Slashdot Mirror


IRC Networks Unite in Fight Against Fizzer Worm

Dave writes "Over the past few days, IRC Networks across the Internet have felt the brunt of the Fizzer worm. In an unusual display of geek solidarity, representatives from dozens of IRC Networks, including EFNet, IRCNet and DALnet, have gathered to create a Fizzer Task Force. Interesting and mostly productive results have occurred so far from such a meeting of the IRC minds."

14 of 314 comments

  1. possible perps by zogger · · Score: 3, Interesting

    --anyone else get the impression this is a proactive anti "piracy" move by the music and movie monopolists? That's what I thought of when I first read about this a couple of days ago. Looks like an attempt to shut down channels of P2P-ish nets.

    Anyway, that's how I think with crimes, use flatfoot 101, "who profits?".

    1. Re:possible perps by Spottie · · Score: 2, Interesting

      We don't HAVE any p2p chans - the thing just runs down a network list and isn't targeting anyone in particular.

      --
      I have seen the truth, and it makes no sense.
  2. Lock em down by Mattygfunk1 · · Score: 2, Interesting
    The worm attempts to terminate the process of various antivirus programs if they are found to be active.

    Are there any programs that allow processes to be "locked on"? It would be useful to restrict attempts to kill certain processes, to people that can provide the root password.

    There are probably heaps of this kind of thing, and another layer of security is always welcome.

    cheap web site hosting from 3 semi-mongrels a month

  3. Re:mIRC by alien88 · · Score: 4, Interesting

    As it stands right now, the worm was poorly coded or released into public early. The IRC client is pretty much useless - it doesn't have any commands and you can't do anything with it.

  4. Re:mIRC by parksie · · Score: 3, Interesting

    Before we decided to actively get rid of them, we were attempting to see if we could do anything useful with them.

    Eventually we had more bots than real users on the network (we're only small, so about 700 bots). With the Unreal fizzer-blocking module, we're close to having set around 10,000 local zlines.

    Hopefully the admins on each network will notice them, and stop them being used for anything. After that, finding a way to remove the virus is less critical (if it becomes mostly useless).

    parksie, ZiRC.

  5. Re:As Well They Should ... by gerf · · Score: 2, Interesting

    I just idle in some rooms where I know the people. Only file sharing I've done is to send a pic or two.

    As for KaZaA, I'm just not using it at all. I haven't heard how well Norton or McAfee protects against Fizzer over different media yet, so I'm just gonna lay low for a while. I suspect that many others will too.

    This brings up another interesting idea. RIAA/MPAA designing virii to attack P2P networked computers (maybe with keywords like 'Usher' in their music files?). HIGHLY illegal, but what do they care?

  6. Re:mIRC by shadowjk · · Score: 3, Interesting

    I wish more people would emphasize this. If the worm author had spent a little more time in ironing out the incomplete features and bugs, this would have been one killer of a worm.

    Add the missing features, remove that bug that makes it easy(ish) to identify programmatically on IRC, voilà, killerworm of doom.

    The real question is, how long before someone actually does this, creates a better worm?

    Whoever created Fizzer was on the right track by adding AIM capability (according to F-Secure). Does AOL have any experience in combating trojan hacker communication through their systems? I bet not. Just imagine what the author could do with a few hundred thousand of these babies, it would make the slashdot effect pale in comparison!

    We are sitting on a ticking time-bomb.. it's just a matter of time..

  7. user = id10t by rock_climbing_guy · · Score: 2, Interesting
    Actually, I've been a savvy computer user for some time now, IMHO. However, I had a laptop computer totally screwed up by the 'ravage' boot sector virus. It's a virus that replicates itself on the boot sector of floppy disks, inserting itself right in front of that code that displays the message

    Non-system disk or disk error
    Replace disk and press any key when ready.

    I was caught totally off guard on that one, but I don't think that it indicates a user = id10t problem on my part.

    --
    Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
  8. Re:The majority of these worms, however... by stratjakt · · Score: 2, Interesting

    Go to any script kiddy channel, and see what they're running. It ain't windows.

    Name some good H4X0R t00lZ for windows. Not so easy, is it?

    All the portscanners, eggdrops, warbots, and other bullshit is linux based.

    I guarantee the fellow/group behind fizzer connects with his linux box to control all of his 7337 bots.

    The windows users are the leghumpers who keep asking you "a/s/l".

    So why ban the victims? Ban the jerks.

    You should really ban any scriptable client to 'save IRC'. There are enough stupid linux users to download "megascript for IRC-II" and have no idea what it's exposing to the mega h4x0rs of DALNet.

    Your OSism is pretty much, like all prejudices, ignorant of the real issues. Just like the poor white hillbilly who thinks blacks are the cause of his problems, you sit pointing fingers at windows.

    The thing to do is to simply realize that IRC is simply an insecure telnet hack. It always will be.

    Recreate it based on ssh or something.

    The windows users have all moved on to AIM and ICQ anyhow. IRC is old news.

    --
    I don't need no instructions to know how to rock!!!!
  9. Re:As Well They Should ... by DNS-and-BIND · · Score: 2, Interesting

    AOL has 'rooms'. IRC has channels.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  10. Re:DMCA protects the virus data by Alsee · · Score: 3, Interesting

    As much as I enjoy your post, I don't think it's accurate. You would be the copyright holder of the keystrokes it is writing. Therefore you can decrypt the file with the authority of the copyright holder.

    I hope no one takes this as a defense of the DMCA, it is an evil law. The DMCA makes it a crime to sit motionless and think certain thoughts. I really wish it would get struck down as unconstitutional already.

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  11. I... by Telent · · Score: 3, Interesting
    ... am a technical administrator on a fairly small (100-200 users), Klingon-themed network that plays host to a fairly large Star Trek simming organization.

    This worm was hitting us badly. I personally spent at least six or seven hours slamming the fuck out of the clients (they connect with a very distinctive hostmask/realname/nick) since they started hitting us on Sunday, and we have ~1500 akills for distinctive IPs set up now.

    As you may imagine, manual akills just weren't cutting it after a while. We all have actual jobs, and sitting on IRC whamming worms is something we don't get paid for. We've fixed our problem with a small Perl script one of our server admins wrote. I don't have the link where he placed it online right now, but I'm sure he'd be okay with sharing if anyone's interested. At the very least, it'll give you some heuristics to work from (the fundamental pattern is a nick with one, two, or three numbers on the end, a real name consisting of two capitalized words, and an identd response made of those two words reversed and conglomerated).

    If there's any other admins of networks out there, pop onto irc.kdfs.net and join #helpdesk. Mention that you're looking for Puffy (me) or Danzak (script writer) and you're interested in our virus client killing bot.

    No false positives so far. :)
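
The three-part pattern described in comment 11 above, applied to IRC WHO replies, as an added example that is not part of the thread and is not the Perl script the comment mentions. It assumes "reversed and conglomerated" means the two real-name words joined in reverse order, that servers may truncate the username to `USERLEN` characters, and that input arrives as RFC 1459 `352` lines; all names and addresses are constructed.

```python
import re

# Heuristic from the comment: nick ending in one to three digits, real name of
# two capitalized words, ident = those two words in reverse order, joined.
NICK_RE = re.compile(r"^.*\D\d{1,3}$")
REALNAME_RE = re.compile(r"^([A-Z][a-z]+) ([A-Z][a-z]+)$")
USERLEN = 10  # assumption: the server truncates usernames to this length

def parse_who_reply(line):
    """Split an RFC 1459 RPL_WHOREPLY (352) line into the fields we need."""
    parts = line.rstrip("\r\n").split(" ")
    if parts and parts[0].startswith(":"):
        parts = parts[1:]  # drop the server prefix
    if len(parts) < 9 or parts[0] != "352":
        return None
    _, _me, _chan, user, host, _server, nick, _flags, _hops = parts[:9]
    return {"nick": nick, "ident": user, "host": host,
            "realname": " ".join(parts[9:])}

def looks_like_drone(client):
    """True only when all three traits from the comment line up."""
    name = REALNAME_RE.match(client["realname"])
    if not NICK_RE.match(client["nick"]) or not name:
        return False
    expected = (name.group(2) + name.group(1)).lower()
    # Assumption: compare case-insensitively and ignore the "~" some servers
    # prepend when no identd answer was received.
    ident = client["ident"].lstrip("~").lower()
    if len(ident) < min(len(expected), USERLEN):
        return False  # too short to be the (possibly truncated) reversed name
    return expected.startswith(ident)

def flag_drones(lines):
    """Return (nick, host) pairs an operator would review before banning."""
    clients = filter(None, map(parse_who_reply, lines))
    return [(c["nick"], c["host"]) for c in clients if looks_like_drone(c)]

# Constructed sample WHO replies (documentation addresses, invented names).
SAMPLE = [
    ":irc.example.net 352 oper #lobby SmithJohn 192.0.2.10 irc.example.net john27 H :0 John Smith",
    ":irc.example.net 352 oper #lobby Montgomery 198.51.100.7 irc.example.net chris7 H :0 Christopher Montgomery",
    ":irc.example.net 352 oper #lobby ~mike 203.0.113.5 irc.example.net mike99 H :0 Mike Jones",
    ":irc.example.net 352 oper #lobby ~parks 203.0.113.9 irc.example.net parksie H :0 parksie at home",
    ":irc.example.net 315 oper #lobby :End of /WHO list.",
]

if __name__ == "__main__":
    for nick, host in flag_drones(SAMPLE):
        print(f"review: {nick} @ {host}")
```
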

  12. Re:Missing from the discussion so far: by SailorFrag · · Score: 4, Interesting
    While we know that Fizzer only operates on the Windows platform and uses the Windows address book to mail itself, it also tries to use Kazaa to spread itself further.

    Actually, it doesn't use the Windows address book. I know this because I (under firewalled, very controlled conditions) ran it to see how it worked. One thing I noticed is that it was sending e-mails out to addresses I did not know. That computer does not have an address book, nor any outlook express smtp/pop3 server settings (I never configured it).

    Though the track record of OE and its address book is pretty bad, it isn't always to blame.
  13. Impact . . by geniusj · · Score: 3, Interesting

    I run a large dynamic dns provider and have had many, many abuse reports lately of people using worms like this. Generally, they will register a host with ODS that is round-robin and points to multiple IRC servers which they point their drones at. The effect of these trojans is huge and I'm surprised they're not covered more. Ones like this one have been around for a while, and are generally used (after infection) for DDoS attacks. Many of these botnets (that I have seen anyway) exceed 10,000 infected clients (in one IRC channel). They place an enormous burden on the IRC Networks (that have to accept all of these clients, a lot of the time, all at once when the command is issued to change servers) and also are fairly visible from our DNS servers (some causing about 10 queries/sec alone to the DNS servers).

    The point is that I've seen these botnets around for months and months now. Almost a year at this point with almost no coverage. I believe the days of smurf attacks are numbered, this is the new way to conduct DoS attacks. They're very effective as well, having seen the attacks targeting servers of mine.