IRC Networks Unite in Fight Against Fizzer Worm
Dave writes "Over the past few days, IRC Networks across the internet have felt the brunt of the Fizzer worm. In an unusual display of geek solidarity, representatives from dozens of IRC Networks, including EFNet, IRCNet and DALnet, have gathered to create a Fizzer Task Force. Interesting, and mostly productive results have occurred so far from such a meeting of the IRC minds."
IRC Networks across the internet have felt the brunt of the Fizzer worm.
Now, minuscule web servers, you will feel the brunt of the Slashdot behemoth!
Interesting, and mostly productive results have occurred so far from such a meeting of the IRC minds.
And, once this story is published, we'll observe the various effects of futile desperation!
Do you like German cars?
Not to point fingers, but as we all know IRC networks are a major conduit for the distribution of warez. I'm not living in a glass house here, so I'll admit that I've gotten viruses from "packs" downloaded through IRC networks. It's good to see that these guys are coming together and helping to stem the spread of this virus. Unfortunately, I've heard nothing from the KaZaA guys in this line, and they are probably much worse than the IRC people (all their clients are Windows platforms, most of their users are completely clueless, etc.) It takes some skills (not much, but some) to get stuff off IRC. Any jackass can download from KaZaA. That's where the real work needs to be done in order to stop this virus cold.
-A.M.
Pimpin' all the Karma Hoes!
Let's help these guys out by /.'ing their co-ordinating page!
From Symantec:
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
Heh. Clearly the work of an evil genius.
GF.
Lots of petrified grits
--anyone else get the impression this is a proactive anti-"piracy" move by the music and movie monopolists? That's what I thought of when I first read about this a couple of days ago. Looks like an attempt to shut down channels of P2P-ish nets.
Anyway, that's how I think with crimes, use flatfoot 101, "who profits?".
They'll do that, just as soon as we convince them to stop using IE, Outlook, and/or Windows because superior products exist.
The preceding post was not a Slashvertisement.
It's YAOW (Outlook Worm). Same drill, you open an infected attachment, it copies itself to the address book as well as installs its payload.
Dammit, when are worms going to get interesting again? This "exploit the hell out of Outlook" routine is getting old.
There is no reasonable defense against an idiot with an agenda
:wq
Problem Exists Between Chair And Keyboard. To the very best of my knowledge I haven't been infected by any virus or trojan since the early 90s when I didn't have Internet access and fast virus updates.
But even running around nekkid, I don't think I'd have caught more than a handful of viruses to begin with. Why the hell is it that people open up all the crap executable stuff they get? I think the best hope is a new generation that has grown up with SPAM, viruses etc. and doesn't fall for that kind of bullshit. Teaching old dogs new tricks doesn't work, but they will die eventually...
Kjella
Live today, because you never know what tomorrow brings
That note was from 2 years ago. Undernet is still going strong today and remains one of the largest IRC networks.
Mac OS X and Windows XP working side by side to fight back the night.
"task force"
Heh
This does not affect mIRC or any other IRC Client, at all.
The fizzer worm that's currently spreading, spreads through Outlook and Kazaa. It also has an IRC backdoor, through which presumably the virus author can access infected computers. This IRC backdoor connects to a list of several irc servers, and sits in a channel.
As the number of infected computers (Please people, update your Anti Virus software!) is growing, this puts a higher load on the irc servers. This is what it's all about, to find a way to get rid of the trojans from the servers, so that nobody can abuse them for DDoS or looking for CC numbers or other private info on infected machines, in a way that doesn't put too much stress on the IRC servers.
Are there any programs that allow processes to be "locked on"? It would be useful to restrict attempts to kill certain processes, to people that can provide the root password.
There are probably heaps of this kind of thing, and another layer of security is always welcome.
cheap web site hosting from 3 semi-mongrels a month
Through outlook, and by the user downloading warez from Kazaa.
See this f-secure article
So, what did Microsoft do wrong that allowed this to happen? 200 words or less. 5 points off each for use of either "dancing monkeyboy" or "Borg".
As it stands right now, the worm was poorly coded or released into public early. The IRC client is pretty much useless - it doesn't have any commands and you can't do anything with it.
Before we decided to actively get rid of them, we were attempting to see if we could do anything useful with them.
Eventually we had more bots than real users on the network (we're only small, so about 700 bots). With the Unreal fizzer-blocking module, we're close to having set around 10,000 local zlines.
Hopefully the admins on each network will notice them, and stop them being used for anything. After that, finding a way to remove the virus is less critical (if it becomes mostly useless).
parksie, ZiRC.
AVG AntiVirus Free Edition is available here: http://www.grisoft.com. When I used to use Windows, AVG was IMO the best antivirus out there in terms of speed and detection, compared to McAfee and Norton.
$cat
I've been using AntiVir for a few months on W2K and 98SE machines. Seems to work pretty well.
AVG appears to be another free one but I have not tried it.
I was using an older version of NAV Corporate but it seemed too bloated for some of my slower machines. I've also used the scaled down version of Trendmicro that normally comes packaged with new motherboards, it is limited to 3 months of updates unless you pay for a subscription but the price is reasonable if you want to keep using it.
Bad boys rape our young girls but Violet gives willingly.
I wish more people would emphasize this. If the worm author had spent a little more time in ironing out the incomplete features and bugs, this would have been one killer of a worm.
Add the missing features, remove that bug that makes it easy(ish) to identify programmatically on IRC, voilà, killerworm of doom.
The real question is, how long before someone actually does this, creates a better worm?
Whoever created Fizzer was on the right track by adding AIM capability (according to f-secure). Does AOL have any experience in combating trojan hacker communication through their systems? I bet not. Just imagine what the author could do with a few hundred thousand of these babies, it would make the slashdot effect pale in comparison!
We are sitting on a ticking time-bomb.. it's just a matter of time..
I would say better products actually pre-existed all the examples. The difference is marketing, cost, and positioning. Mac OS and maybe the Amiga I would say were better than Windows and pre-dated it for the most part (yes I know how far back Win 1.1 went, but I mean when people actually cared it existed). Netscape was definitely better than IE up until at least 4, I would argue 5. As for email, Eudora's no newcomer. People are lazy and/or uneducated for the most part. They had no desire to expand beyond what their computers came with or didn't know how. The way Windows had it integrated it certainly looked(s) like that was the proper/only way to do it. Bribing/strong-arming the ISPs didn't hurt either.
The preceding post was not a Slashvertisement.
Non-system disk or disk error
Replace disk and press any key when ready.
I was caught totally off guard on that one, but I don't think that it indicates a user = id10t problem on my part.
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
AH HA!
That is compelling evidence, of course... the virus was written by Microsoft. Next week they plan to release Fizzer XP Service Pack 1 which will fix those issues.
Go to any script kiddy channel, and see what they're running. It ain't windows.
Name some good H4X0R t00lZ for windows. Not so easy, is it?
All the portscanners, eggdrops, warbots, and other bullshit is linux based.
I guarantee the fellow/group behind fizzer connects with his linux box to control all of his 7337 bots.
The windows users are the leghumpers who keep asking you "a/s/l".
So why ban the victims? Ban the jerks.
You should really ban any scriptable client to 'save IRC'. There are enough stupid linux users to download "megascript for IRC-II" and have no idea what it's exposing to the mega h4x0rs of DALNet.
Your OSism is pretty much, like all prejudices, ignorant of the real issues. Just like the poor white hillbilly who thinks blacks are the cause of his problems, you sit pointing fingers at windows.
The thing to do is to simply realize that IRC is simply an insecure telnet hack. It always will be.
Recreate is based on ssh or something.
The windows users have all moved on to AIM and ICQ anyhow. IRC is old news.
I don't need no instructions to know how to rock!!!!
from Symantec: 'Keylogs all keystrokes to an encrypted file %windir%\iservc.klg.'
It stores encrypted data on your PC. You cannot use any method to decrypt this data to determine what keystrokes were collected and potentially transmitted.
Gotta love stupid laws.
The entire idea of IRC is communications between individuals. Some is direct, some is centralised, that part doesn't matter. It's a P2P network, and one of the significant ways files get traded.
You obviously don't have a clue what a P2P network is. The most striking feature of a Peer to Peer network is its lack of a centralised server - you communicate with the network through a peer. IRC has centralised servers, and although it is possible to form a direct connection with another client, you cannot connect to the network _through_ them. IRC is *not* P2P.
== Jez ==
Do you miss Firefox? Try Pale Moon.
The actual effect on IRC is that the virus creates bots which then sit in IRC channels and listen for instructions. Server ops are getting several thousand of these, in some cases, draining server resources. It's a network problem, not a client one.
F-Prot is what I use, and the DOS version is free: www.f-secure.com
This worm was hitting us badly. I personally spent at least six or seven hours slamming the fuck out of the clients (they connect with a very distinctive hostmask/realname/nick) since they started hitting us on Sunday, and we have ~1500 akills for distinctive IP's set up now.
As you may imagine, manual akills just weren't cutting it after a while. We all have actual jobs, and sitting on IRC whamming worms is something we don't get paid for. We've fixed our problem with a small Perl script one of our server admins wrote. I don't have the link where he placed it online right now, but I'm sure he'd be okay with sharing if anyone's interested. At the very least, it'll give you some heuristics to work from (the fundamental pattern is a nick with one, two, or three numbers on the end, a real name consisting of two capitalized words, and an identd response made of those two words reversed and conglomerated).
If there's any other admins of networks out there, pop onto irc.kdfs.net and join #helpdesk. Mention that you're looking for Puffy (me) or Danzak (script writer) and you're interested in our virus client killing bot.
No false positives so far. :)
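The three-part pattern the post above describes (trailing digits on the nick, a two-word capitalised realname, an ident built from those two words in reverse order) is easy to turn into a server-side matcher. The following is an added example written for this page, not the Perl script the poster mentions. It parses a constructed record format of the form `nick!ident@host :realname` (real ircd connect notices differ and would need their own parser), and the case-insensitive comparison of the ident string is an assumption, since the post does not say how the worm cases it.

```python
import re
from dataclasses import dataclass

# Heuristic from the post: nick ends in one to three digits, realname is two
# capitalised words, and the identd reply is those two words in reverse order
# run together. The nick prefix class excludes digits, so exactly the trailing
# run of digits is matched.
NICK_RE = re.compile(r"^[A-Za-z][A-Za-z_\[\]\\`^{}|-]*[0-9]{1,3}$")
REALNAME_RE = re.compile(r"^([A-Z][a-z]+) ([A-Z][a-z]+)$")


@dataclass(frozen=True)
class Client:
    nick: str
    ident: str
    host: str
    realname: str


def parse_client(line: str) -> Client:
    """Parse one record in the constructed format 'nick!ident@host :realname'.

    This format is made up for the example; real server connect notices vary
    by ircd and would need their own parser.
    """
    prefix, _, realname = line.partition(" :")
    nick, _, rest = prefix.partition("!")
    ident, _, host = rest.partition("@")
    if not (nick and ident and host):
        raise ValueError(f"malformed record: {line!r}")
    return Client(nick, ident, host, realname)


def looks_like_fizzer(c: Client) -> bool:
    """Return True only when all three parts of the pattern line up."""
    if not NICK_RE.match(c.nick):
        return False
    m = REALNAME_RE.match(c.realname)
    if not m:
        return False
    first, second = m.groups()
    # Assumption: ident case is not significant for the comparison.
    return c.ident.lower() == (second + first).lower()


def flag_clients(lines):
    """Return the nicks of all records matching the heuristic, in input order."""
    return [c.nick for c in map(parse_client, lines) if looks_like_fizzer(c)]


# Constructed sample records (not real connections or real hosts).
SAMPLE = [
    "Bxqwrt42!SmithJohn@198.51.100.7 :John Smith",   # all three parts match
    "someuser!someuser@198.51.100.20 :someuser",     # ordinary user, no digits
    "Alice7!AliceBaker@203.0.113.5 :Alice Baker",    # ident not reversed
    "John1234!SmithJohn@203.0.113.9 :John Smith",    # four trailing digits
    "kl9!doebob@192.0.2.33 :Bob Doe",                # matches (ident lower-cased)
    "opername!oper@192.0.2.40 :Network operator on duty",
]

if __name__ == "__main__":
    for nick in flag_clients(SAMPLE):
        print("flag:", nick)
```

Requiring all three parts to match is what keeps the false-positive rate low: plenty of legitimate users have a trailing digit or a two-word realname, but very few also run an ident daemon that answers with the realname words swapped and joined.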
If Windows came with a p2p application built into the OS, people would use that no matter how bad it was.
IRC might be a client/server network, but DCC is strictly peer to peer. In DCC you create a direct connection between your IP address and the IP address of the person you are exchanging information with. IRC facilitates finding someone to do a DCC connection with, but that's it.
Knowledge is power. Knowledge shared is power multiplied.
Just a pet peeve when people refer to it that way.., one is a client of many, the other is a network ( also many )...
And it just sounds like people need to use some common sense, and update signatures.. None of these things should be a huge deal..
---- Booth was a patriot ----
Debian, it's like your first visit to the free clinic. Your privates are sore, you are angry with close friends and you don't like what people at the clinic are telling you. You can leave and things will get worse or you can listen to good advice and not have to go back.
Friends don't help friends install M$ junk.
main page
Removal tool
Cleaned up my office yesterday very nicely.
For those unaware of what the Fizzer worm does and stuff. You can find most stuff here.
Gee, really going way out of your way to change the subject, huh? Wonder why that is? Got something to defend there? Chatting, irc, etc are way close enough to be referred to as a sort of P2P.
Change what subject? I'm responding to what you said.
I can discuss with people, just don't "do" insults, which I certainly didn't start, so if you or anyone else want to talk to me, do it without insults or get ignored from here on out.
The original poster who corrected you didn't insult you at all. Go back and read it, I'll wait.
I just don't like picky crap like this, it's a waste of time. If you can't figure out what my basic thoughts were,
Let's just stick to the language we've all (except you) agreed upon, ok? Stop inventing words, or misusing them and we'll be fine.
And last I knew, there isn't any official P2P overlord who has got the one and true legal definition of P2P
Well, I'll inform you that there is.
BUT, we'll let you "win" that one, only the way you describe it is the one true "official" definition. All hail the official P2P uberdictator!
You are just making an ass out of yourself. Don't worry, I'm not going to stop you.
Dacels Jewelers can't be trusted.
I've never run any sort of anti-virus... Ever. And I've never had a virus... ...that I noticed.
Just because you don't think you have a virus doesn't mean you don't have one that's good at hiding. Try loading an AV and seeing what it finds. It might do you some good.
Personally, I have an updated one that I keep disabled most of the time except when I get up and leave it on; then I tell it to scan. Hasn't turned up anything. Good sign...
Black holes are where the Matrix raised SIGFPE
I run a large dynamic dns provider and have had many many abuse reports lately of people using worms like this. Generally, they will register a host with ODS that is round-robin and points to multiple IRC servers which they point their drones at. The effect with these trojans are huge and I'm surprised they're not covered more. Ones like this one have been around for a while, and are generally used (after infection) for DDoS attacks. Many of these botnets (that I have seen anyway) exceed 10,000 infected clients (in one IRC channel). They place an enormous burden on the IRC Networks (that have to accept all of these clients, a lot of the time, all at once when the command is issued to change servers) and also are fairly visible from our DNS servers (some causing about 10 queries/sec alone to the DNS servers).
The point is that I've seen these botnets around for months and months now. Almost a year at this point with almost no coverage. I believe the days of smurf attacks are numbered, this is the new way to conduct DoS attacks. They're very effective as well, having seen the attacks targeting servers of mine.
Why can't the M$ dummies do like every other reasonable OS and implement file permissions and owners within the file system?
What are you talking about? Windows has far more fine-grained access control, permissioning and user management than Unix. I'm no MS fanboy but it's a simple fact - the Unix mechanism with chmod and chown is really crude by comparison (although it's tried & tested).
---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"
Netscape was better than IE prior to the 3's. Version 3 was pretty equal on both and then IE blew Netscape away when it came to version 4. Netscape 4 was a blight on society with some of the worst standards support of any browser prior and since.
Check me on this: Didn't Microsoft start giving away IE BEFORE Netscape 4? If so:
Don't you think cutting off Netscape's revenue stream might have had something to do with the amount of Quality Assurance they could afford to do on their follow-on releases? In addition to pressuring them to release it early to try to get a little more cash in house before they dry up and blow away?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way