Slashdot Mirror


IRC Networks Unite in Fight Against Fizzer Worm

Dave writes "Over the past few days, IRC Networks across the internet have felt the brunt of the Fizzer worm. In an unusual display of geek solidarity, representatives from dozens of IRC Networks, including EFNet, IRCNet and DALnet, have gathered to create a Fizzer Task Force. Interesting, and mostly productive results have occurred so far from such a meeting of the IRC minds."


  1. The battle has ended. You've got worms! by Scoria · · Score: 3, Funny

    IRC Networks across the internet have felt the brunt of the Fizzer worm.

    Now, minuscule web servers, you will feel the brunt of the Slashdot behemoth!

    Interesting, and mostly productive results have occurred so far from such a meeting of the IRC minds.

    And, once this story is published, we'll observe the various effects of futile desperation!

    --
    Do you like German cars?
  2. As Well They Should ... by AlabamaMike · · Score: 5, Insightful

    Not to point fingers, but as we all know IRC networks are a major conduit for the distribution of warez. I'm not living in a glass house here, so I'll admit that I've gotten viruses from "packs" downloaded through IRC networks. It's good to see that these guys are coming together and helping to stem the spread of this virus. Unfortunately, I've heard nothing from the KaZaA guys in this line, and they are probably much worse than the IRC people (all their clients are Windows platforms, most of their users are completely clueless, etc.) It takes some skills (not much, but some) to get stuff off IRC. Any jackass can download from KaZaA. That's where the real work needs to be done in order to stop this virus cold.
    -A.M.

    --
    Pimpin' all the Karma Hoes!
    1. Re:As Well They Should ... by DNS-and-BIND · · Score: 5, Funny

      We really need to shut down USENET as well, as it's a major conduit for the distribution of warez. FTP is also a big problem. The world wide web is a major, major conduit for the distribution of warez. And don't even talk to me about filesharing networks...all major conduits for the distribution of warez.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    2. Re:As Well They Should ... by slug359 · · Score: 3, Informative

      QuakeNet probably won't get targeted as they have a highly active anti-worm/trojan squad equipped with a trojan scanner (my work) and other services which hunt the network for flood clones/trojans/illegal botnets automatically.

    3. Re:As Well They Should ... by Anonymous Coward · · Score: 3, Funny

      I haven't seen the statistics, but I believe CAT5 ethernet cable is one of the worst piracy tools ever made by man. NO copyright protection technology, NO logging or audit trail, and all those wires (both of them) make it hard for law enforcement to tap.

      I suggest an immediate ban, and the sending of threatening letters to all CAT5 owners.

    4. Re:As Well They Should ... by Richy_T · · Score: 3, Funny
      ME TOO!

      Rich

  3. Yeah! by Farley+Mullet · · Score: 3, Funny

    Let's help these guys out by /.'ing their co-ordinating page!

  4. *Ahem* by guacamolefoo · · Score: 5, Funny

    From Symantec:

    Systems Not Affected: Macintosh, OS/2, UNIX, Linux

    Heh. Clearly the work of an evil genius.

    GF.

    1. Re:*Ahem* by Anonymous Coward · · Score: 3, Funny

      Systems Not Affected: Macintosh, OS/2, UNIX, Linux

      I guess that means BeOS is at risk? Oh no!

    2. Re:*Ahem* by fred666 · · Score: 4, Informative

      *NIX/Linux systems can be at risk if you're using a misconfigured wine.

      Seriously, wine is getting better every month and can run a wider range of window$ software; it is not surprising that it will (could?) run Windows worms/viruses (which are software written by humans after all) and put our supposed-virus-free OS [insert your preferred flavour of unix here] at the same level of risk as windoze users.

      Please think about it if you install such software...

  5. possible perps by zogger · · Score: 3, Interesting

    --anyone else get the impression this is a proactive anti-"piracy" move by the music and movie monopolists? That's what I thought of when I first read about this a couple of days ago. Looks like an attempt to shut down channels of P2P-ish nets.

    Anyway, that's how I think with crimes, use flatfoot 101, "who profits?".

    1. Re:possible perps by fafaforza · · Score: 3, Insightful

      Who knows. One thing is for sure though: by publicising their intentions of sabotaging files on Kazaa and distributing viruses, they opened themselves up to such speculation.

  6. Re:method by Lxy · · Score: 4, Funny

    It's YAOW (Outlook Worm). Same drill, you open an infected attachment, it copies itself to the address book as well as installs its payload.

    Dammit, when are worms going to get interesting again? This "exploit the hell out of Outlook" routine is getting old.

    --

    There is no reasonable defense against an idiot with an agenda
    :wq
  7. PEBCAK by Kjella · · Score: 5, Insightful

    Problem Exists Between Chair And Keyboard. To the very best of my knowledge I haven't been infected by any virus or trojan since the early 90s when I didn't have Internet access and fast virus updates.

    But even running around nekkid, I don't think I'd have caught more than a handful of viruses to begin with. Why the hell is it that people open up all the crap executable stuff they get? I think the best hope is a new generation that has grown up with SPAM, viruses etc. and don't fall for that kind of bullshit. Teaching old dogs new tricks doesn't work, but they will die eventually...

    Kjella

    --
    Live today, because you never know what tomorrow brings
    1. Re:PEBCAK by Ed+Avis · · Score: 5, Insightful

      The best hope is a user interface that clearly distinguishes between *running a program* and *opening a document*. Windows over the years has deliberately blurred this - even in Win3.x Program Manager the command to run an application was called 'Open'. Cute, but it doesn't help people learn the difference between documents, which are just data that can be viewed, and programs, which are instructions for your machine to perform.

      You may object that things like Word macros (and their associated viruses) blur the line between files and executables. But that is another instance of the same problem: 'opening' such a document should be split into the two questions it implies: do you want to *view* the file contents? do you want to *execute* the instructions in the file?

      If user interfaces and especially mail clients bothered to present this distinction to the user then a lot of the worm problems would go away. Some people would still have virus checkers, mostly companies who don't trust their employees not to execute dancing_elephants.exe. But even in those cases, it would be simple to lock down mail clients to not allow execution, as long as they bother to make a clear distinction between viewing and executing to start with. (And as long as the applications they launch, such as Word, do the same.)

      One way of explaining this in non-technical language is: 'If I sent you a letter and it said "please jump off the nearest cliff" and you read it, would it do any harm to you? Why should the equivalent message sent to a computer be any different?'

      --
      -- Ed Avis ed@membled.com
    2. Re:PEBCAK by Ummagumma · · Score: 4, Insightful

      Replace the word 'computer' with the word 'automobile' in the following sentence:

      "Users should *not* have to be scared of using their computer. The computer should simply stop them from doing anything wrong."

      Now how do you feel about that?

      I'm not agreeing or disagreeing with you here - just food for thought.

      --
      "The natural progress of things is for liberty to yield and government to gain ground." - Thomas Jefferson
  8. Re:death of irc? by NDPTAL85 · · Score: 3, Informative

    That note was from 2 years ago. Undernet is still going strong today and remains one of the largest IRC networks.

    --
    Mac OS X and Windows XP working side by side to fight back the night.
  9. Not your usual "task force" by mao+che+minh · · Score: 5, Funny
    No, there are no physically adept and good looking individuals complemented with the obligatory "tough guy". No Tommy Lee Jones-like leader, bravely charging into danger. No electronics laden vans and phone taps. Just a bunch of pasty guys that are experts on Star Trek lore and like to debate the power of Perl.

    "task force"

    Heh

    1. Re:Not your usual "task force" by CharlieO · · Score: 4, Insightful

      Yeah but those pasty guys that are experts on Star Trek lore and know weird backwaters of Perl can also remove your systems/isp/country from the net without breaking into a sweat.

      And trust me you can cause more pain to more people by dumping their net connection than you ever could with a swat team.

      First there's the pain for lusers that find their mail, IM and file swappers don't work, then there's the pain in the call centre when harassed techs try to explain to consumers what's going on, then there's the pain felt by the BOFHs with management hovering over their shoulder, then there is further pain caused by the many minor bumps and niggles and repeats as the systems cope (or not) with the backlog built up in the down time. And after all that, if it was a good one, there are the recriminations on support boards, the calls for compensation, customers leaving, no end of replanning from the management team.

      Ahhhh

      The beauty is that a good DDOS is a gift that just keeps on giving.

      Truly Cthulhu is amongst us :)

  10. Re:mIRC by shadowjk · · Score: 5, Informative

    This does not affect mIRC or any other IRC Client, at all.

    The fizzer worm that's currently spreading, spreads through outlook and Kazaa. It also has an IRC backdoor, through which presumably the virus author can access infected computers. This IRC backdoor connects to a list of several irc servers, and sits in a channel.

    As the number of infected computers (Please people, update your Anti Virus software!) is growing, this puts a higher load on the irc servers. This is what it's all about, to find a way to get rid of the trojans from the servers, so that nobody can abuse them for DDoS or looking for CC numbers or other private info on infected machines, in a way that doesn't put too much stress on the IRC servers.

  11. Missing from the discussion so far: by burgburgburg · · Score: 3, Insightful
    How exactly can we blame Microsoft for this? While we know that Fizzer only operates on the Windows platform and uses the Windows address book to mail itself, it also tries to use Kazaa to spread itself further.

    So, what did Microsoft do wrong that allowed this to happen? 200 words or less. 5 points off each for use of either "dancing monkeyboy" or "Borg".

    1. Re:Missing from the discussion so far: by SailorFrag · · Score: 4, Interesting
      While we know that Fizzer only operates on the Windows platform and uses the Windows address book to mail itself, it also tries to use Kazaa to spread itself further.

      Actually, it doesn't use the Windows address book. I know this because I (under firewalled, very controlled conditions) ran it to see how it worked. One thing I noticed is that it was sending e-mails out to addresses I did not know. That computer does not have an address book, nor any outlook express smtp/pop3 server settings (I never configured it).

      Though the track record of OE and its address book is pretty bad, it isn't always to blame.
  12. Re:mIRC by alien88 · · Score: 4, Interesting

    As it stands right now, the worm was poorly coded or released into public early. The IRC client is pretty much useless - it doesn't have any commands and you can't do anything with it.

  13. Re:mIRC by parksie · · Score: 3, Interesting

    Before we decided to actively get rid of them, we were attempting to see if we could do anything useful with them.

    Eventually we had more bots than real users on the network (we're only small, so about 700 bots). With the Unreal fizzer-blocking module, we're close to having set around 10,000 local zlines.

    Hopefully the admins on each network will notice them, and stop them being used for anything. After that, finding a way to remove the virus is less critical (if it becomes mostly useless).

    parksie, ZiRC.

  14. Re:okay, time to update by ejaw5 · · Score: 4, Informative

    AVG AntiVirus Free Edition is available here: http://www.grisoft.com When I used to use windows, AVG was IMO the best antivirus out there in terms of speed and detection, compared to McAfee and Norton.

    --

    $cat /dev/random > Sig
  15. Re:mIRC by shadowjk · · Score: 3, Interesting

    I wish more people would emphasize this. If the worm author had spent a little more time in ironing out the incomplete features and bugs, this would have been one killer of a worm.

    Add the missing features, remove that bug that makes it easy(ish) to identify programmatically on IRC, voilà, killerworm of doom.

    The real question is, how long before someone actually does this, creates a better worm?

    Whoever created Fizzer was on the right track by adding AIM capability (according to f-secure), does AOL have any experience in combating trojan hacker communication through their systems? I bet not. Just imagine what the author could do with a few hundred thousand of these babies, it would make the slashdot effect pale in comparison!

    We are sitting on a ticking time-bomb.. it's just a matter of time..

  16. Re:mIRC by pecosdave · · Score: 4, Insightful

    I would say better products actually pre-existed all the examples. The difference is marketing, cost, and positioning. Mac OS and maybe the Amiga I would say were better than Windows and pre-dated it for the most part (yes I know how far back Win 1.1 went, but I mean when people actually cared it existed). Netscape was definitely better than IE up until at least 4, I would argue 5. As for email, Eudora's no newcomer. People are lazy and/or uneducated for the most part. They had no desire to expand beyond what their computers came with or didn't know how. The way Windows had it integrated it certainly looked(s) like that was the proper/only way to do it. Bribing/strong arming the ISPs didn't hurt either.

    --
    The preceding post was not a Slashvertisement.
  17. Re:mIRC by bongoras · · Score: 5, Funny

    AH HA!

    That is compelling evidence, of course... the virus was written by Microsoft. Next week they plan to release Fizzer XP Service Pack 1 which will fix those issues.

  18. DMCA protects the virus data by emptybody · · Score: 3, Insightful

    from Symantec: 'Keylogs all keystrokes to an encrypted file %windir%\iservc.klg.'

    It stores encrypted data on your PC. You cannot use any method to decrypt this data to determine what keystrokes were collected and potentially transmitted.

    Gotta love stupid laws.

    --
    comment directly in my journal
    1. Re:DMCA protects the virus data by Alsee · · Score: 3, Interesting

      As much as I enjoy your post, I don't think it's accurate. You would be the copyright holder of the keystrokes it is writing. Therefore you can decrypt the file with the authority of the copyright holder.

      I hope no one takes this as a defense of the DMCA, it is an evil law. The DMCA makes it a crime to sit motionless and think certain thoughts. I really wish it would get struck down as unconstitutional already.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  19. Re:okay, time to update by Dioji · · Score: 3, Informative

    F-Prot is what I use, and the DOS version is free: www.f-secure.com

  20. I... by Telent · · Score: 3, Interesting
    ... am a technical administrator on a fairly small (100-200 users), Klingon-themed network that plays host to a fairly large Star Trek simming organization.

    This worm was hitting us badly. I personally spent at least six or seven hours slamming the fuck out of the clients (they connect with a very distinctive hostmask/realname/nick) since they started hitting us on Sunday, and we have ~1500 akills for distinctive IPs set up now.

    As you may imagine, manual akills just wasn't cutting it after a while. We all have actual jobs, and sitting on IRC whamming worms is something we don't get paid for. We've fixed our problem with a small Perl script one of our server admins wrote. I don't have the link where he placed it online right now, but I'm sure he'd be okay with sharing if anyone's interested. At the very least, it'll give you some heuristics to work from (the fundamental pattern is a nick with one, two, or three numbers on the end, a real name consisting of two capitalized words, and an identd response made of those two words reversed and conglomerated).

    If there's any other admins of networks out there, pop onto irc.kdfs.net and join #helpdesk. Mention that you're looking for Puffy (me) or Danzak (script writer) and you're interested in our virus client killing bot.

    No false positives so far. :)
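
The heuristic Telent describes above (nick ending in one to three digits, realname of two capitalised words, ident equal to those two words swapped and joined), implemented over a constructed client listing, as an added example; this is not the KDFS script, Danzak's code, or the Unreal fizzer-blocking module parksie mentions, none of which are on the page. Assumptions: "reversed and conglomerated" is read as the two words in swapped order with no separator, the input is in `nick!ident@host :realname` form, the sample clients and IP addresses are made up, and the `ZLINE` syntax is an UnrealIRCd-style illustration to be adapted to whatever ircd or services you run. Note that a real user whose ident happens to be built the same way from a two-word realname would also match, so review matches before banning in bulk.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List

# Constructed sample: one client per line in nick!ident@host :realname form.
# The first two lines follow the pattern described in the thread; the rest
# are ordinary users and must not match.
SAMPLE_CLIENTS = """\
Jennifer42!LeeJennifer@203.0.113.17 :Jennifer Lee
Brett7!PearceBrett@198.51.100.9 :Brett Pearce
puffy!puffy@irc.example.org :Klingon Admin
Mark123!mark@192.0.2.55 :Mark
bob99!bob@192.0.2.56 :Bob Smith
Alice2!SmithAlice@192.0.2.57 :Alice Smith Jones
"""

CLIENT_RE = re.compile(r"^(\S+)!(\S+)@(\S+) :(.*)$")
# Nick: letters followed by one to three trailing digits.
NICK_RE = re.compile(r"^[A-Za-z]+[0-9]{1,3}$")
# Realname: exactly two capitalised words.
REALNAME_RE = re.compile(r"^([A-Z][a-z]+) ([A-Z][a-z]+)$")


@dataclass(frozen=True)
class Client:
    nick: str
    ident: str
    host: str
    realname: str


def parse_clients(text: str) -> Iterator[Client]:
    """Yield Client records from nick!ident@host :realname lines; skip junk."""
    for line in text.splitlines():
        m = CLIENT_RE.match(line.strip())
        if m:
            yield Client(*m.groups())


def looks_like_fizzer(c: Client) -> bool:
    """Apply all three parts of the heuristic from the thread.

    Assumption: 'reversed and conglomerated' means the two realname words in
    swapped order, joined with no separator (Lee + Jennifer for 'Jennifer Lee').
    The ident is compared case-insensitively. A '~'-prefixed ident means the
    ircd got no identd answer, so such a client deliberately does not match.
    """
    if not NICK_RE.match(c.nick):
        return False
    m = REALNAME_RE.match(c.realname)
    if not m:
        return False
    first, second = m.groups()
    return c.ident.lower() == (second + first).lower()


def find_drones(text: str) -> List[Client]:
    """Return every client in the listing that satisfies all three checks."""
    return [c for c in parse_clients(text) if looks_like_fizzer(c)]


def ban_command(c: Client, reason: str = "Fizzer drone") -> str:
    """UnrealIRCd-style Z:line on the drone's host (assumed syntax; adapt to
    your ircd or services). Banning *@host rather than the nick means the
    drone cannot dodge the ban by reconnecting under a fresh random nick."""
    return f"ZLINE *@{c.host} 0 :{reason}"


if __name__ == "__main__":
    for drone in find_drones(SAMPLE_CLIENTS):
        print(ban_command(drone))
```

Feed it the output of a `WHO` or a services client list in the same shape and pipe the resulting commands to an oper session; the three checks are independent, so a drone that fakes any one of them (a fixed realname, say) escapes, which is why the thread's authors expected a better-written worm to be much harder to pick out this way.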

  21. a free cure for the windows virus. by twitter · · Score: 3, Funny

    Debian, it's like your first visit to the free clinic. Your privates are sore, you are angry with close friends and you don't like what people at the clinic are telling you. You can leave and things will get worse or you can listen to good advice and not have to go back.

    --

    Friends don't help friends install M$ junk.

  22. Info by Anonymous Coward · · Score: 4, Informative

    For those unaware of what the Fizzer worm does and stuff. You can find most stuff here.

  23. You've missed something - by moogla · · Score: 3, Insightful

    I've never run any sort of anti-virus... Ever. And I've never had a virus... ...that I noticed.

    Just because you don't think you have a virus doesn't mean you don't have one that's good at hiding. Try loading an AV and seeing what it finds. It might do you some good.

    Personally, I have an updated one that I keep disabled most of the time except when I get up and leave it on; then I tell it to scan. Hasn't turned up anything. Good sign...

    --
    Black holes are where the Matrix raised SIGFPE
  24. Impact . . by geniusj · · Score: 3, Interesting

    I run a large dynamic dns provider and have had many many abuse reports lately of people using worms like this. Generally, they will register a host with ODS that is round-robin and points to multiple IRC servers which they point their drones at. The effect of these trojans is huge and I'm surprised they're not covered more. Ones like this one have been around for a while, and are generally used (after infection) for DDoS attacks. Many of these botnets (that I have seen anyway) exceed 10,000 infected clients (in one IRC channel). They place an enormous burden on the IRC Networks (that have to accept all of these clients, a lot of the time, all at once when the command is issued to change servers) and also are fairly visible from our DNS servers (some causing about 10 queries/sec alone to the DNS servers).

    The point is that I've seen these botnets around for months and months now. Almost a year at this point with almost no coverage. I believe the days of smurf attacks are numbered, this is the new way to conduct DoS attacks. They're very effective as well, having seen the attacks targeting servers of mine.
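
geniusj's observation above, that a drone rendezvous name stands out in the authoritative server's logs as a burst of queries from many different clients, turned into a small detector over constructed log lines, as an added example; it is not ODS's tooling and the page shows no real log data. Assumptions: the log is in a BIND-style `client A.B.C.D#port: query: name IN type` shape with a date and time prefix, the thresholds (5 queries in one second from at least 5 distinct clients) are illustrative, and all names and addresses are made up. Requiring many distinct clients is what separates a drone herd resolving its C2 name from one busy resolver re-querying a single record.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed sample in a BIND-style query-log shape (assumption: the page
# does not show the real server's log format). Eight different clients
# resolve the same dynamic name inside one second, as drones would when
# told to reconnect; the remaining lines are ordinary traffic.
SAMPLE_LOG = """\
12-May-2003 03:14:07.012 client 192.0.2.10#1045: query: drones.example-dyn.net IN A
12-May-2003 03:14:07.101 client 192.0.2.11#1207: query: drones.example-dyn.net IN A
12-May-2003 03:14:07.188 client 198.51.100.4#1033: query: drones.example-dyn.net IN A
12-May-2003 03:14:07.230 client 198.51.100.9#2011: query: DRONES.example-dyn.net. IN A
12-May-2003 03:14:07.377 client 203.0.113.17#1099: query: drones.example-dyn.net IN A
12-May-2003 03:14:07.402 client 203.0.113.21#1120: query: www.example-dyn.net IN A
12-May-2003 03:14:07.611 client 203.0.113.40#1301: query: drones.example-dyn.net IN A
12-May-2003 03:14:07.702 client 192.0.2.77#1044: query: drones.example-dyn.net IN A
12-May-2003 03:14:07.903 client 192.0.2.78#1045: query: drones.example-dyn.net IN A
12-May-2003 03:14:08.004 client 203.0.113.21#1121: query: www.example-dyn.net IN A
12-May-2003 03:14:08.310 client 192.0.2.10#1046: query: mail.example-dyn.net IN MX
this line is not a query record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<day>\S+) (?P<time>\d\d:\d\d:\d\d)\.\d+ client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (one-second bucket, client IP, normalised name, qtype) per record.

    Names are lower-cased and stripped of a trailing dot so case and
    absolute/relative spelling do not split one name into several counters.
    """
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        bucket = f"{m['day']} {m['time']}"
        yield bucket, m["client"], m["name"].lower().rstrip("."), m["qtype"]


def peak_rates(log: str) -> Dict[str, Tuple[int, int]]:
    """Per name: (most queries seen in any single second, distinct clients)."""
    per_second: Dict[str, Counter] = defaultdict(Counter)
    clients: Dict[str, set] = defaultdict(set)
    for bucket, client, name, _ in parse_queries(log):
        per_second[name][bucket] += 1
        clients[name].add(client)
    return {n: (max(c.values()), len(clients[n])) for n, c in per_second.items()}


def suspicious_names(log: str, qps: int = 5, min_clients: int = 5) -> List[str]:
    """Names whose peak per-second rate and client spread both reach the
    thresholds (illustrative values; tune to the zone's normal traffic)."""
    return sorted(
        name
        for name, (peak, nclients) in peak_rates(log).items()
        if peak >= qps and nclients >= min_clients
    )


if __name__ == "__main__":
    for name in suspicious_names(SAMPLE_LOG):
        print(name, peak_rates(SAMPLE_LOG)[name])
```

On a real dynamic DNS service the flagged names are the ones to inspect for the round-robin record set pointing at several IRC servers that geniusj describes; pulling or NXDOMAINing such a name leaves the drones unable to find their server, which is cheaper than every IRC network banning them one host at a time.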