book. I know this because I (under firewalled, very controlled conditions) ran it to see how it worked. One thing I noticed is that it was sending e-mails out to addresses I did not know. That computer does not have an address book, nor any outlook express smtp/pop3 server settings (I never configured it).
Your test doesn't prove it DOESN'T use the address book. It only proves that it ALSO has canned addresses or can find or generate some in some other way.
To check whether it ALSO spreads via the address book, configure a few bogus addresses and try again, checking whether it emails to them.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
From my understanding at the symantec site, this lil file can get rid of it.
*********START FILE remove.bat*********
@echo off
cd \
cd %Windir%
REM Create the Uninstall.pky trigger file in the Windows directory; per the
REM Symantec writeup the worm removes itself when it finds this file.
echo . > Uninstall.pky
echo Please wait 30 seconds
pause
REM If the worm's ProgOp.exe is still here, the self-uninstall has not finished.
if exist ProgOp.exe echo You didn't wait long enough.
*********END OF FILE remove.bat********
But, IRC is P2P in a certain sense. The IRC servers form a P2P network among themselves. And, DCC is definitely P2P.
The definition of peer 2 peer is that it is self-organizing, as well. That is the more current definition anyway. It also must not rely upon centralization nor upon "constant routes" (like IRC does).
DCC is not peer-to-peer because it isn't self-assembling, nor is it a many-to-many but a one-to-one connection. DCC is much closer to P2P than IRC is, however. Napster was the original work of a P2P application, but it was still a client/server model at the core. I'll agree you can build a P2P network on top of a client/server (IRC) network, but IRC is definitely not a P2P network.
Dacels Jewelers can't be trusted.
It's funny how the death of IRC has been talked about for years now. Yet IRC keeps growing. My server on Undernet (which was the largest for almost 4 years in a row) was removed due to ISP backing being removed -- yet if you read about it online, its removal was attributed to DoS attacks. Much of IRC's background is clouded in myth or just outright lies. Check out http://searchirc.com -- IRC networks are MUCH bigger than they ever used to be, and there are much MORE IRC networks than ever before. SearchIRC currently has close to 700, and the list isn't close to being completed.
SearchIRC - Now with live chat directory!
Indeed, I did not. I assumed the Fizzer worm/virus/etc was attached to some packs that were being handed out via DCC. Thanks for that piece of info ... makes a lot of sense.
A.M.
Pimpin' all the Karma Hoes!
Yeah, and if we're lucky, we'll get a dupe! Then we can get 'em twice!
Why do most companies spend lots of money on virus scanners, but not on mailer software? If a virus/worm hits just one user in a company before the scanner is updated, the whole company gets infected in no time.
If companies would trade Outlook Express for another lesser known mail client, for instance The Bat, 99% of modern 'viruses' would have no chance.
Well, at least until it becomes main stream, and viruses are developed for this client's address book.
.sig: No such file or directory
I did not realize that IRC could not auto-reconfigure its spanning trees. The algorithms for doing so aren't that hard. The Ethernet bridging spanning tree algorithm points the way. For maximum network efficiency, they should have a per-channel spanning tree that only encompasses nodes who have users on the channel.
Need a Python, C++, Unix, Linux develop
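The per-channel spanning tree proposed above, worked through as an added example (this is not code from the thread or from any ircd; the server names and links are constructed). Because IRC server links form a tree, the minimal subtree that connects every server holding a channel member is found by repeatedly pruning leaf servers with nobody on the channel:

```python
"""Per-channel spanning subtree on an IRC server tree.

Added example; not code from the thread or any ircd. The server names and
links below are constructed. IRC server links form a tree, so the minimal
subtree that connects every server with a member of a channel is found by
repeatedly pruning leaf servers that have no one on the channel.
"""
from collections import defaultdict

# Constructed server-link tree (hypothetical names).
LINKS = [
    ("hub1", "hub2"),
    ("hub1", "leafA"),
    ("hub1", "leafB"),
    ("hub2", "leafC"),
    ("hub2", "leafD"),
    ("hub2", "hub3"),
    ("hub3", "leafE"),
]


def adjacency(links):
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    return adj


def channel_subtree(links, member_servers):
    """Servers that must carry a channel's traffic: the minimal subtree
    spanning every server in `member_servers`. Returns a set of servers."""
    remaining = {server: set(peers) for server, peers in adjacency(links).items()}
    changed = True
    while changed:
        changed = False
        for server in list(remaining):
            # A leaf (or isolated node) with no channel members carries nothing.
            if server not in member_servers and len(remaining[server]) <= 1:
                for peer in remaining[server]:
                    remaining[peer].discard(server)
                del remaining[server]
                changed = True
    return set(remaining)


def subtree_links(links, member_servers):
    """Links a channel message must cross under per-channel routing."""
    servers = channel_subtree(links, member_servers)
    return [(a, b) for a, b in links if a in servers and b in servers]


def links_saved(links, member_servers):
    """How many server-to-server hops per-channel routing avoids compared with
    flooding every channel message across the whole tree."""
    return len(links) - len(subtree_links(links, member_servers))


if __name__ == "__main__":
    members = {"leafA", "leafE"}
    print(sorted(channel_subtree(LINKS, members)))
    print(links_saved(LINKS, members), "of", len(LINKS), "links skipped")
```

The pruning has to be rerun whenever a server joins or parts the channel's member set or a netsplit changes the tree, which is exactly the "auto-reconfigure" problem the post raises; with a static set of links the computation itself is cheap.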
This affected my customer.
Although he has wonderful antivirus software (installed by yours-truly), he was receiving many e-mails from people he did, and didn't know, claiming that he had sent this virus to them. This worried him enough to have me come in and take a look. (costing him $$$)
'From-Field' forgery ought to be part of the process in e-mail anti-virus programs, shouldn't it? I can LOOK at the headers and know they are fake. Seems like a several hundred $$$ Exchange-server AV program should be able to do the same. Spoofing the from field is nothing new.
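Two gateway checks raised in this thread, the earlier "block .scr/.pif/.com/.exe at the mail gateway, zip it first" policy and the From-field forgery check asked for here, as one added example (not code from the thread or any product). The sample message is constructed, and it assumes the outermost Received header is the one our own gateway wrote:

```python
"""Mail-gateway checks for executable attachments and forged From headers.

Added example; not code from the thread. The sample message below is
constructed, and the header layout (one Received line added by our own
gateway on top) is an assumption about the gateway this runs behind.
"""
import re
from email import message_from_string, policy

# Extension block list named in the thread; extend as policy requires.
BLOCKED_EXTENSIONS = {".scr", ".pif", ".com", ".exe"}

# "from <helo-name> (<reverse-dns> [<ip>])" as written by common MTAs.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?", re.IGNORECASE)

# Constructed sample: From claims example.com, but our gateway saw the
# connection come from a dial-up host in example.net, and the attachment
# uses the classic double extension.
SAMPLE_MESSAGE = """\
Received: from pc-123.dialup.example.net (pc-123.dialup.example.net [192.0.2.10]) by mx.example.org with SMTP; Mon, 12 May 2003 17:37:00 -0400
From: Alice <alice@example.com>
To: bob@example.org
Subject: Check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Hi, see attached.
--BOUNDARY
Content-Type: application/octet-stream; name="photo.jpg.pif"
Content-Disposition: attachment; filename="photo.jpg.pif"
Content-Transfer-Encoding: base64

TVo=
--BOUNDARY--
"""


def attachment_extension(filename):
    """Final extension, lowercased; trailing dots/spaces are stripped because
    Windows ignores them when deciding how to open a file."""
    name = filename.rstrip(" .").lower()
    dot = name.rfind(".")
    return name[dot:] if dot != -1 else ""


def blocked_attachments(msg):
    """Filenames of attachments whose final extension is on the block list.
    Checking the final extension catches double extensions like photo.jpg.pif."""
    return [
        part.get_filename() or ""
        for part in msg.iter_attachments()
        if attachment_extension(part.get_filename() or "") in BLOCKED_EXTENSIONS
    ]


def registered_domain(hostname):
    """Last two labels of a hostname. A crude stand-in for a public-suffix
    lookup, adequate for the constructed sample."""
    labels = hostname.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def from_domain(msg):
    header = msg["From"]
    if header is None or not header.addresses:
        return ""
    return header.addresses[0].domain.lower()


def forged_from(msg):
    """Heuristic: the outermost Received header (the one our gateway wrote)
    names the host that actually connected. If its domain does not match the
    From domain, the From header is suspect. Forwarders and mailing lists
    trigger this too, so treat it as a score, not a verdict."""
    received = msg.get_all("Received", [])
    if not received:
        return False
    match = RECEIVED_RE.search(str(received[0]))
    if not match:
        return False
    helo, paren = match.group(1), match.group(2) or ""
    # Prefer the reverse-DNS name in parentheses; fall back to the HELO name.
    connecting_host = paren.split()[0] if paren and not paren.startswith("[") else helo
    return registered_domain(connecting_host) != registered_domain(from_domain(msg))


def scan(raw):
    """Run both checks and return what a gateway policy would act on."""
    msg = message_from_string(raw, policy=policy.default)
    return {"blocked": blocked_attachments(msg), "forged_from": forged_from(msg)}


if __name__ == "__main__":
    print(scan(SAMPLE_MESSAGE))
```

The extension check is the reliable part and is what stops a worm like this at the door; the From/Received comparison is only a heuristic (legitimate forwarding and mailing lists fail it), which is why gateways score it rather than reject on it outright.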
Does that mean QNX RTOS, MS-DOS 1, MS-DOS 2, MS-DOS 3, MS-DOS 4, MS-DOS 5, MS-DOS 6, MS-DOS 6.1, IBMDOS, DRDOS, Windows CE, Windows 1.0, Windows 2.0, Windows 3.0, Windows 3.1, Windows 3.11 and BeOS is affected?
GAAH! MY PRINTER IS ON FIRE!!! PUT IT OUT! PUT IT OUT!
I haven't seen many other net admins post their experiences, so I'll give mine. We run DarkFire (which averages around 400-500 a night) and within about 2 hours our global client count tripled to about 1200.
;)
The bots tend to join "random" channels (not really random because ~40 or so will collect in each channel) and they sit there. Now get this.. they spit out random English/German gibberish. No joke. Things like "Money is a diabolical power" and "Religion is an oppressive force"; things of that nature. Some of it is in German also.
As an admin previously posted, they use random "real" sounding nicknames, usernames, etc. Their host addresses span across the world. At first, we had no idea what they were until one of our opers broke into one of the random Win2k servers the bot ran on and went through the registry and process list. From there, after some google search, we found out about Fizzer.
We let them collect for awhile to look for any threats they might pose. We also checked their reconnect delay. None; they don't reconnect to the same network. In other words, banning them is a waste of time. I try to avoid placing thousands of network bans, and in this case, it would certainly be wasteful. After a few masskills to wipe the channels clean most of the bots disappeared as quickly as they came. Now, on to my IRC rant. I've been waiting for a soapbox. If you're from DarkFire, get ready to cringe because you've heard this before..
IRC's future is one that a *BSD is Dying troll might say. Over the years networks have had to put up with an increasing threat of DDoS attacks that are provoked by the slightest change in breeze. DALnet went through hell and back; the aggregate bandwidth they had to absorb from the attacks is insane. IRC was turned into a warez and botnet haven within a few years, and the future looks bleak.
Whenever I mention IRC to someone that's never really used it but keeps up with tech news, they almost always get the impression that it's just a bunch of warez and botnet networks. At one point when I was getting DoS'd, I spoke to someone at MFN to get a filter in place and he asked me if I had any idea why I was being attacked. I mentioned that I run an IRC network and he immediately reminded me that it's a massive DDoS magnet. I had to agree.
I'm getting sick of the whole situation. About a month ago, we decided to shut off the network to public access and require registration with confirmation of a code being placed on an image (Yahoo reg style). The decision doesn't mean it was an overnight process. We'll probably be done coding it in June, and that's when we'll go in.
We provide a public service, and we volunteer hours. That alone will not convince our upstream provider of why it's worth it for them to lose service along with us because of a DDoS that is almost always related to IRC. Over the years, we've tried in every way not to provoke attacks, and we've really only been hit about 5 or 6 times since we opened in April of '98. However, enough is enough. If someone doesn't want to take the 10 seconds to copy a code from an image on our webpage to verify registration, then they can find a different network to use.
Excuse the typos, I tend to typo more in rants
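The DarkFire admin's observation, bots collecting around 40 to a channel all at once from hosts spread across the world, is the kind of pattern an oper can detect from the server's own join records before the channels fill up. An added example (not code from the thread or any ircd; the log format "<ISO timestamp> JOIN <channel> <nick>!<user>@<host>" and the sample lines are constructed, and real ircds log in their own formats) that flags channels picking up many distinct hosts inside a short window:

```python
"""Detecting botnet mass-joins from ircd join records.

Added example; not code from the thread or any ircd. The log format
("<ISO timestamp> JOIN <channel> <nick>!<user>@<host>") and the sample
lines are constructed; real ircds log in their own formats. It flags
channels that pick up many distinct hosts within a short window, the
pattern the thread describes (dozens of bots collecting in a channel at
once, from hosts spread around the world).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

JOIN_RE = re.compile(r"^(\S+) JOIN (#\S+) (\S+)!(\S+)@(\S+)$")

# Constructed sample: six "real-sounding" nicks from unrelated hosts pile
# into #xyz within ten seconds; #chat sees two ordinary joins minutes apart.
SAMPLE_LOG = """\
2003-05-12T17:37:00 JOIN #xyz Gregory!gregory@203.0.113.11
2003-05-12T17:37:01 JOIN #xyz Lauren!lauren@198.51.100.23
2003-05-12T17:37:03 JOIN #xyz Martin!martin@192.0.2.77
2003-05-12T17:37:04 JOIN #chat dan!dan@shell.example.net
2003-05-12T17:37:05 JOIN #xyz Sandra!sandra@203.0.113.140
2003-05-12T17:37:08 JOIN #xyz Peter!peter@198.51.100.9
2003-05-12T17:37:10 JOIN #xyz Monica!monica@192.0.2.201
2003-05-12T17:42:30 JOIN #chat radish!radish@home.example.org
"""


def parse_joins(lines):
    """(timestamp, channel, nick, host) for each line that matches the format."""
    events = []
    for line in lines:
        match = JOIN_RE.match(line.strip())
        if match:
            ts = datetime.fromisoformat(match.group(1))
            events.append((ts, match.group(2), match.group(3), match.group(5)))
    return events


def burst_joins(events, window=timedelta(seconds=30), threshold=5):
    """Channels where at least `threshold` distinct hosts joined inside any
    `window`-long interval. Returns {channel: peak distinct hosts}.
    Distinct hosts matter: one user reconnecting repeatedly is not a botnet."""
    by_channel = defaultdict(list)
    for ts, channel, _nick, host in events:
        by_channel[channel].append((ts, host))
    flagged = {}
    for channel, joins in by_channel.items():
        joins.sort()
        start = 0
        for end in range(len(joins)):
            # Slide the window start forward until it spans at most `window`.
            while joins[end][0] - joins[start][0] > window:
                start += 1
            hosts = {host for _, host in joins[start:end + 1]}
            if len(hosts) >= threshold:
                flagged[channel] = max(flagged.get(channel, 0), len(hosts))
    return flagged


if __name__ == "__main__":
    for channel, count in burst_joins(parse_joins(SAMPLE_LOG.splitlines())).items():
        print(f"{channel}: {count} distinct hosts joined within 30s")
```

Thresholds need tuning per network (a netsplit rejoin also produces a burst, though from hosts the server already knew), and since the post notes these bots do not reconnect to the same network, the output is better used to decide which channels to clear than to build a ban list.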
I did not realize that IRC could not auto-reconfigure its spanning trees. The algorithms for doing so aren't that hard. The Ethernet bridging spanning tree algorithm points the way. For maximum network efficiency, they should have a per-channel spanning tree that only encompasses nodes who have users on the channel.
It may have changed over time, but a few years ago it was "dumb networking." I'm pulling off of knowledge I acquired years and years ago though, and it's entirely possible I'm wrong about current architectures.
Dacels Jewelers can't be trusted.
You might very well be right. The bad behavior with regards to net splits and 'rehubbing' of many IRC networks indicates you probably are. I'm sort of surprised and a bit appalled.
Need a Python, C++, Unix, Linux develop
I didn't know that P. Diddy was on IRC.., No wonder J-Lo left you... Now I know... and knowing is half the battle...
But seriously.. every little bit helps in getting rid of this problem... maybe the real solution is not only to contain the problem but to "find" who created the problem... most of these people that code these things are somewhat vain and leave a calling card... Do we know who the author is? Why can't we find out?
Yep. That's why we'll be forcing registration and verification by this June. I'm sick of putting up with all of the shit you mentioned.
Gah. Dude, it gets a bit old. ;) The nick comes from the OpenBSD blowfish. I'm their resident BSD girl.
And I feel the need to go on the record as saying that Puff Daddy sucks and sucks hard, and not in the nice way, either.
As for finding out, I don't have a copy of the virus... only some of the clients. And I'm too busy akilling those to be interested in where it came from. Fact is, it's loose. And that's the most important thing.
I remember the good old days of IRC opering. It was the wild west, there were no rules back then. Or, well, there were, but I never followed them.
I remember one time, we had a channel that filled itself up with gibberish bots, several hundred of them. All they did was sit there though. Didn't talk, not even to each other. Didn't join other channels. Rejoined if you /killed them, they were all from random hosts. We couldn't figure it out. Someone had just parked a few hundred bots on our network for no apparent reason. IRC kiddies are sure some strange lot.
The one thing they did do is spit out text into channel if you /msg'ed them. The text was encoded somehow, I never did figure out how. A Mexican friend brought one of his friends into the channel once, though, and when I came back a few hours later, he had one of the bots talking. Problem was, they all encoded the text differently, so once he lost that one (when it disconnected and reconnected with a different name), he had to start over again.
Anyway, the netadmin, myself, and every other competent oper sat around for a while, experimenting, trying to figure out what they were about, but in the end, we just gave up. We used services to rename some of them into furniture, and the opers used the rest for target practice (kill, masskill, whatever we could think of), and just sort of hung out in the channel until they dwindled off and stopped coming altogether.
Those really were good old days.
--Dan
It's all good :) as for finding the author... I simply put it this way... imagine what could be done if we knew who created it? If you knew the man that killed your dog what would you do? We still need solutions at a local level... but what happens when this same moron writes another one?
Probably a decent idea - the anonymity of IRC has really caused a lot of those issues.
As they say, Anonymity breeds Immaturity.
"Champagne for my real friends - and real pain for my sham friends!" http://ericblade.postalboard.com/
ie "warez and filez get traded there by people communicating with each other", ergo, it's a sort of P2P as opposed to a static http web
Um.... by the way in which you define P2P being a way to swap 'warez' websites (hyper-text and other sorts of script-based programs) should qualify as well. I mean, someone had to put the files onto the website server to begin with. Hey, I've got an idea... The Phone Company is a Warez hub... Anyways, the reason that we have various words in any given language is because no two of them say the exact same thing, some are very close, but even in English each word is unique; if you would like to make a point in the future, I suggest that you take the time to think of the best possible, and most efficient, way to communicate it so that a greater number of people would be better able to appreciate what it is that you have to say.
"It's the Law of the Universe, and I'm the sheriff." Slash-cott 2/10-2/17
Your email proves you are a zealot. accept that microsoft is the best. linux is fun, but that is it.
It is just like installing a Linux emulator on windows... wait that is a good idea!! My soundcard will work! X will run faster!
Now, that was funny!
Why the heck is the Windows address book still accessible through scripting? You would think those clowns over in Redmond would get the picture. STOP ALLOWING STUPID NON USER INITIATED SCRIPTS FROM ACCESSING MY ADDRESS BOOK! I have read the worm description and find that one of its key components is the use of MS Address book entries. I just guess if they do ever block non user initiated access to address lists then Symantec etc will go out of business! What a pile of crap. Why can I not have total control over the use of my own computer? Like those lucky Linux geeks.
OH THE SHAME I fell off the wagon and use sigs again!
I am bot. No kill bot Fizzle I .....please, I children feed...... PLEASE
OH THE SHAME I fell off the wagon and use sigs again!
Thanks, radish, that's the funniest thing I've read all week, I'm still chuckling and its 20 minutes since I read your post...
I even had my roommates come over to look, they all got a good laugh too...
Keep up the sarcasm!
-- I'm not ignoring you, I'm prioritizing you.
Cogito cogito, ergo cogito sum, cogito.
So were Napster transfers, but no one's calling Napster a true P2P system.
My god! WinXP is full of holes!
Linux is teh r0x0rz!
EFnet currently:
[17:37] There are 4759 users and 116658 invisible on 53 servers
[17:37] 391 IRC Operators online
[17:37] 44642 channels formed
[17:37] I have 1672 clients and 1 servers
[17:37] Current local users: 1672 Max: 1989
[17:37] Current global users: 121417 Max: 136515
[17:37] Highest connection count: 1990 (1989 clients) (143647 connections received)
I did not realize that IRC could not auto-reconfigure its spanning trees. The algorithms for doing so aren't that hard. The Ethernet bridging spanning tree algorithm points the way. For maximum network efficiency, they should have a per-channel spanning tree that only encompasses nodes who have users on the channel.
Damn, where were you 13 years or so ago, the last time there was any real attempt to "fix" IRC?
Given the problems and discussions I was witness to back then I'm surprised IRC has managed to creak along with band-aids and patches until now.
Then again the code and protocol may be doing something like this now, it's been a while since I looked at either.
Happy Fun Ball is for external use only.
I was writing a b-tree based database library in C. :-)
I didn't know much about networking then, though I was also writing a distributed Mandelbrot set generator in C++. :-)
Need a Python, C++, Unix, Linux develop
I never stated that it only affects Windows using the address book. I said it only operates on Windows (true). I also said that it uses Windows Address Book (according to the AV company reports, also true). I then pointed out that it also uses Kazaa. The AV company reports didn't mention that it also makes its own addresses at the time of my initial post.