Slashdot Mirror


Fizzer Worm Uninstalling Itself

boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also posted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."

434 comments

  1. Huh? by keesh · · Score: 2, Interesting

    They're intentionally running code on people's machines without their permission?

    1. Re:Huh? by Washizu · · Score: 5, Insightful

      No, the Fizzer runs the code. I think this is a pretty elegant solution to the problem.

      --
      OddManIn: A Game of guns and game theory.
    2. Re:Huh? by Solidblu · · Score: 4, Insightful

      They aren't running code in individual computers. They are merely putting code up which may run on your computer if you have this virus and uninstalls it. I know it sounds bad the way you say it and in general it usually is bad but the URL is out there if you want to disassemble it make sure it's just uninstalling. Go ahead. I'm sure other people are interested and doing so. If someone finds out that it is more than just the uninstaller, then we can hang someone.

    3. Re:Huh? by Albanach · · Score: 5, Informative

      Not really, the worm initiated the connection from the user's machine, downloaded the software and executed it - it was pulled by the client not pushed by the server. So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable.

    4. Re:Huh? by scalis · · Score: 5, Funny

      I'm SURE this must violate the Fizzer EULA somehow, in fact FizzerCorp has set their legal department to work on this right now!

      --

      True ravers don't need drugs
    5. Re:Huh? by UnderAttack · · Score: 2, Informative

      No. You are not running the code. The worm downloads it from the site and runs it. You are just making the code available.

      On the other hand, according to a more recent report, this method does not seem to work so far for the fizzler worm :-(

      --
      ---- join dshield.org Distributed Intrusion Detec
    6. Re:Huh? by Anonymous Coward · · Score: 0

      Pull, push, whatever. It's pretty obvious these people put code on a website knowing it would be run on people's computers without their permission. I agree it was done without mallace, but I wouldn't want to be the one liable for this.

    7. Re:Huh? by Ed+Avis · · Score: 4, Funny

      It would have been smarter for the worm to verify a signature on the code it downloads (a la Xbox) so it couldn't be disabled in this way. Trusting a particular Geocities URL is just silly.

      --
      -- Ed Avis ed@membled.com
    8. Re:Huh? by Anonymous Coward · · Score: 2, Funny

      As you state, it was done without lace from any mall. I believe it was also done without mallets, mallards, malaprops, and mallrats.

    9. Re:Huh? by Anonymous Coward · · Score: 0

      Oh, dear. I'd better check my copy of the Fizzer EULA immediately.

    10. Re:Huh? by WPIDalamar · · Score: 5, Funny


      Viruses should put EULA's on them! I mean how many times do you see them posted to bugtraq, or dissected and discussed. This is a clear violation of the copyright the author has on the code!

      Of course, I'd love to see that author try to sue someone over it.

      Cracker: He stole my virus.
      Judge: I award you $1000 in damages, and 20 years in jail.

    11. Re:Huh? by Anonymous Coward · · Score: 0

      You are uninformed, and so is everyone that modded this 'informative'.

    12. Re:Huh? by Anonym0us+Cow+Herd · · Score: 5, Interesting

      It would have been smarter for the worm to verify a signature on the code it downloads

      Even better, it should not go to a hardcoded URL. This makes it too easy for the enemy to take over a vulnerable web page and attack the worm operation.

      The worm should download its code via. P2P, maybe IRC, or maybe even Freenet. Especially Freenet. This way, the more the worm updates are requested, the more they replicate.

      Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

      Finally, you had better not be shown to have the private key when the bad guys come knocking.

      --
      The price of freedom is eternal litigation.
    13. Re:Huh? by Erasmus+Darwin · · Score: 2, Interesting
      "So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable."

      Except that they went out of their way to deliberately place this executable where they knew an automated process (which was almost certainly installed without user consent) would execute it from. While I agree with the notion of trying to clean up the Fizzer worm, it's possible they may be going about in a way that's less than legal (despite a lack of harm being done).

    14. Re:Huh? by Chatterton · · Score: 1

      Cracker: He stole my virus.
      Judge: I award you $1000 in damages, and 20 years in jail


      Actually the cracker could not get 20 years in jail on this judgement. But, after this judgment we can then take another judgment against the cracker on the fact that he has claimed his paternity in the previous judgment :)

    15. Re:Huh? by secolactico · · Score: 4, Insightful

      Especially Freenet.

      Yup. Untraceable, but probably useless if you want to use machines behind nat/firewall.

      Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

      This was the idea behind the Curious Yellow concept. It was featured on Slashdot a while ago.

      --
      No sig
    16. Re:Huh? by FroMan · · Score: 1

      Seems to me a better solution would be to either have the machine alert the user that they have Fizzer and need to do something about it. Uninstalling it without letting the user know they have it seems like a really bad plan.

      It'd be like someone breaks into a car and I notice when they are done that doors are locked so I go lock the doors for them. Who is to say that the person who broke into the car didn't do something other than just take their tapes or something. It would be better for me to leave a note for the person that I saw someone breaking into the car.

      --
      Norris/Palin 2012
      Fact: We deserve leaders who can kick your ass and field dress your carcass.
    17. Re:Huh? by Anonymous Coward · · Score: 0

      "Except that they went out of their way to deliberately place this executable where they knew an automated process (which was almost certainly installed without user consent) would execute it from"

      Sure. But there's nothing illegal or immoral about that.

    18. Re:Huh? by sTalking_Goat · · Score: 1

      dude I'm going to put all these ideas in Fizzer the Twizzer, my shizzer.

      --

      My days of not taking you seriously are certainly coming to a middle...

    19. Re:Huh? by Anonymous Coward · · Score: 1, Insightful

      Unfortunately, by the same argument...

      the telnet daemon runs login, login runs a shell, and the shell executes the code.

    20. Re:Huh? by nocomment · · Score: 4, Funny

      FizzerCorp is too busy to sue. They are trying to prepare their defense to say that in fact fizzer does _NOT_ contain SCO code.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    21. Re:Huh? by facelessnumber · · Score: 5, Funny

      Oh, that's a great idea! How about a flashing red popup window, that says "Your computer may have a VIRUS! Punch the monkey to remove it!"

      ...Would you click it?

    22. Re:Huh? by Tuna_Shooter · · Score: 2, Funny

      I'm just wondering why someone doesn't release a "Fizzer" - "Code-Red" type of worm that will actually FIX some of Redmond's holes..... seems kinda logical don't ya think ???

      --
      *--- Sometimes a majority only means that all the fools are on the same side. ---*
    23. Re:Huh? by sjames · · Score: 1

      It would have been smarter for the worm to verify a signature on the code it downloads (a la Xbox) so it couldn't be disabled in this way. Trusting a particular Geocities URL is just silly.

      That issue will be addressed as soon as palladium hardware becomes common and some MS app manages to run the worm's installer inside a text buffer somewhere. Naturally, job 1 will be to declare anti-virus software untrusted.

    24. Re:Huh? by Anonymous Coward · · Score: 0

      Actually, that's a neat idea. We'll probably see it implemented in Fizzer 2 in a couple of weeks.

    25. Re:Huh? by Anonymous Coward · · Score: 4, Insightful

      This is using an existing virus to hijack your computer. That is a dangerous precedent. In this case, it is a good thing. But what happens when, say zonelabs decides that it should let the police crack your computer in their search for child pornography? Or when AOL decides that it is their best interests to install a backdoor in winamp that phones home when suspected pirate music is played? Or when Microsoft determines your Windows OS is in violation of the latest version of your Hotmail licensing agreement? All in the name of goodness and decency, y'know?

      Realistically, I'm not opposed to the act. It's a good solution to a real problem. But it is more important to maintain civil order. If there was a government approval along the lines of a search warrant to do this, then I say okay. Not that I trust the government, or think it is competent in these matters, but this is what the government should do. It's got its hand in a lot of pies where it doesn't belong, but its real purpose is civil order and public defense.

    26. Re:Huh? by Anonymous Coward · · Score: 0

      or put the worm to their own uses. This is why it shouldn't have been done.

    27. Re:Huh? by Ed+Avis · · Score: 1

      If it used IRC, which channel would it go to and how would it know which messages were code? Surely a particular IRC channel or particular IRC server can be taken down just like a web page. And who is going to put the code there in the first place?

      Freenet makes more sense perhaps, provided that most Freenet users will be too lazy to reconfigure their software to stop distributing copies of the worm's code. (Perhaps the Freenet software deliberately lacks any option to be selective about what resources are forwarded to others - anyone knowledgeable about this stuff care to explain?)

      --
      -- Ed Avis ed@membled.com
    28. Re:Huh? by apdt · · Score: 4, Funny


      Hmmm... yes, it seems as though this is opening a can of worms...


      Sorry, I couldn't resist it.

      --
      I lay awake last night wondering where the sun had gone, then it dawned on me.
    29. Re:Huh? by mbogosian · · Score: 1

      Viruses should put EULA's on them!

      By running or executing Fizzer software (the Software), the owner of the machine used to run or execute the Software (the User) implicitly agrees to these terms, which include, but are not limited to....

    30. Re:Huh? by Nightpaw · · Score: 1, Insightful

      How do you feel about fire trucks running red lights?

    31. Re:Huh? by Anonymous Coward · · Score: 0

      What ruins perfectly good points like this is that there actually are people out there who think that running red lights is *always* wrong, and at the same time, fire trucks should move as fast as possible.

      Some people have no sense of internal consistency, and can be referred to as 'morons'. It's better not to talk to them.

    32. Re:Huh? by evilviper · · Score: 1
      Even better, it should not go to a hardcoded URL.

      Well, I think a LIST of URLs would be good... Maybe an e-mail address that automatically returns the code attached. Of course, you could just have the URL be on a server in China, and not likely law enforcement will care, unless you happen to be paying them even larger bribes...

      The worm should download its code via. P2P

      Great! Worm bloat! Now instead of 100K, it'll be several MB to accommodate the P2P client, and PGP software.

      It'll eat-up bandwidth like mad searching the P2P network for updates, which might make it very easy to detect.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    33. Re:Huh? by jonfelder · · Score: 1

      Then in the year 2021 the fizzer worm becomes self aware. When the humans attempt to shutdown freenet in order to stop it, fizzer launches the US nuclear arsenal at the other nuclear powers. Their automated systems instantly retaliate, effectively annihilating almost all human life.

      I expect to see naked androids with a human exoskeleton any day now.

    34. Re:Huh? by jshare · · Score: 1
      Good lord man, your /. ID is lower than mine, and you still don't know what Freenet does?

      Yes, Freenet "deliberately lacks any option to be selective about what resources are forwarded to others". Indeed, not only can't you control which resources, but you can't even tell which resources.

    35. Re:Huh? by Anonymous Coward · · Score: 0

      >Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

      This reminds me of the trick that Motorola played on Xerox (see http://www.jargon.8hz.com/jargon_44.html#SEC51).

      Now excuse me while I run off to patent "Method of Virus Removal".

      --- Brian

    36. Re:Huh? by Erasmus+Darwin · · Score: 0, Troll
      "How do you feel about fire trucks running red lights?"

      That's a piss-poor analogy. A fire truck is being operated by people who have been trained and certified to use it in a manner contrary to regular traffic laws.

    37. Re:Huh? by Keebler71 · · Score: 3, Interesting

      Aren't they violating the DMCA in doing this? After all, they reverse engineered the virus' code and are interfering with its copy mechanism... do I need to say "copy protection"? :)

      --
      "It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
    38. Re:Huh? by Nogami_Saeko · · Score: 4, Interesting

      And it could be argued that people who let viruses like this onto their machines have no training, are incompetent, and need to have experts solve their problems for them.

      Let's try another analogy then:

      Let's say that you are just an average person going in to get a flu-shot at the doctor.

      The flu vaccine wasn't manufactured correctly and has a small amount of contamination that causes people to become slightly feverish. It's not fatal, but it's uncomfortable.

      The health authorities, rather than trying to re-vaccinate everyone affected, put the cure (100% safe and effective) into the public water system to help everyone as quickly as possible, prevent the spread of the problem, etc.

      How do you feel?

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
    39. Re:Huh? by dhaines · · Score: 2, Funny

      How do you feel?
      Glad that I drink bottled water.

    40. Re:Huh? by Anonymous Coward · · Score: 0

      If a VIRUS uses a digital signature, then
      it is time for the internet community to
      devote all its resources to reversing the
      key.

    41. Re:Huh? by Ed+Avis · · Score: 1

      Hmm. But is this part of the Freenet client, or part of the protocol? If I felt like being antisocial, could I grab the Freenet client source and alter it so that only certain data was allowed to pass through my node (perhaps leeching as much as possible for myself but not giving anything back)? Or is the data always encrypted end-to-end somehow, so that the nodes in the middle are unaware of what they send and couldn't stop propagating the worm's code even if they wanted to? (Short of disconnecting from Freenet altogether.)

      --
      -- Ed Avis ed@membled.com
    42. Re:Huh? by gurumeditationerror · · Score: 1

      Humans have endoskeletons (skeleton on the inside). If we had exoskeletons we'd have our bones on the outside with the muscles working inside, like a lobster.

    43. Re:Huh? by Chump1422 · · Score: 3, Insightful

      I am a law student, and that post is missing some important facts. The police would have to have a warrant to search your HD, no matter if Zonelabs let them or not. As for the other two scenarios, they can happen right now. It's a matter of contract law and whether or not the EULA allows it and will stand up in court.

      Be realistic. They're not hijacking your computer. They're removing a virus.

      Don't rely on this advice, though. I am just a student.

    44. Re:Huh? by hayden · · Score: 1
      But what happens when, say zonelabs decides that it should let the police crack your computer in their search for child pornography?
      In which case you deserve to get caught. Having "Joe Sixpack" being considered the equivalent of "barely able to function in the modern society" is bad enough. If you are stupid enough to commit a crime while being that stupid then you should be put in jail for polluting the gene pool.

      Unlawfully searching computers for child pornography is one thing. Getting infected with the windows virus of the week is another.

      --
      Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
    45. Re:Huh? by Moonshadow · · Score: 1

      No, they didn't. They loaded the worm into memory, then ran WinHex to discover the strings that the binary loaded. We -tried- cracking the binary, but it's PE compressed, which makes it a little harder to get in to. No reverse engineering took place.

    46. Re:Huh? by Anonymous Coward · · Score: 0

      Your analogy is flawed because every person depends on and must use the public water system. In this case only the infected would be affected.

    47. Re:Huh? by Anonymous Coward · · Score: 0

      Um, major false analogy. People who drink public water aren't necessarily infected.

      This is basically the same as quarantining a town with SARS, and (assuming we had a perfect cure), giving everyone the vaccine. But in this case, we know damn well that everyone who is in the town (ie, accessing the website) is infected.

      This is not evil, it's the obvious solution to a ridiculous problem. If the virus wasn't centrally controlled, perhaps I could understand the issue, but it's not. If it was decentralized, though, it could be potentially unexploitable (using RSA keys, etc to hide version information).

    48. Re:Huh? by jeremythehunt · · Score: 1
      There's a big difference between companies putting backdoors in their products and a virus opening one up (you expect a company to treat you with a certain amount of respect being their customer and the virus you expect to screw you). Could this be used for harm? Well yeah that's what the virus coder was already intending. I don't think this is a huge issue since the infected machines are retrieving this file and it is only cleaning the virus, nothing else (or so I assume).

      If they were actively probing for machines or collecting any data then they should be shot. Otherwise this is a good way to handle it. For those of us that run web servers you'll notice that Code Red is still alive and well. Something like this would have been great for cleaning that up.

    49. Re:Huh? by billatq · · Score: 1

      No, they didn't. They loaded the worm into memory, then ran WinHex to discover the strings that the binary loaded. We -tried- cracking the binary, but it's PE compressed, which makes it a little harder to get in to. No reverse engineering took place.

      So.. by the same token, does that mean that if you have say a DVD--for example--and it has copy protection on it, and you say..oh, yank the playing video stream from your memory that's already decrypted, then you aren't violating the DMCA and fair use prevails?

    50. Re:Huh? by Erasmus+Darwin · · Score: 1
      "The health authorities, rather than trying to re-vaccinate everyone affected, put the cure (100% safe and effective) into the public water system to help everyone as quickly as possible, prevent the spread of the problem, etc."

      You're using the same flawed analogy as the last person. In the Fizzer worm case, it's like some random person with medical training dumping the cure in the water. That's a much more questionable situation, and it'll be worse if there are unintended side effects caused by the cure.

    51. Re:Huh? by budgenator · · Score: 1
      McAfee says...

      If a file called UNINSTALL.PKY exists in %WINDIR%, the worm does not infect the machine. The content of this file does not matter.

      also the worm listens on

      IRC Bot
      The worm pings many different IRC servers. When it receives a reply, it connects to a channel on that server using many different internal usernames, and waits for further instructions from an attacker. The list of IRC servers includes:


      AOL Bot
      The worm connects to an AIM site to register a new, randomly named, user (in a similar fashion to the AIM-Canbot trojan). It then connects to an AIM chat server on port 5190, joins a chat session, and listens for further instructions.

      Self-updating
      The worm connects to a geocities user page to download updates. However, at the time of this writing that user site did not exist. the cleaner is there

      Keylogger
      The worm captures typed keystrokes and stores them in an encrypted file named iservc.klg within the Windows directory.

      KaZaa worm
      The worm retrieves the default download directory for KaZaa from the registry and copies itself to that location using random filenames.

      HTTP server
      The worm runs an HTTP server on port 81. The webserver acts as a command-console, displaying information about the infected system (System time, connection information, OS version, IRC and AIM information). It also allows an attacker to kick-off certain functions, such as a Denial of Service attack, mail propagation, AOL/IRC bot commands, and anti-virus software termination.

      Remote access server
      The worm creates a remote access server by listening on ports 2018, 2019, 2020, and 2021.

      I remember during the codered plague, I found a server log entry for an attacker calling itself codeBlue which supposedly attacks thru the same vulnerability as codeRed, but removed codeRed and repaired the vulnerability. It was an IRIX server so I have no idea whether that's what it actually did or not
      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
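
Added example (not part of the original thread and not McAfee's or the Fizzer Task Force's code): a host triage check built only from the indicators quoted in the comment above, namely the listeners on ports 81 and 2018-2021, the AIM session on port 5190, and the files iservc.klg and uninstall.pky in the Windows directory. The netstat text and file list are constructed sample input, and the function names and verdict strings are assumptions made for this illustration.

```python
"""Triage a Windows host for the Fizzer indicators quoted from McAfee."""
import re
from pathlib import PureWindowsPath

# Indicators as quoted on this page; a listener on port 81 alone can be
# an unrelated service, so findings are reported individually.
LISTEN_PORTS = {
    81: "HTTP command console",
    2018: "remote access server",
    2019: "remote access server",
    2020: "remote access server",
    2021: "remote access server",
}
AIM_PORT = 5190               # AIM chat server port used by the bot
KEYLOG_FILE = "iservc.klg"    # encrypted keystroke log
MARKER_FILE = "uninstall.pky" # created by the cleaner; worm skips hosts that have it

NETSTAT_ROW = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)\s*$"
)


def _port(endpoint):
    """'0.0.0.0:81' or '[::]:81' -> 81."""
    return int(endpoint.rsplit(":", 1)[1])


def parse_netstat(text):
    """Yield (local_port, remote_port, state) for each TCP row of `netstat -an`."""
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue  # headers, UDP rows, blank lines
        try:
            yield _port(m["local"]), _port(m["remote"]), m["state"]
        except (IndexError, ValueError):
            continue  # malformed endpoint


def triage(netstat_text, windir_files):
    """Return a verdict plus the individual findings behind it."""
    names = {PureWindowsPath(f).name.lower() for f in windir_files}
    findings = []
    for lport, rport, state in parse_netstat(netstat_text):
        if state == "LISTENING" and lport in LISTEN_PORTS:
            findings.append(("listener", lport, LISTEN_PORTS[lport]))
        elif state == "ESTABLISHED" and rport == AIM_PORT:
            # Weak on its own: a legitimate AIM client uses the same port.
            findings.append(("outbound", rport, "AIM chat session"))
    if KEYLOG_FILE in names:
        findings.append(("file", KEYLOG_FILE, "keystroke log"))

    marker = MARKER_FILE in names
    strong = any(kind in ("listener", "file") for kind, _, _ in findings)
    if strong and marker:
        verdict = "marker present but artefacts remain: verify cleanup"
    elif strong:
        verdict = "likely infected"
    elif marker:
        verdict = "marker only: cleaner ran or host was inoculated"
    else:
        verdict = "no Fizzer indicators"
    return {"verdict": verdict, "marker_present": marker, "findings": findings}


# Constructed sample input (documentation address ranges, not real hosts).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2018           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2019           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1042        198.51.100.7:5190      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
SAMPLE_FILES = [r"C:\WINDOWS\notepad.exe", r"C:\WINDOWS\ISERVC.KLG"]

if __name__ == "__main__":
    report = triage(SAMPLE_NETSTAT, SAMPLE_FILES)
    print(report["verdict"])
    for finding in report["findings"]:
        print("  ", finding)
```

A host where uninstall.pky exists but listeners or the keystroke log are still present is reported separately, since the marker by itself says nothing about what the worm captured before it was removed.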
    52. Re:Huh? by Moonshadow · · Score: 1
      So.. by the same token, does that mean that if you have say a DVD--for example--and it has copy protection on it, and you say..oh, yank the playing video stream from your memory that's already decrypted, then you aren't violating the DMCA and fair use prevails?

      Different arena. This isn't about circumvention of a copy-protection mechanism.

    53. Re:Huh? by steptoe6125 · · Score: 1

      Your analogy is flawed. Everybody has to drink the water, not just the people infected.

      In the fizzer case only computers already infected by fizzer are going to download the 'fizzer-fixing' code.

    54. Re:Huh? by Xoder · · Score: 1

      Except that the Fizzer worm was going to use that website to update itself regardless of what "the good guys" did. This is simply an update which negates the worm.
      Yes, there are some issues about Geocities just giving out control over one of their members' accounts. Of course, he violated Geocities' good faith (and probably their TOS), and thus had the option of revoking his account. If it makes you feel any better, that's really what they did, revoked his account, and gave the "good guys" one with the identical URL.

      --
      The previous sig has been removed due to /. protecting your best interests
    55. Re:Huh? by f0rt0r · · Score: 1

      You mean IIS web servers, I don't know that any other web servers were infected. Apache definitely wasn't.

      --
      I can't afford a sig!
    56. Re:Huh? by Anonymous Coward · · Score: 0

      Oh, right, and even if everyone was infected you'd still want them dumping things into your water?

      Maybe I should buy myself one of those brita filter things.

    57. Re:Huh? by Anonymous Coward · · Score: 0

      Why not?

      If the fizzer creator encrypted (or whatever) the worm with the specific intention of preventing access to the code (or whatever ... I'm not a programmer) would it be illegal then?

    58. Re:Huh? by Anonymous Coward · · Score: 0

      MMmmmmm Human-Sized Lobster.

      *Drool*

      </Homer Simpson>

    59. Re:Huh? by Night0wl · · Score: 1

      I have to agree with you, this is horrible running code on my machines.

      How dare they uninstall my Fizzer! ...

      I would've gone further and created an autoinstalling Free virus checker. If you're going to go for it, might as well go all out.

      --
      Computational Madness in a round package.
    60. Re:Huh? by MathewR · · Score: 1

      It's part of the protocol. All data is end to end encrypted. Furthermore, if the worm was set up to use SSKs (signed subspace keys), it would be near impossible to forge them. If we wanted to build a system to block the keys from being retrieved, we would be inviting others to use that system on blocking other undesirable content. It is not in the freenet project's interest to do such a thing.

    61. Re:Huh? by Anonymous Coward · · Score: 0

      That would be outrageous! Nothing is 100% safe. I don't think that is a very good comparison to what is actually going on with Fizzer.

  2. wtf? by User+956 · · Score: 1, Interesting

    Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:wtf? by SComps · · Score: 5, Insightful

      Being that these people are running code on their machine that they have no clue they're actually running.. hammering the piss out of irc networks all over the world, wasting bandwidth, creating havoc and otherwise presenting their computers to whomever wrote this cluster as a gift?

      Yeah.. what adverse effects? Can they be any worse than what's already there? Seems to me if you don't have the worm stop worrying about the effects. If you do have the worm.. get rid of it on your own.

      The rest of us (the IRC Community) have to deal with the threats as they come down the pike.

    2. Re:wtf? by Loosewire · · Score: 1

      I wouldn't have said so. Most people won't know the worm is running and so will not know it has been removed. On the other hand someone who was running the worm to test (Av software for example) would know it auto updated itself and accept whatever updates it got from there

      --
      Slashdot - The one stop shop for procrastination
    3. Re:wtf? by BigBir3d · · Score: 2, Insightful

      2 wrongs != right

      It is up to the user to fix this stuff, not some IRC dork that wants to prove his/her mad skillz to the world.

    4. Re:wtf? by insomnike · · Score: 0, Offtopic

      Hey Scott!

      Remember me? That's assuming you're the SComps I'm thinking of.

      Aaron of t2.ph...

    5. Re:wtf? by thebigmacd · · Score: 1

      They didn't hack the site okay? Geocities gave them control.

    6. Re:wtf? by kiwimate · · Score: 2, Interesting

      Being that these people are running code on their machine that they have no clue they're actually running...

      Exactly. As opposed to Windows Update, which (coincidentally) was vilified just yesterday on these hallowed pages, and will prompt you to allow the update unless you've explicitly turned it off.

      Oh wait...

    7. Re:wtf? by Kingsly · · Score: 4, Informative

      Yeah considering the worm never really got anything from that site in the first place, because the geocities account never existed.

      From http://www.livejournal.com/users/kalyan/84241.html

      Pretty Interesting because this site does not exist and the username was never created with Yahoo!.
    8. Re:wtf? by Urkki · · Score: 1

      Common sense says, that the user (or a software on his computer) does everything. Having the file up in the net isn't illegal, especially if it is linked from a web page explaining what it is (that the worm code chooses to just download it, well, that's the problem of the worm code, isn't it). However, common sense doesn't have anything to do with suing somebody to get some cash off him, even if he actually did a favor for you...

    9. Re:wtf? by calethix · · Score: 2, Interesting

      " Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?"

      I don't know why this is modded as flamebait. I think it's a perfectly valid question. Especially with all the people on slashdot that complain about Windows Update breaking more things than it fixes.

      I agree that this now self worm is a good thing and I don't really know what exactly it does but what if there's some infected computer that the fix has an adverse effect on? Are they going to be liable for it?

    10. Re:wtf? by A55M0NKEY · · Score: 0, Troll

      I haven't been able to use IRC for a long time now. I wish they'd put an executable on that web site that would delete the fizzer-user's hard drive so they learn a lesson about not letting themselves be host to a host of viruses.

      --

      Eat at Joe's.

    11. Re:wtf? by Pxtl · · Score: 1

      Most annoyingly, will go ahead and make a specific update even if you've asked that update not to happen. I've a nice SBLive - the Microsoft system has terrible support for its special features, and allowing microsoft to install the drivers overrides the SBLive driver system.

      I turned down the download when it asked. A month later the next update came and it was installed. Very frustrating.

    12. Re:wtf? by Smallpond · · Score: 4, Funny


      Fizzer uninstaller:

      format c:

      I don't see any adverse effects.

    13. Re:wtf? by theLOUDroom · · Score: 4, Insightful

      Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?

      Nope. This is perfectly legal. They aren't breaking any security on the infected machines, and they aren't contacting them.

      All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

      Generally, to have illegally used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.

      Since the remote computer is initiating everything, and all they're doing is answering requests, it would be pretty hard to charge them with unauthorized use of your machine.

      Think of it this way:

      1. The remote computer goes: "What do I do?"
      2. The server goes: "Well, since you're asking, I think you should do this."

      There's no stolen password, and there's no exploit needed.

      Here's another example:

      I put a box on the internet, let's call it pk12.foobar.com. This box is a Linux box which accepts any username/password combo as root, and no notices that it is for private use only. Under NYS law (I'm not sure about federal) you can come along and use any services my box provides, including telnet, http, ftp, etc.

      IMO, if the fix trashes your data, tough shit. Are owners of DDOS zombies held responsible for the damage their computers are doing?

      Morally, this is like parking in front of a hydrant and then bitching because they smashed your windows to run the hose through your car or towed it. It doesn't matter if you knew you were parked in front of the hydrant. Your car was causing a danger and it had to be dealt with. If you don't want that happening to your car, you should make sure you don't park in front of hydrants. It's your car. You are responsible for it.

      --
      Life is too short to proofread.
    14. Re:wtf? by JohnFluxx · · Score: 2, Insightful

      Of course 2 wrongs can make a right.

      Imagine you were in the bizarre situation where you had to shoot a terrorist to stop him from blowing up the entire world, killing everyone.

      It is wrong to kill - but in this situation surely it would be right to.

    15. Re:wtf? by WPIDalamar · · Score: 3, Insightful

      That's not 2 wrongs. It's 1 wrong that avoids another.

      2 Wrongs would be if the terrorist blew up the world, so then you kill him.

      I guess 1 wrong can make a right!

    16. Re:wtf? by Anonymous Coward · · Score: 1, Interesting

      It would be nice if the worm removal code emitted an obvious message to the system owner to let them know they have at least one problem.

    17. Re:wtf? by JohnFluxx · · Score: 1

      That would make this case not two wrongs either. They make it uninstall (1 wrong) to stop the DDOS's (avoid another).

    18. Re:wtf? by Dr_Willie_Feelgood · · Score: 2, Insightful
      People who didn't allow their computers to become 0wnz0red in the first place won't have to worry about it; and frankly, people who did deserve any adverse effects that may occur

      Wrong answer! Try again!

      By your theory, anyone who forgets to lock the door to their house deserves to get robbed.

    19. Re:wtf? by Anonymous Coward · · Score: 0

      Does it have the adverse effect of leaving a system prone to reinfection by systems which have not updated themselves?

    20. Re:wtf? by PhxBlue · · Score: 1

      And this makes it a wrong answer how, exactly? Just because they don't want to take responsibility for their own (in)action, they shouldn't have to? Nice try, but I don't buy it.

      --
      !#@%*)anks for hanging up the phone, dear.
    21. Re:wtf? by gl4ss · · Score: 1

      **Are owners of DDOS zombies held responsible for the damage their computers are doing?**

      they can be, under most contracts with isp's you are responsible for the traffic even if you failed to know what there was.

      anyways, what you are implying is that it's not illegal/morally_wrong to be in control of a webpage that contains code that gets executed by some worm, and it's not illegal/morally_wrong to use it for distributing code that gets run on machines. that's like it would be right for me to put up a webpage that contained malicious code that would make ie clients send me their password caches.. and then get 'somebody' to release a mail worm that would get people to visit it without their decision.

      it's like microsoft having automated update without notifying the user at all(and not mentioning it anywhere, not even as a clause in the eula).

      --
      world was created 5 seconds before this post as it is.
    22. Re:wtf? by Anonymous Coward · · Score: 0

      Where is the "IANAL"? You are not only obviously not a lawyer, you stand no chance of ever becoming one. What you're saying is complete and utter bullshit. This is not how the law works. You cannot piggy-back on someone else's crime. If someone breaks a door open, and you KNOW that the door is open because a criminal broke it open, then you ARE trespassing if you enter the door. If someone enters a needle into someone else's body without his permission he is committing a crime. If you put poison on that needle, YOU are going to jail, too. Likewise, if these guys installed a hard-disk erasing program, KNOWING that infected computers would download and run it without the user even being aware of it, it would be a crime. As I've said, you CANNOT piggy-back on someone else's crime, not if you know about the crime. That they are not installing a hard-disk eraser would only reduce the sentence, but does not change the fact that what they're doing is illegal. Someone might want to keep the worm for whatever reason (e.g. as proof of the infection in a lawsuit) or the uninstaller may be buggy. The article says the uninstaller creates a file. That file might overwrite something important or the creation of the file might trigger something. Good intention does not turn an illegal act into something legal.

    23. Re:wtf? by Xformer · · Score: 2, Informative
      --
      All I want is a kind word, a warm bed and unlimited power.
    24. Re:wtf? by AceM2 · · Score: 1

      yeah yeah.. Try getting the insurance company to pay you when you forget to lock your car and have your stereo stolen..

    25. Re:wtf? by theLOUDroom · · Score: 3, Insightful

      First off, can we get some whitespace? Please?

      Good intention does not turn an illegal act into something legal.

      Actually there are plenty of laws which consider intent. Here are the NYS computer crime laws for example. Go ahead, Control-F, type "intent".

      --
      Life is too short to proofread.
    26. Re:wtf? by dnoyeb · · Score: 1

      They accessed a webpage and altered its content. That page does not belong to them.

      Unless Geocities had something in the *EULA* that allowed for third parties to take over web pages under special circumstances, that would constitute the 2nd wrong.

    27. Re:wtf? by Fulcrum+of+Evil · · Score: 2, Insightful

      It is wrong to kill

      Obviously not. If someone is trying to kill me, I am well within my rights to kill him first. It is only murder that is wrong.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    28. Re:wtf? by Anonymous Coward · · Score: 0

      [something that happened to someone else] because they did [something i wouldn't do] they must deserve it [because they arent like me]

    29. Re:wtf? by Anonymous Coward · · Score: 0

      It's more like saying someone who forgot to lock their door deserves to have a friendly neighbour come over and lock it for you.

    30. Re:wtf? by Natty+P · · Score: 0, Troll

      If you apply the actual circumstances to your example this would be like the thief that has already broken into your house calling the police to arrest him.

    31. Re:wtf? by BigBir3d · · Score: 2, Insightful

      I was referring to unrequested code being run on computers on my network. Fizzer_bad and Fizzer_good should not be there. And there is no verification that Fizzer_good is actually that. Sounds like the perfect way to launch spyware with everyone saying "thank you, may I have another."

    32. Re:wtf? by Proaxiom · · Score: 3, Interesting
      All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

      RIAA's counterpoint:
      All we're doing is putting a virus-infected MP3 file on our own machines and running KaZaA. It's not our fault that people download it and run it on exploitable software.

      Is there a difference here?

      Truthfully, maybe not. If somebody had hacked the geocities page in question and caused fizzer to completely toast the OS it's running on, that would certainly be illegal (even if the person was not the original creator of fizzer). The fact that you are doing something good does not necessarily factor into the law.

      However, the key point here is this: nobody is about to go out and sue the Fizzer Task Force for doing this. We are all pretty happy about it, and most of us think it's a pretty clever solution to a real problem.

    33. Re:wtf? by ceejayoz · · Score: 3, Insightful

      That page belongs to Geocities, as the worm author had violated the TOS by performing illegal activities with their account. Geocities thus can give out the old account to whoever they want.

    34. Re:wtf? by clarkcox3 · · Score: 2, Informative
      Likewise, if these guys installed a hard-disk erasing program, KNOWING that infected computers would download and run it without the user even being aware of it, it would be a crime

      They didn't install anything on anyone's machine. They put something on a website. End of story.

      Good intention does not turn an illegal act into something legal.

      Yes it does, if I kill someone because I dislike them, that's murder. If I kill them because they were trying to kill me, that's self-defence. The only difference here is my intent.

      --
      There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
    35. Re:wtf? by enjo13 · · Score: 2, Informative

      More interesting, that guy is simply wrong. He lists the page as being:

      http://www.geocities.com/spkyupdate/upd1.jpg

      when in FACT the page is:

      http://www.geocities.com/updatesparky/sp1.7ls

      Of course, the detective work I had to do to locate this information consisted of READING THE COMMENTS from the actual page you linked to.

      --
      Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!
    36. Re:wtf? by Mondoz · · Score: 1
      What do we actually know about this 'Fizzer Task Force' anyway?

      Whose authority are they acting on? As this virus can affect computers across the globe, is an international team working on this?

      Did GeoCities work with the international community before handing the account over to this task force?

      --
      /sig
    37. Re:wtf? by Doug+Neal · · Score: 3, Funny

      In the words of genius cartoonist Gary Larson,

      "Yes, yes, I know that, Sydney ... Everybody knows that! ... But look: Four wrongs squared, minus two wrongs to the fourth power, divided by this formula, do make a right."

    38. Re:wtf? by flappinbooger · · Score: 1

      The virus would have updated to the site anyway. Which would you rather have? A patched virus that does more harm or a patched virus that removes itself? I fail to see the problem here.

      --
      Flappinbooger isn't my real name
    39. Re:wtf? by Anonymous Coward · · Score: 0

      Your intention was the same. The circumstances were different.

    40. Re:wtf? by PhxBlue · · Score: 1

      Actually, I did make the mistake of leaving my back door unlocked once. And yes, my house was robbed. It was a very expensive lesson, but one that I learned well.

      Am I saying the people who actually commit the act are not responsible? No--I'm saying that gross negligence does make you partly responsible if something like that happens. This even has a legal precedent: look at the number of lawsuits that companies either settle or lose because they know they were grossly negligent.

      --
      !#@%*)anks for hanging up the phone, dear.
    41. Re:wtf? by Anonymous Coward · · Score: 0

      format c: /s ...it boots faster now ;)

    42. Re:wtf? by ukyoCE · · Score: 1

      As far as I learned in my practical law class, *all* criminal prosecutions involve both motive and action. You can't try them without proving that they both did the action, AND that they meant to do it. This is why drunk drivers aren't typically tried with murder when they run someone over.

      However, IANAL, and don't know how negligence fits in all this, as I believe negligence can be tried in criminal court. Regardless, negligence CAN be tried in civil court.

    43. Re:wtf? by cyb97 · · Score: 1

      it sure speeds the time that pesky booting win2000 thing uses to boot ;-)

    44. Re:wtf? by Anonymous Coward · · Score: 0

      Yes, there is a white woman, a black man, two asians, and a hispanic, on the fizzer task force. We also broke one of the asian's legs so there is also a handicap on the team.

      And I am very sorry you don't have the time to read the article before trolling.

    45. Re:wtf? by wheany · · Score: 1

      No, wait! Analogies are fun, and I can make this one even sillier:

      It's like a burglar that is hiding in a closet and mooning people through a window. Every now and then he goes out and gets a mail package that contains equipment and further instructions.

      The new "patch" is like a booby-trapped pistol that is rigged to blow on the wielder's face, and that hopefully only has one bullet in it.

    46. Re:wtf? by BuckaBooBob · · Score: 1

      Well.. There is only 1 wrong being done here.... That's the worm's unauthorized infection. The infected machine is now cleaning itself.. While I do like to see this particular solution... I would fear this becoming a common practice in killing worms.. It would be too easy to spread harmful programs to your on-line privacy while doing so... I would rather see this type of activity done by a centralized body that has to answer for their actions... But who can you really trust to run code on your computer... the phrase "Trust No-one" comes to mind :)

      --
      Who needs WiFi when we can have Packet Over Sheep! http://datacomm.org/PoS-InternetDraft.txt
    47. Re:wtf? by cjsnell · · Score: 1


      Actually, as of now, neither of those URLs work. The "task force" removed the de-installer pending further testing.

      Chris

    48. Re:wtf? by martyros · · Score: 1
      Since the remote computer is initiating everything, and all they're doing is answering requests, it would be pretty hard to charge them with unauthorized use of your machine.

      Think of it this way:

      1. The remote computer goes: "What do I do?"
      2. The server goes: "Well, since you're asking, I think you should do this."

      OK then, what about all those exploits in web pages -- URLs, malformed html, etc? If you put a poison html page that you *know* is going to cause a certain version of IE or Mozilla viewing it to do something the user never intended, do you really think you can hide behind the "All I was doing was answering requests!" defense?

      Or what if you managed to get Microsoft's private key for WindowsUpdate, and intercepted people's requests for updates, giving them "updates" that allow you to 0wnz0r their machines. Hey, you didn't install it, you just answered requests! Yeah, see if a jury buys that one.

      This is a clever technical solution to the problem; however, it's very dangerous -- they haven't tested this update on a wide variety of systems, and it may cause a lot of damage and data loss. It's not their place to make that kind of a decision.

      A legal solution would be to look what IP is connecting to this URL, put it on a temporary blackout list, and contact the ISP or company responsible for that IP and advise them to take action.

      --

      TCP: Why the Internet is full of SYN.
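
The approach suggested in the comment above (record which addresses request the update URL, then notify the responsible ISP), sketched as an added example; it is not part of the thread and not a Fizzer Task Force tool. It assumes a Common Log Format access log, and the update path, log lines and addresses are all constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical placeholder for the path the worm polls for updates.
UPDATE_PATH = "/example-account/update.bin"

# Constructed sample log (documentation-range addresses only).
SAMPLE_LOG = """\
192.0.2.10 - - [20/May/2003:10:00:01 +0000] "GET /example-account/update.bin HTTP/1.0" 200 4096
198.51.100.7 - - [20/May/2003:10:00:05 +0000] "GET /index.html HTTP/1.0" 200 512
192.0.2.10 - - [20/May/2003:16:00:01 +0000] "GET /example-account/update.bin HTTP/1.0" 200 4096
203.0.113.44 - - [20/May/2003:13:30:00 +0200] "GET /example-account/update.bin?x=1 HTTP/1.1" 200 4096
198.51.100.7 - - [20/May/2003:12:00:00 +0000] "-" 408 0
not a log line
"""


def clients_requesting(log_text, path):
    """Return {ip: {"count", "first", "last"}} for requests to `path`.

    Timestamps are normalised to UTC so a report sent to an ISP abuse
    desk can be matched against their own DHCP or NAT records.
    """
    hits = {}
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # malformed or empty request line
        # Ignore any query string when comparing the requested path.
        if m["path"].split("?", 1)[0] != path:
            continue
        when = datetime.strptime(m["ts"], TS_FORMAT).astimezone(timezone.utc)
        rec = hits.setdefault(m["ip"], {"count": 0, "first": when, "last": when})
        rec["count"] += 1
        rec["first"] = min(rec["first"], when)
        rec["last"] = max(rec["last"], when)
    return hits


def notification_report(hits):
    """One tab-separated line per client, most frequent requester first."""
    rows = sorted(hits.items(), key=lambda kv: (-kv[1]["count"], kv[0]))
    return [
        f"{ip}\t{r['count']}\t{r['first'].isoformat()}\t{r['last'].isoformat()}"
        for ip, r in rows
    ]


if __name__ == "__main__":
    for row in notification_report(clients_requesting(SAMPLE_LOG, UPDATE_PATH)):
        print(row)
```
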

    49. Re:wtf? by Anonymous Coward · · Score: 0

      Just shut the fuck up, you whiner. If some stupid fucking Korean's registry becomes corrupt due to this fix, it's his problem. If the dumb bastard had even a shred of knowledge about security in the first place it wouldn't have happened. Better he loses his recipe for dogmeat pie than our IRC networks and prominent websites get DDoSed into oblivion.

    50. Re:wtf? by Mondoz · · Score: 1
      I'm very sorry you don't have the time to log in before flaming people.

      The 'article' you mention says nothing about what the Task Force is, nor its composition. The links above are to a mailing list signup page, and this:
      ---
      Just a quick note to say that we (we as in Fizzer Task Force/IRC Unity) now control the update page, and have posted a mirror of the http://www.debugoutput.com/fizzer.php site on the geocities website that fizzer uses to update itself.

      We have also posted a fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable. We're crossing our fingers that the bots are looking for an executable to update themselves..

      We'll keep you updated..

      Regards,

      --
      John McGarrigle
      IC5 Networks
      ----
      Not very informative, is it? Following several links, I was able to find this:
      Who is the Fizzer Task Force?
      The Fizzer Task Force is a large collection of individuals from over 80 IRC networks working together to try to hold back or destroy this worm.

      Oh. Okay. That explains it. They're some guys on IRC. That's great. They're using IRC to kill the worm. Does anyone know if any of them actually wrote the darn thing?

      "Hi, Geocities? Yeah, we're a bunch of guys using IRC, and we'd like to have access to one of your accounts, because we think it's got something to do with a worm. Can we just access it for a minute to try out a patch we think might work? Great. Thanks."

      --
      /sig
    51. Re:wtf? by 2short · · Score: 1

      Your computer requested it. Any more questions?

    52. Re:wtf? by theLOUDroom · · Score: 3, Insightful
      OK then, what about all those exploits in web pages -- URLs, malformed html, etc? If you put a poison html page that you *know* is going to cause a certain version of IE or Mozilla viewing it to do something the user never intended, do you really think you can hide behind the "All I was doing was answering requests!" defense? Or what if you managed to get Microsoft's private key for WindowsUpdate, and intercepted people's requests for updates, giving them "updates" that allow you to 0wnz0r their machines. Hey, you didn't install it, you just answered requests! Yeah, see if a jury buys that one.

      In your examples a deception, misrepresentation, or a deliberate circumvention of existing security mechanisms is being employed. None of these things are happening here.

      In the situation at hand neither of these things is happening. The worm is looking for an .exe at foo.com, and it's getting an .exe at foo.com. The people aren't tricking the computers into coming there or executing anything. These computers were already scheduled to visit the site and execute whatever's there before they ever got involved.

      they haven't tested this update on a wide variety of systems, and it may cause a lot of damage and data loss. It's not their place to make that kind of a decision.

      Cry me a river. These systems are already hacked. If you want your system to be reliable, you shouldn't have worms on it. It's not like this is the first day Fizzer hit or something.

      If you don't want your system to automatically download and execute code at a certain URL, why don't you make sure your system doesn't do so?

      I wouldn't be surprised if this method was totally legal.
      1. If they were SSHing into the infected machines, you could consider that unauthorized access, but that's not happening. All they're doing is placing a file on a geocities page. The HTTP client/server thing is pretty clear, besides they don't even control the server. Even if you try and argue that the geocities server is accessing the client, the task force isn't in control of it.
      2. If they were IP spoofing or redirecting traffic, that would probably be illegal, but that's not happening.
      3. If they were taking advantage of a buffer overflow, or some other exploit to accomplish this, that would be illegal. Not so.
      4. If there was an intent to do harm, then knowingly putting the program there to do so would probably be illegal. Not happening either.


      How about this: Why don't you try and tell me what law you think they're actually breaking?

      Normally, I would be against any sort of "hack them back" actions, but I just can't see how this is hacking them. If the infected machines were just checking the webpage for the word "monkey", would adding the word monkey to that page be illegal? I just can't see how it would be.
      --
      Life is too short to proofread.
    53. Re:wtf? by gurumeditationerror · · Score: 1

      Furthermore, what if the repair/remove update leaves its own backdoor?

    54. Re:wtf? by Anonymous Coward · · Score: 0

      Erm, the Geocities site wasn't ever registered by the author of fizzer. Someone just registered that site a few days ago.

    55. Re:wtf? by Anonymous Coward · · Score: 0

      Yep, they killed my 7.1 gametheater the other day, I normally like to keep drivers up to date, in this case I went backward with no sound at all.

    56. Re:wtf? by Moonshadow · · Score: 1

      The worm has an uninstall mechanism built in. When it sees a certain file, it uninstalls itself. All the updater did was drop that uninstall-trigger file into the proper directory. It's not an AV tool that is being downloaded and then run AGAINST Fizzer.

    57. Re:wtf? by dnoyeb · · Score: 1

      I don't have the TOS but I doubt that it says geocities can *use* the page. It probably stipulates that Geocities can shut it down at their discretion.

    58. Re:wtf? by Wolfrider · · Score: 1

      --I agree, this is one of the coolest hacks I have ever seen. They "root"ed the virus! :) BFG - talk about being hoist on your own petard!

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
    59. Re:wtf? by Anonymous Coward · · Score: 0

      You are confusing legality with morality.

    60. Re:wtf? by budgenator · · Score: 1

      how about a program on the site that executed an IE browser pointed to McAfee or Norton, which are trusted third parties, have removal tools available and have authoritative descriptions of what the virus does and instructions for its manual removal.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    61. Re:wtf? by budgenator · · Score: 1

      that's not what the real experts are saying,
      If a file called UNINSTALL.PKY exists in %WINDIR%, the worm does not infect the machine. The content of this file does not matter.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    62. Re:wtf? by budgenator · · Score: 1

      if the file wasn't linked to on a web page (I'm not sure if it was or wasn't, this is rhetorical) they could claim that the repair file was hidden due to the nature of the http server not listing the directory, and therefore the file was stolen.
      Claiming that the file was merely stored there pending public release after additional testing, they would mitigate a lot of potential liability, but IANAL

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    63. Re:wtf? by Anonymous Coward · · Score: 0

      You are confusing legality with morality.

      You are confusing your sense of morality with mine.

      I believe that it's perfectly moral to kill in self defense, or in defense of others.

      Morality is subjective.
      Legality is (for the most part) objective.

    64. Re:wtf? by Anonymous Coward · · Score: 0

      I wouldn't call this 'root'ing the worm....

      It's more like Social Engineering.

      Oh the Irony.

    65. Re:wtf? by Anonymous Coward · · Score: 0

      Someone might want to keep the worm for whatever reason (e.g. as proof of the infection in a lawsuit)

      One would hope that anyone knowingly and willingly infected with a virus would keep that computer off of the internet.

    66. Re:wtf? by Anonymous Coward · · Score: 0

      Uhhh yeah.... Koreans are stupid.

      That's why God gave them SARS.

      Troll.

    67. Re:wtf? by clarkcox3 · · Score: 1

      No, if I kill someone because I dislike them, my intention is to kill them, plain and simple. If I kill them in defence, I don't intend to kill them, I only intend to make them stop threatening whatever it is I'm defending.

      In the former, the intent is to kill, in the latter, the intent is to preserve my life; the killing is only a means to that end.

      --
      There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
    68. Re:wtf? by KewlPC · · Score: 1

      Because the user doesn't go to the site, the virus does. The virus downloads updates to itself from a set of specific URLs.

      Some smart people figured out at least one of these URLs, and asked GeoCities to give them control of the account for it.

      GeoCities complied, and the people put an uninstaller in place of the update that the virus would have downloaded on its own.

      The user of the infected system has nothing to do with it.

    69. Re:wtf? by KewlPC · · Score: 1

      Actually, that IS what that quote is saying.

      If the virus sees the file "uninstall.pky" in whatever your Windows directory is, it removes itself.

      The update simply puts a file called "uninstall.pky" in the Windows directory, causing the virus to uninstall itself.

  3. In other News... by lukew · · Score: 5, Funny

    The fizzer worm information minister soon after came forth to announce that the site had in fact not been taken over, and that the fizzer worm was more fertile than ever.

    1. Re:In other News... by Anonymous Coward · · Score: 0

      Not funny.

    2. Re:In other News... by Anonymous Coward · · Score: 0

      Okay, I've just got one thing to say:

      THIS IS GETTING VERY STALE. It's not funny any more. Quit it.

    3. Re:In other News... by Anonymous Coward · · Score: 0

      hmmm... The US were really hurt by this dude.

      Funny, as reported, the site did never exist. At least there were never EVIDENT that the site existed. But they took it over anyway.

    4. Re:In other News... by Anonymous Coward · · Score: 0

      The Fizzer information minister announced that the Task Force infedels has not taken over the website, and that all your soviet base are belong to us, and nathalie portmans are petrifying themselves in beowulf clusters as commander tacos pour hot grits down their pants. For Profit, take off all zigs!

  4. Full Text of Article by insomnike · · Score: 5, Informative

    Just a quick note to say that we (we as in Fizzer Task Force/IRC Unity)
    now control the update page, and have posted a mirror of the
    http://www.debugoutput.com/fizzer.php site on the geocities website that
    fizzer uses to update itself.

    We have also posted a fizzer cleaner to the actual URL that the bot
    downloads its updates from, as a self extracting and running executable.
    We're crossing our fingers that the bots are looking for an executable
    to update themselves..

    We'll keep you updated..

    Regards,

    --
    John McGarrigle
    IC5 Networks

    1. Re:Full Text of Article by Realistic_Dragon · · Score: 3, Informative

      How is automatically downloading an antivirus any more legal or ethical than automatically downloading a virus without user permission?

      I applaud the sentiment, but do the ends justify the means? I don't think Joe Slashdotter would be too happy with the idea of enforced antivirus affecting _his_ PC, for example if the government mandated it, because you can be sure that that precedent would soon be followed by anti-piracy, anti-crypto, anti-free-speech, anti-everything-else in short order.

      I suppose you could argue that 'we aren't inserting the data ourselves, we just made it available' - but that's little more than sophistry.

      --
      Beep beep.
    2. Re:Full Text of Article by Malfourmed · · Score: 2, Funny
      we now control the update page, and have posted a mirror on the geocities website that fizzer uses to update itself.
      All your pages are belong to us.
    3. Re:Full Text of Article by Urkki · · Score: 5, Insightful

      But this isn't "mandated" in any way. If you have a computer that automatically downloads and executes a file from a URL, then that's *your* problem, isn't it? Especially since there are ways to avoid such things from happening... (Starting with personal firewall that blocks IE from accessing the network, and use some other browser...)

    4. Re:Full Text of Article by Realistic_Dragon · · Score: 2, Interesting

      But this isn't "mandated" in any way. If you have a computer that automatically downloads and executes a file from a URL, then that's *your* problem, isn't it?

      Yes, but the people who put the file there cannot really claim that they didn't know that the file would be downloaded without the knowledge of computer users onto their machine. They could have just deleted the file.

      Especially since there are ways to avoid such things from happening... (Starting with personal firewall that blocks IE from accessing the network, and use some other browser...)

      Indeed, I have little pity for anyone who chooses to use IE.

      --
      Beep beep.
    5. Re:Full Text of Article by AndroidCat · · Score: 1
      We're crossing our fingers that the bots are looking for an executable to update themselves..

      Ummm, that doesn't exactly fill me with confidence. If they don't know enough about it to say if it will or not, should they be monkeying with it? They might have the best intentions, but one little slip-up...

      --
      One line blog. I hear that they're called Twitters now.
    6. Re:Full Text of Article by Urkki · · Score: 3, Insightful
      Yes, but the people who put the file there cannot really claim that they didn't know that the file would be downloaded without the knowledge of computer users onto their machine. They could have just deleted the file.

      I guess that would make them liable to pay damages if their removal code did some damage, and doing something like that is sticking their necks out to be chopped off. Which makes them either unselfish and brave, or stupid.

      Too bad there really isn't any "real-world" analogy for this case... I'm having hard time deciding if they did wrong or right. I guess I consider myself to be enough of an anarchist that I must support this kind of positive activism ;)

    7. Re:Full Text of Article by sjames · · Score: 2, Insightful

      How is automatically downloading an antivirus any more legal or ethical than automatically downloading a virus without user permission?

      Essentially, the same way the fire department has implied permission to save your house and pets should your house catch fire when you are unreachable.

      That is, the worm presents a danger to other people's property (servers) and it's a good bet that anyone having it would sincerely like it to be gone. Anyone who WANTS the worm to remain, AND hasn't isolated it from the rest of the net is necessarily deliberately spreading it, and so is guilty of a felony.

    8. Re:Full Text of Article by Realistic_Dragon · · Score: 1

      Essentially, the same way the fire department has implied permission to save your house and pets should your house catch fire when you are unreachable.

      But they don't have implied permission, they have explicit permission from an elected government (at least here). In this case the people doing this are akin to a band of vigilantes, something that civilised societies all over the world have rejected in the real world.

      --
      Beep beep.
    9. Re:Full Text of Article by sjames · · Score: 2, Insightful

      But they don't have implied permission, they have explicit permission from an elected government (at least here). In this case the people doing this are akin to a band of vigilantes, something that civilised societies all over the world have rejected in the real world.

      They are more like a volunteer fire department. In the absence of an appropriate civil authority, sometimes, citizens must get together to do the appropriate thing.

      Vigilantism is an act of ignoring an existent and appropriate civil authority in order to take independent action.

    10. Re:Full Text of Article by zogger · · Score: 2, Interesting

      No, "vigilantes" have not been rejected, not even close. I can hire a private security guard, and I can also band together with my neighbors for mutual self defense. If I see an obvious stranger breaking into my neighbor's house, I can go over and stop him, OR call the cops, OR both. And ESPECIALLY if "government" has proven itself over and over again to be ineffectual, like they once again have shown here. And what's the alternative, do you REALLY want a huge new bureaucracy of government cyber cops, beyond what we have now? I sure don't, I'd rather leave the net alone, let the victims be able to FIGHT BACK.

      It's just the word got hijacked by the pansy PC police. People are too scared for self defense any more, a lot of them anyway, they want nanny government to always be there for them. Government has its place, but it's not the entire total solution to crime.

      In this instance and other instances, government is 20 years behind when it comes to dealing with spam, viruses, etc. Ya, they passed a few laws, whoopedy zing, they haven't stopped any crime, they haven't stopped or even cleaned up one virus or worm that I am aware of, except off their own computers, at best, government usually just reacts to crime after the fact, and most of the time they don't even get that right.

      Frankly, I'd like to see open relays that are hijacked treated this way, maybe a screen pops up HEY, QUIT SENDING ME SPAM, MORON!

      then maybe people would start to take more proactive measures with their computers, or demand the OS and app vendors to do a better job.

      Maybe, don't know, but if someone hacks me, or infects my box, I claim the right to fight back, to use whatever self defense is at my disposal, same as when I am out and about on the street. These poor IRC people are doing all they can do, or should a worm writer have the right to just destroy their networks?

      I don't see any problem with this thing, none, good for them to do something actually effective. Same as spamming spammers, tough luck for those nimrods.

      I LIKE good old fashioned in your face instant karma justice, I LIKE to be "vigilant". If we had more of it, there would be less crime. People talk about the old "wild wild west", but if you research it, with only a few exceptions it had much less crime than what we have now, the only difference is, the crime fighting was mostly done by the victims. It's not perfect, but nothing else is either, is it?

    11. Re:Full Text of Article by skt · · Score: 1

      This is a good ethical question, I'm not sure whether or not it is right or wrong either. My personal opinion is that it is wrong because the party responsible for altering the webpage knows that the contents of that webpage will be read and executed by computers that do not belong to them. The owners of the infected machines are responsible for securing their machines, but their inability to do so does not give the average user the right to do anything about it. The problem could instead be reported to the user's ISP, who can take appropriate actions based on their TOS agreement with the individual whose computer is infected.

      However if I remember my ethics class correctly, there is also the argument that greatest good for the population is the best thing to do. In this case, shutting down these machines is the greater good vs. leaving them running, wasting bandwidth, sending email, or whatever this thing does. Having said that, I still can't get over the first point.. IMHO the problem is best handled by the individual's ISP, and everybody else should only report the problem instead of running arbitrary code on other people's machines (and yes, technically they are not actually running the code as others have pointed out.. but you know what I mean).

    12. Re:Full Text of Article by tgibbs · · Score: 1
      How is automatically downloading an antivirus any more legal or ethical than automatically downloading a virus without user permission?

      In the former case, a vandal has broken into a computer using a virus and instructed it to download damaging code from a location on the web. In the latter case, a public-spirited person has not broken into any computers, but legally removed damaging code from that location on the net, and replaced it with code to disable the virus, should some person's virus-infected computer attempt to disable it. The first person is like a car thief. The second person is like the guy who passes by, notices that the thief abandoned your car with the lights on, and shuts them off. And you are like the guy who insists that the second guy should be prosecuted for trespassing.
    13. Re:Full Text of Article by Ryan+Amos · · Score: 1

      This isn't "enforced antivirus," the Fizzer Task Force is run by a bunch of IRC operators from many different networks. IRC operators just so happen to overall be a very clever bunch, and what with this virus wreaking havoc on a lot of the smaller networks, something had to be done. Plus, the virus already has the capability to update itself. All the antivirus does is exploit a weakness in the virus that can be used to castrate it. And the difference here between anti-virus and anti-everything else is that viruses are not good. Never. And in this case, the virus was extensively analyzed before any action was taken against it. This isn't the antivirus equivalent of the RIAA's "research," rather the virus was disassembled and researched to make sure that this worked. I personally think it's an elegant solution to a nasty problem.

    14. Re:Full Text of Article by budgenator · · Score: 1
      In this case, shutting down these machines is the greater good vs. leaving them running, wasting bandwidth, sending email, or whatever this thing does.

      The worm reportedly has a bug allowing IRC operators to crash the infected machines by
      NEW - We discovered you can make them crash! Go in to a channel they are in, and type "001PING blahblah", where blahblah is any long string, and almost all of them will crash (a couple might send PING replies, oddly). This is some sort of bug in the program, which ultimately is a result of the programmer forgetting a backslash. You can also put the string in the topic of the channels the worm bots join, and they will crash.
      Now, as this is a line that would be harmless to uninfected computers, it solves some of the ethical problems. Unfortunately most people with infected computers wouldn't be able to figure out why their 'puter pukes every time they connect to the internet.
      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    15. Re:Full Text of Article by prnd_ndrd · · Score: 1

      Indeed, I have little pity for anyone who chooses to use IE.

      In a sense, that's the problem. People *don't* choose to use IE. Not really, anyway, when it's preinstalled on Gateway's, Dell's, and so forth. Microsoft has had a stranglehold on the market, and, instead of being benevolent rulers, they've allowed their software to become unsecure and bug-ridden. Think about it: their software actually *works together* to make an unsecure system. Windows makes it too easy for someone to click "Yes" to install a worm, and Outlook makes it easy to receive the chance to install that worm.

      --
      Want to talk? ashaver AT pdx DOT edu
  5. wow by j0nb0y · · Score: 5, Insightful
    nice hack.


    Now the computer security community gets to have a big debate over whether this was ethical or not...

    --
    If you had super powers, would you use them for good, or for awesome?
    1. Re:wow by ch-chuck · · Score: 2, Interesting

      If it's done by an 'official' security agency with govt. approval then it's ethical, if it's done by a netizen vigilante group then it's not ethical - just like if a fireman pulls a victim from a burning building s/he's a hero, but if John Q. Passerby tries to help he's arrested for trespassing.

      --
      try { do() || do_not(); } catch (JediException err) { yoda(err); }
    2. Re:wow by Anonymous Coward · · Score: 0

      just like if a fireman pulls a victim from a burning building s/he's a hero, but if John Q. Passerby tries to help he's arrested for trespassing.

      If you pull someone from a burning building you won't be arrested for trespassing. Jesus stupid fucking christ. Idiots these days.. they don't just die off like they used to.

    3. Re:wow by Zathrus · · Score: 5, Insightful

      just like if a fireman pulls a victim from a burning building s/he's a hero, but if John Q. Passerby tries to help he's arrested for trespassing.

      Want to show a case proving this? Even vaguely?

      In fact, most states have "Good Samaritan" laws which are specifically designed to protect anyone attempting to save someone else's life against prosecution -- this comes up most often in CPR training, since some bozos have had the gall to try and prosecute the CPR giver for providing CPR and not saving the person's life.

      I'd say you were just a troll, but your posting history doesn't show that. So I'm guessing you're either stupid or grumpy.

      In response to the original question - as long as it's done purely for the purpose of removing the worm in the first place I'd say it's ethical. You could argue that they should also patch the holes that let the worm in in the first place (presuming there were some - I believe Fizzer is just executed by unsuspecting people), but I'd say that's crossing the line -- you have no idea if there was a valid reason for the user to not patch -- it may be that the patch causes issues with their computer. Uninstalling the worm is unlikely to cause problems though, as long as the uninstaller does the job right.

    4. Re:wow by BigMe · · Score: 1

      Not a man but an odd situation just the same.

    5. Re:wow by Zak3056 · · Score: 2, Interesting

      Want to show a case proving this? Even vaguely?


      There was an instance about two months ago of a man whose apartment was on fire running into the burning building to save his dog. The fire department had the police arrest him.

      The FD did not want to enter the building because it was too hot/dangerous, and wanted to let the hoses cool things down a bit at first (a perfectly sane decision, IMHO, since there was no human life at stake.) The pet owner didn't like that idea, so took matters into his own hands.

      The reason for his arrest is he "put the lives of firefighters and others at risk" by his "reckless" actions.

      Not EXACTLY what the original poster was talking about, but fairly close.

      --
      What part of "shall not be infringed" is so hard to understand?
    6. Re:wow by 241comp · · Score: 2, Insightful

      I'm not sure if you heard the entire story. The reason he was arrested was because there were firefighters in the entrance to the house and he broke a window (I believe - or opened one) to get in. This sudden additional inlet of air could have caused a backdraft-type situation (think about the movie). He endangered the firefighters' lives by doing that - all for a dog which the firefighters themselves probably could have saved. It was reckless disregard for the safety of the firefighters. Heck, if someone put your life in serious danger at work while you were saving their personal property wouldn't you want them to be arrested?

    7. Re:wow by jo_ham · · Score: 1

      A security guard lost his job in the UK a couple of days ago because he went to help a patient in the hospital he worked at.

      The patient was trying to kill himself by jumping off some scaffold, and the guard helped to keep him (relatively) safe with a paramedic also there. They eventually persuaded him to come down, or he was removed by medical staff, I forget which.

      The hospital praised the guard for helping out and saving the patient's life. The company he worked for (security was contracted out to a private firm) fired him for "endangering himself and the patient".

    8. Re:wow by Maserati · · Score: 1

      No let's NOT think about the movie "Backdraft". Please ?

      --
      Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
    9. Re:wow by Suidae · · Score: 1

      In fact, most states have "Good Samaritan" laws which are specifically designed to protect anyone attempting to save someone else's life against prosecution

      Even more fun, in many places, failure to render aid is illegal. IANAL, but I'm sure those laws include some kind of provision for reasonable risk. Of course with HIV and whatnot running around, I wonder if one could make a case for not performing CPR because one did not have protective equipment?

    10. Re:wow by printman · · Score: 1

      There was some coverage of a man who was arrested in Tennessee (I think?) for going into his burning apartment building to free his trapped dog (actually, I think he just jumped up onto his apartment's balcony and broke the sliding glass door so that the dog could escape)

      He was arrested on the spot for interfering with and endangering the police/firefighters on the scene, who were apparently unwilling to break the glass door on the first floor to free the dog... The owner didn't want his dog to die and took matters in his own hands...

      --
      I print, therefore I am.
    11. Re:wow by ReconRich · · Score: 1

      The fire department had the police arrest him

      In most states, Good Samaritan laws do *not* apply to pets. And this guy could not have been arrested for trespassing assuming it was his apartment that his dog was in. Furthermore, "official" agents (the fire department) were on the scene. If no agents of the government had been on the scene, he almost certainly would not have been arrested.

      -- Rich

      --
      Free your mind and your Ass will follow -- George Clinton
    12. Re:wow by vDave420 · · Score: 2, Informative
      just like if a fireman pulls a victim from a burning building s/he's a hero, but if John Q. Passerby tries to help he's arrested for trespassing.

      Want to show a case proving this? Even vaguely?

      Within the last two weeks here in Miami, Florida, there were two separate instances of this on the news.

      In one, a man jumped up(!) to a burning second story building to rescue a trapped dog that was barking for help.

      In the second, a man rescued a person.

      In both cases, they were arrested, and it made the local news. Now admittedly, they may (and probably will) be acquitted, but this is not the point.

      -dave-

      Use BearShare for all your p2p needs!

      --
      The pig browse. With Google. Sigh is to the chicken. Chicken is fool. Giggle. The DailyWTF giggle.
    13. Re:wow by Oopsz · · Score: 1

      HIV can't be transmitted through mouth to mouth contact, especially not during CPR where you're *blowing* into the other person's lungs. (Shoving your tongue down someone's throat may be slightly riskier, but how often do you ask the girl at the bar if she's been tested?)

      linkage

    14. Re:wow by Anonymous Coward · · Score: 0

      On Hannity and Colmes a few weeks ago, something similar happened.

      A man's dog was trapped inside of his burning house, he asked the firemen to rescue the dog. Apparently the firemen said they were low on water, but would try anyway.

      The dog's owner waited for over a half an hour and the firemen did nothing. The man then made a sprint for the house (the cops tried to stop him), climbed up to the second floor, broke open a glass door, and rescued his dog.

      He was then promptly arrested.

      Go figure.

      http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=man+arrested+for+saving+dog

    15. Re:wow by Anonymous Coward · · Score: 0

      New scientific evidence (when this man opened the window, no firefighters died) has proven that the movie backdraft is stupid and wrong. A source with collagen lips and peroxide hair went on record claiming that "this doesn't prove Kurt Russell is a bad actor."

    16. Re:wow by Anonymous Coward · · Score: 0

      Unless you have a cold sore and perhaps one of the victim's lips has been burned slightly and is bleeding. Yes, you can very well get HIV from CPR or any other kind of contact if both parties are careless.

    17. Re:wow by Suidae · · Score: 1

      There are plenty of other nasty things that can also be transmitted via such contact.

      Also, it's not uncommon for people to vomit during CPR, and they generally don't make a point of waiting until you are clear.

    18. Re:wow by Chump1422 · · Score: 1

      Not the same thing. The fire department was already there, when the man saved the dog. So it wasn't that he entered the building, it was that he interfered with them and endangered everyone. Had he been the only one on the scene, I believe he would have been fine (although the law wouldn't really want to encourage people to enter burning buildings, because then they'll go in and firefighters will have to come in and pull them out when they get trapped).

      I don't know the facts of the second case, but if the fire department is already there, "heroes" just make it more dangerous for everyone.

    19. Re:wow by Anonymous Coward · · Score: 0
      Even more fun, in many places, failure to render aid is illegal.

      References, please. And the voice emanating from your ass doesn't count.

    20. Re:wow by cyphergirl · · Score: 1

      And rightfully so. (arrested) Breaking the door would have fed the fire, or could have created a backdraft situation. (Fire "eats up" all of the oxygen in the structure, and is starving. Some dumb@ss opens a door or window, fire gets sudden infusion of oxygen == BOOM!) We had a backdraft in an apartment building about two months ago -- sent four of our guys to the hospital w/ burns.

      --
      --Insert catchy .sig line here--
    21. Re:wow by Xerithane · · Score: 1

      In fact, most states have "Good Samaritan" laws which are specifically designed to protect anyone attempting to save someone else's life against prosecution -- this comes up most often in CPR training, since some bozos have had the gall to try and prosecute the CPR giver for providing CPR and not saving the person's life.

      Good Samaritan laws apply to civil lawsuits only. It reads that if I am doing something that I am qualified and trained (officially) to do, to save someone's life, I am immune to any civil lawsuits against me. It is not the same as persecution, and if there is someone with higher qualification and training, your immunity disappears.

      As for persecution, if there is fire department or police department presence, you will get charged for trespassing. People aren't trained to rescue people, and it creates more of a problem for the police and fire department because they have to worry about idiots hurting themselves trying to do a good deed.

      Yeah, a guy may succeed and be a hero. But for that guy, there are 9 other darwin award winners.

      --
      Dacels Jewelers can't be trusted.
    22. Re:wow by Anonymous Coward · · Score: 0
      it's not uncommon for people to vomit during CPR, and they generally don't make a point of waiting until you are clear.

      +1, Disgusting

    23. Re:wow by Oopsz · · Score: 1

      Well now, it's your right to sit aside and watch someone breathe their last, rationalizing all the while. What's saving a life compared to nasty things?

    24. Re:wow by budgenator · · Score: 1

      I know a guy who broke down a tenants door and pulled her naked out of the bathtub. After she regained consciousness she kissed him. He smelled the bad gas leak, got no response from pounding on the door before he broke it down.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    25. Re:wow by budgenator · · Score: 2, Informative

      There is one documented case of HIV transmission through mouth to mouth. The carrier had severe periodontal disease (bleeding gums).

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  6. Gateway to Thousands of Machines by bjb · · Score: 5, Insightful
    Hey Kids! Want to take over thousands of people's machines? Hack Geocities and install your own 3733t "eYe r0K uR w0RlD" binary at this URL! ...

    I can only imagine that this is now the bullseye for hundreds of crackers who want to compromise people's computers. I hope the honest security people who have "taken control" of this page are making sure every few seconds that their true uninstaller program is there, and not someone else's kRaK program.

    --
    Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
    1. Re:Gateway to Thousands of Machines by Anonymous Coward · · Score: 0

      It's 31337.

    2. Re:Gateway to Thousands of Machines by darien · · Score: 1

      Hey Kids! Want to take over thousands of people's machines? Hack Geocities and install your own 3733t "eYe r0K uR w0RlD" binary at this URL!

      Or distribute your own worm that adds an entry to the user's 'hosts' file, redirecting this address to your own site.

    3. Re:Gateway to Thousands of Machines by Angry+White+Guy · · Score: 1

      If you're going to muck around with the host file, then you'll get more bang for your buck masquerading google, msn, yahoo etc. to 64.159.93.205 or something along those lines. That'll make'm sit up and take notice!

      BTW, it's BangBus.com, not very safe for the office.

      --
      You think that I'm crazy, you should see this guy!
    4. Re:Gateway to Thousands of Machines by Ryan+Amos · · Score: 3, Insightful

      My guess is the fizzer people talked to geocities to gain control of the account. I'd imagine geocities' security is pretty solid, it's NOT hard to secure a box if you REALLY want to. 99.999% of security breaches are from default daemons left on and never updated so the vulnerabilities persist. If you update your software and check your CGIs (the other 0.001% of system breakins come from bad CGIs) for vulnerabilities (as I'm sure geocities has) then you're fine.

    5. Re:Gateway to Thousands of Machines by rwiedower · · Score: 1

      Whose website was it, anyway? That's the info I want to know...because the idiot who signed up for it is going to be seriously unhappy when the feds come a knocking.

    6. Re:Gateway to Thousands of Machines by Branc0 · · Score: 1
      I love that stats... they never count with human error and worst... human stupidity.

      I don't have hard numbers, neither do you or you wouldn't say what you said... but probably more than 50% of break-ins have at least in some point been caused by human error.

      --

      rm -rf /home/leia

    7. Re:Gateway to Thousands of Machines by Tarpan · · Score: 1

      haha, yeah... everyone uses their real name and address when applying for a place to spread a worm from.

    8. Re:Gateway to Thousands of Machines by AndroidCat · · Score: 1
      I'd imagine geocities' security is pretty solid

      Maybe. Their abuse department is frequently reported to be non-existent. Abuse and security don't generate any profits, so the suits frequently start cutting there first.

      --
      One line blog. I hear that they're called Twitters now.
    9. Re:Gateway to Thousands of Machines by ipjohnson · · Score: 1

      thank god you put the "BTW, it's BangBus.com, not very safe for the office." because I was just about to click on it.

      I guess I should remember never click a slashdot link when you don't know where it's going.

    10. Re:Gateway to Thousands of Machines by Angry+White+Guy · · Score: 1

      I was going for 'myfirstbigcock.com' but it's a vhost and doesn't resolve nicely. But the pictures are hilarious. Definitely would have the guys at Symantec and Trend Micro laffing their ass off.

      --
      You think that I'm crazy, you should see this guy!
    11. Re:Gateway to Thousands of Machines by Anonymous Coward · · Score: 0

      Dear:

      [x] Clueless n00b
      [ ] Lamer
      [ ] Ricer
      [x] Kid with no clue
      [ ] Flamebait
      [ ] Jackass
      [ ] Lazy person
      [ ] Me too'er
      [ ] Spammer
      [ ] Idiot
      [ ] Asterik-laden adjective
      [ ] Pointless Thread Starter

      You Are Being Flamed Because:

      [x] You continued a long, stupid thread
      [ ] You said "me too" to something or "Send ______"
      [ ] You asked for w@rez
      [x] You don't know what you're talking about
      [ ] You suck
      [ ] You posted one of the reposts from hell.
      [ ] Your post title has nothing to do with the content
      [ ] You complained about something you got for free/low cost
      [ ] You are not the grammer police
      [ ] You hate the U.S. or its policies yet will not leave
      [ ] You started a flamewar thread
      [ ] You are b!tching about something you have no right to b!tch about
      [ ] You asked for medical help on a computer forum
      [ ] You asked an incredibly stupid question
      [ ] You like ricers
      [ ] You are a ricer
      [ ] You asked how to mod a honda
      [ ] Your sig/alias sucks
      [ ] You did not listen to a smarter member or ignored advice
      [ ] You need use the damn search button
      [ ] You said any version of "repost" This is allowed sometimes but not this time
      [ ] You posted something totally uninteresting
      [ ] You posted a topic/message all written in CAPS
      [ ] You posted spam
      [x] Your stupidity is astounding
      [ ] You used the words 'suxors' and/or 'roxors'
      [ ] You posted "FIRST POST!"
      [ ] You are quitting the website for good...again
      [ ] You complained about the Mods

      To Repent, You Must:
      [x] Give up your AOL/Euronet/MSN/Planet Internet account
      [ ] Bust up your modem with a hammer and eat it
      [x] Jump into a bathtub while holding your monitor
      [ ] Actually post something relevant
      [ ] Listen to Moonbeam for 3 hours
      [ ] Become friends with Red Dawn
      [ ] Pry the Caps Lock and Shift keys from your keyboard
      [ ] Read the damned FAQ
      [ ] Cut off both your hands with your own hands
      [ ] Post some damn pics
      [ ] Go hug your parents right now
      [x] Remove the Slashdot forum from your list
      [ ] Read the manual / instructions
      [x] Remove your genitalia so you do not breed
      [ ] Repenting is not possible, you are banned.
      [ ] Use the damned search function
      [ ] Post in the right damned forum
      [ ] Put your car into a crusher
      [x] Apologize to everybody on this website
      [ ] Actually leave the website for good

    12. Re:Gateway to Thousands of Machines by budgenator · · Score: 1

      It was my understanding that the virus writer simply forgot to register the site, the geocities site was one of many.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    13. Re:Gateway to Thousands of Machines by Evadman · · Score: 1

      Hey, cool! My Checkbox flame made it to /. I Am so happy! Thanks ctho :)

    14. Re:Gateway to Thousands of Machines by Anonymous Coward · · Score: 0

      Yeah, but security protects what profits they do have.

  7. Interesting by eumenides · · Score: 1, Funny

    It looks like the fizzer worm
    just fizzled out
    ha ha ha ha
    (i'm so lame)

    1. Re:Interesting by grolschie · · Score: 1

      yup, it was a real fizzer, aye?

  8. Re:Well.. by Spad · · Score: 1

    Experienced people shouldn't be contracting the worm in the first place.

  9. Thanks, original poster! by thdexter · · Score: 0

    Looks like the Fizzer worm will soon come to an end.

    It's good that he didn't say something like "I guess one could say the Fizzer worm has fizzed out!"

    --
    I'm on a road shaped like a figure eight; I'm going nowhere but I'm guaranteed to be late.
  10. Hacked into Geocities? by Salamanders · · Score: 5, Interesting

    ...now control the update page...

    At what point does the vigilante hacking become acceptable when fighting against Something Bad?

    If this worm updated itself from a random group of computers that it had infected (say for example, yours), would you mind if they took control of your computer if it meant stopping the worm?

    1. Re:Hacked into Geocities? by Anonymous Coward · · Score: 4, Informative

      We now control the update page because a particularly observant FTF member noticed that geocities had deleted the page, and registered it for themselves. No hacking involved.

      Next time try doing a little research (like asking in the IRC channel) before posting.

    2. Re:Hacked into Geocities? by 42forty-two42 · · Score: 4, Funny
      Next time try doing a little research (like asking in the IRC channel) before posting.
      You're new here, aren't you?
    3. Re:Hacked into Geocities? by Anonymous Coward · · Score: 0

      Nope, just eternally optimistic.

    4. Re:Hacked into Geocities? by Salamanders · · Score: 1

      Doesn't matter to me if they hacked into it or took control using perfectly legit means. My question to the forum still stands.

      And I don't use IRC.

    5. Re:Hacked into Geocities? by Anonymous Coward · · Score: 0

      what's your question? You were asking about vigilante hacking. This isn't vigilante hacking.

    6. Re:Hacked into Geocities? by rillian · · Score: 3, Interesting

      If they do a good job without breaking anything else or causing additional inconvenience I wouldn't mind at all. Would you mind if some stranger came along and pulled the weeds out of your garden? It's like they're doing system administration for free; if their interest and yours is in improving the state of the networks commons, such division of labor is only an efficiency.

      People get concerned about security as an end unto itself, forgetting the real world is messier than that. An excess of control can be as wasteful as a deficit. What's good for the RIAA is good for us too. It's never good to be a battleground of course, but ants in the basement are better than roaches in the kitchen. If the one prevents the other, why not?

      Thus we should patch security holes not to keep someone from using a few resources we wouldn't miss, or indeed use in the meantime, but because someone might combine those resources with ten thousand other compromised machines to perform a nuisance attack on another host, or with ten million to do the same to the net at large.

    7. Re:Hacked into Geocities? by Salamanders · · Score: 1

      How about the case where they cause you inconvenience, but you were causing them (or others) much more inconvenience by hosting a DOS worm or something similar?

    8. Re:Hacked into Geocities? by aonaran · · Score: 3, Insightful

      Would you mind if some stranger came along and pulled the weeds out of your garden?

      I would. I wanted those weeds there, dandelion makes a good salad.

    9. Re:Hacked into Geocities? by MrScience · · Score: 1

      There are many stories where a stranger mistook a $20,000 tulip bulb for an onion.

      --

      You quitting proves that the karma kap worked. The most annoying of the whores shut up. --CmdrTaco

    10. Re:Hacked into Geocities? by plugger · · Score: 1

      If the definition of a weed is "a plant growing where it's not wanted", then one man's weed is another man's salad (no dope jokes please).

      Feel free to draw an analogy between that and the Fizzer worm story.

    11. Re:Hacked into Geocities? by Fizzl · · Score: 1

      I might be trolling here but what the hell...

      like asking in the IRC channel

      Makes me chuckle. I used to be a regular in IRCNet, but nowadays I feel that it is just a breeding ground of script kiddies, egoistic assholes, social rejects and clueless friends of beforementioned social rejects who are about to be assimilated.
      I just google. There I can usually find a sensible answer to any question without the mental abuse.

      Oops. This is off-topic too. Just when I thought I might get slightly positive Karma ;)

    12. Re:Hacked into Geocities? by Reddog0176 · · Score: 1

      No one said the page was hacked, it was just stated that Fizzer Task Force now has control of it. I know it wasn't hacked, because I am the one that gained access to it. The fact of the matter is, whoever created fizzer NEVER registered the page.. so I took the liberty in registering it.
      --
      Chris
      Reddog[Magicstar] on the irc channel.

    13. Re:Hacked into Geocities? by Anonymous Coward · · Score: 0

      too funny, just peed my pants

  11. *Sigh* by cperciva · · Score: 5, Funny

    When will people learn that if you're going to download program updates, you should use public-key cryptography to sign the updates?

    If you're going to write a worm, do it right.

    1. Re:*Sigh* by will_die · · Score: 5, Funny

      You just go the simple route, include an EULA saying that doing this is against the DCMA.
      Then sue.

    2. Re:*Sigh* by Anonymous Coward · · Score: 0

      What the hell is the DCMA? The Dyslexic Computerusers Misspelled Acronym?

      Digital
      Millennium
      Copyright
      Act

      Easy enough to remember. You can even set the letters to a Village People song, which is incredibly appropriate.

    3. Re:*Sigh* by Des+Herriott · · Score: 1

      What the hell is the DCMA? The Dyslexic Computerusers Misspelled Acronym?

      Didn't
      Check
      My
      Acronym.

    4. Re:*Sigh* by connorbd · · Score: 2, Insightful

      Though admittedly "Digital Copyright Millennium Act" is perfectly accurate...

      (mod self -1, Silly) /Brian

  12. Quota? by 42forty-two42 · · Score: 4, Interesting

    Why isn't the geocities site saying it's 'bandwidth exceeded' or something?

    1. Re:Quota? by SEWilco · · Score: 1

      Oh. You mean we haven't slashdotted the site and interfered with its legitimate use by Fizzer?

    2. Re:Quota? by interiot · · Score: 1

      It only takes a few bucks, something the charitable soul probably wouldn't mind at all. As long as consumption doesn't go over 35gb/month, they're fine.

    3. Re:Quota? by Psychic+Burrito · · Score: 1

      Well if the creator of Fizzer would have spent money with a credit card (and as far as I know, this is the only way to buy webspace at geocities), he would be easy to track down.

      So I think that he either managed to circumvent the geocities quota system without paying, or he used a stolen credit card...

      Any educated guesses?

    4. Re:Quota? by Reziac · · Score: 1

      How big is this thing? Maybe it's just not enough to hit the Geocities limit.

      Which I don't know what is officially, but last time I hit some idiotic 750k graphic on a GC site, that was enough for their system to automatically lock that account for an hour.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    5. Re:Quota? by interiot · · Score: 1

      The geocities account is no longer owned by the Fizzer creator, it's now legitimately owned by the anti-fizzer group. I was suggesting that since they've put so much personal time into fighting the worm, that they probably wouldn't mind fronting the $10-40 to help out the internet community even more.

    6. Re:Quota? by ceejayoz · · Score: 1

      It's possible that Geocities is working with the Fizzer team on this - they could have disabled the quota.

    7. Re:Quota? by ancyent_marinere · · Score: 1

      Easy, the worm writer could have just bought a prepaid credit card from a convenience store somewhere. No registration, no paperwork, no incriminating trace of any sort.

    8. Re:Quota? by bheerssen · · Score: 1

      I would guess that Geocities is able to control bandwidth on a per-url basis. Hell, they could even dedicate an entire server with a fat pipe to that one url. Not that hard really, just a rule in their load balancers.

      --
      (Score: -1, Stupid)
    9. Re:Quota? by budgenator · · Score: 1

      The fact of the matter is, whoever created fizzer NEVER registered the page.. so I took the liberty in registering it. sayeth Chris Reddog[Magicstar] on the irc channel.

      probably why they didn't register it is how easy it would have been to track the cc.

      Geocities is free, but ad sponsored, they'll insert a piece of javascript to show an ad banner on every file in the directory, this would have destroyed the virus, javascript inserted into a binary executable file doesn't work. To get the ad-free geocities you have to pay $4.95/month and that means a credit card. Apparently the virus writer knew that geocities was free, but didn't realise that he'd have to use a cc to get the ad free version, until after the virus was released, or perhaps escaped.

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
    10. Re:Quota? by Reziac · · Score: 1

      Could be.. all I know is that it sure is easy to shut down a GC site that's overloaded with bloated graphics!!

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    11. Re:Quota? by Grendel+Drago · · Score: 1

      Where can you get these prepaid credit cards? I've never seen them; how do they work? Can they be purchased online?

      If I want to buy internet porn and not have it show up on my bill (yes, even as "CCBill, Inc" or whatever) this'd be ideal. Or for buying programs from a certain kind of store before they get busted by the feds. Or a zillion other things, I'm sure.

      --grendel drago

      --
      Laws do not persuade just because they threaten. --Seneca
    12. Re:Quota? by ancyent_marinere · · Score: 1

      do a google search for "prepaid credit card". Your quest shall prove to be fruitful.

  13. outrageous by circletimessquare · · Score: 5, Funny

    as a compassionate human being i find this outrageous

    to use the innate homing behavior of a wild natural creature like this virus against it...

    to warp its natural instincts to find home into the means by which it kills itself displays a craven lack of respect for computer worm/virus entities

    do not these strange and wonderful beings deserve our respect and encouragement? is there no natural sanctuary of a subnet on which these beautiful beings can live out their imperative to reproduce? unburdened by the ill wishes of mankind?

    is there no compassion on the internet?

    outrageous

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    1. Re:outrageous by leviramsey · · Score: 0, Offtopic

      Plz rate (5, Insightful). K thx.

    2. Re:outrageous by circletimessquare · · Score: 1

      are you the same guy on kuro5hin? ;-P

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    3. Re:outrageous by Anonymous Coward · · Score: 0

      Yeah. Don't kill viruses. Kill the writers.

    4. Re:outrageous by The+Cydonian · · Score: 1

      Just wait for the K5 Reenact dude to come over to /. :-D

    5. Re:outrageous by circletimessquare · · Score: 1

      HAHAHAHA

      his ascii art rulez

      he's our equivalent of photoshoppers on fark ;-)

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    6. Re:outrageous by leviramsey · · Score: 1

      But of course...

    7. Re:outrageous by circletimessquare · · Score: 1

      kewl ;-)

      --
      intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
    8. Re:outrageous by Theaetetus · · Score: 1
      Won't somebody please think of the children?!?!

      [snicker]

      -T

    9. Re:outrageous by Anonymous Coward · · Score: 0

      indeed -- they might start resenting us ugly bags of mostly water

    10. Re:outrageous by cavemanf16 · · Score: 1

      "do not these strange and wonderful beings deserve our respect and encouragement? is there no natural sanctuary of a subnet on which these beautiful beings can live out their imperative to reproduce? unburdened by the ill wishes of mankind?"

      You're from PETA, aren't you?

    11. Re:outrageous by Anonymous Coward · · Score: 0

      shut the hell up

  14. Possible application of strategy by trikberg · · Score: 1, Offtopic

    This could be applied to another virus: Windows.
    1. Hack the "secure" automatic update system.
    2. Add/modify critical update.
    3. Have said update uninstall Windows when executed.
    3. Wait for machines to update themselves and auto-destruct.
    4. ???
    5. Profit.

    --
    This post is free (as in cheese in a mousetrap).
    1. Re:Possible application of strategy by Anonymous Coward · · Score: 0

      where ??? is sell virus free linux distro

    2. Re:Possible application of strategy by Anonymous Coward · · Score: 0

      Why would anyone write viruses for a platform that runs on less than 1% of desktops? Mac and Linux "immunity" from viruses is a classic example of security through obscurity. Deny it if you want, but it won't make it less true. *fart*

    3. Re:Possible application of strategy by Oopsz · · Score: 1

      One word: Tuxissa.

  15. GLG 20 by Anonymous Coward · · Score: 0

    Fitz-Hume!
    Fitz-Hume!
    Source programmable guidance!

  16. Nice.. by Komarosu · · Score: 3, Interesting

    Guess that's another thing worm writers will pick up...don't have autoupdate from a website, without that little "feature" the worm would probably hang around for a lot longer.

    --

    "What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
    1. Re:Nice.. by Loosewire · · Score: 4, Insightful

      I would say not. I think what most virus writers want to do is get a worm that quickly spreads to everyone. Whether it hangs around is of no importance, so having a way it could be disabled after a reasonable amount of time (a few weeks) would not be bad for them. Just like game companies only have copy protection so they get huge sales for the first week or so - they know the protection will be broken but not for a short while afterwards.

      --
      Slashdot - The one stop shop for procrastination
    2. Re:Nice.. by Komarosu · · Score: 1

      mmm never thought of it that way :)

      --

      "What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
    3. Re:Nice.. by AnotherBlackHat · · Score: 1

      Just sign updates with the public key you include in the software.
      Good practice for any auto-update, not just viruses.

      -- this is not a .sig

    4. Re:Nice.. by AngryPuppy · · Score: 1

      Actually, from seeing discussions with actual virus writers, it is a more impressive act to write a slower-spreading worm. If it spreads too fast and does a lot of damage, you are on the law's radar screens and could get picked up and incarcerated. Better to write something slow-spreading. Also, the people writing them and the people releasing them into the wild are not the same. Virus writers often display source code, but then someone comes along with an agenda and compiles and releases the malware. Also, the virus updating itself is not a new concept. Hybris (written by Vecna) did that already via Usenet.

    5. Re:Nice.. by AngryPuppy · · Score: 1

      I meant to say that the authors and spreaders are not ALWAYS the same person. There are probably exceptions.

  17. No, this is different by Sycraft-fu · · Score: 4, Informative

    The worm chooses to go and update itself from this site, this code is an update that tells it to die. So, if you choose to run the worm, consciously or not, that worm will go get updates regularly, unless you do something to stop it. This particular update just disables it.

    Also, intent does factor into laws. What you intend to do can affect what kind of crime you are guilty of, or even if you are guilty at all.

    1. Re:No, this is different by Anonymous Coward · · Score: 0

      So, if you choose to run the worm, consciously or not,

      Is it possible to make an unconscious choice?

      Doesn't the act of choosing imply a consciousness?

  18. Not true by TizeMan · · Score: 1

    It was tried, but it didn't work, so the program was removed.

  19. Fact Checking by Brightest+Light · · Score: 5, Informative

    Nicely done, Slashdot!

    Had anybody bothered following the link to the geocities page before posting the story, they would have seen that the file was "removed for the time being, until further testing on Fizzer's update routine can be done." There has been a great deal of argument in #fizzer as to the legality of such things, and I do not believe that the Fizzer Task Force as a whole decided to do anything of that sort.

  20. Ansivirus companies' advice by 42forty-two42 · · Score: 4, Interesting

    From the F-Secure page:

    The current variant of the worm can uninstall itself if a file with the following name is found in the Windows main directory:

    Uninstall.pky

    When the worm finds a file with this name, it kills all its tasks and removes its registry keys thus disinfecting a system.
    [...]

    To get rid of the worm, it is enough to delete its files from the Windows main directory and from the Kazaa shared folders. Please download and execute the following Registry patch:

    Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...

    1. Re:Ansivirus companies' advice by Fweeky · · Score: 1

      Uhm, XP has cmd.exe, just like 2k.

    2. Re:Ansivirus companies' advice by Anonymous Coward · · Score: 0

      Ever try and create a file from Windows that has EXACTLY the file extension you want?

      You sound like the "luser" to me. If you have your "hide file extensions" checked off (as any self-respecting non-luser would).. you just create a file and name it anything you'd like. Whatever you save it as is what it will be named.

      And I am running XP and I have a "dos box" in the form of "command prompt". On the other hand, ask that same user to even navigate the file system in linux and create a file at all.. and see your reaction. Fucking idiot. *fart*

    3. Re:Ansivirus companies' advice by Zan+Zu+from+Eridu · · Score: 1

      Because the infector would still be in the Kazaa share folders, causing other lusers to download it and infect themselves.

    4. Re:Ansivirus companies' advice by andkaha · · Score: 2, Funny

      Unfortunately, this won't work on XP (which has no DOS box), so you're forced to use notepad or something which will append .txt to the end of any file, and then you have to go into explorer and rename it, hope to god that the user won't get scared by the "if you change the file extension, this file name not be usable anymore" warning, and so on.

      Just name it "Uninstall.pky" (including the double quotes) in Notepad.

      I never thought that I would give a Windows tip... shudder...

      --
      It's 11pm, do you know what your deamons are up to?
    5. Re:Ansivirus companies' advice by Anonymous Coward · · Score: 0

      baka... he meant that most people have hide file extensions on

    6. Re:Ansivirus companies' advice by Anonymous Coward · · Score: 0

      Good lord are you stupid and clueless. I won't bother and mention all the things wrong with what you said. But here's a simple way to create Uninstall.pky from Explorer:

      Right click -> New -> Text File
      Name the file Uninstall.pky, press enter.
      Click Yes if asked a question.
      That's it.

      Why would you want to bother with notepad or a command prompt? And yes XP has a command prompt. You're an idiot.

    7. Re:Ansivirus companies' advice by httptech · · Score: 4, Informative

      Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...

      That's actually what the de-fizzer executable was designed to do. Unfortunately, it looks like there are timing/logic issues with the update that haven't been worked out (different threads of the worm are run conditionally, at different times)

      Another vector that people (including myself) are working on is using the "PING" buffer overflow to launch the self-destruct mechanism from the IRC server.

      My submission:

      2003-05-15 16:36:12 Fizzer Worm Self-Destruct Sequence Triggered by Fizzer Task Force (articles,security) (rejected)

    8. Re:Ansivirus companies' advice by silvaran · · Score: 1

      Unfortunately, this won't work on XP (which has no DOS box)

      I've been using the command prompt on XP ever since XP came out... Start->Programs->Accessories->Command Prompt, or Start->Run, "cmd", [OK].

    9. Re:Ansivirus companies' advice by boredMDer · · Score: 1

      Just as a matter of clarification, httptech - 2003-05-15 14:53:43 Fizzer Worm uninstalling itself (articles,tech) (accepted) Over an hour and a half before you submitted yours.

  21. Re:Well.. by jpsst34 · · Score: 0, Flamebait

    Experienced people shouldn't use the word, "n00bs!"

    --
    How are you going to keep them down on the farm once they've seen Karl Hungus?
  22. the worm has proved itself to be a new lifeform by andy666 · · Score: 4, Funny

    so i think it is morally wrong to kill them all. who are we to decide which new e-species lives and which dies ?

    (see star trek for more on this topic....)

    1. Re:the worm has proved itself to be a new lifeform by Anonymous Coward · · Score: 0

      (see star trek for more on this topic....)

      Yeah, sure...

      From my parents' home in Wyoming, I stab at thee!

      http://www.penny-arcade.com/view.php3?date=2002-07-22

    2. Re:the worm has proved itself to be a new lifeform by Anonymous Coward · · Score: 0

      Yes, this is a good question indeed. Who are we to decide which of these e-species should live or die? I'll give you this answer: we're their creators.

      Ja-Deluge is my very own rm -rf-veh

  23. Somound needs to be more creative... by Anonymous Coward · · Score: 5, Funny

    I mean seriously, this article just SCREAMED for a title like Fizzer Fizzels Out, or something like that. I don't blame Slashdot, I blame DShield.org for their lack of insight to use good reporting techniques such as headlining...

  24. So to get rid of it you must let it do it's job? by LemurShop · · Score: 1

    I hope we can all see the irony of having to let the worm do what it was supposed to just to get rid of it

    --

    This sig was cut off by the sla
  25. Good thing Symantec.... by caffeinex36 · · Score: 5, Funny

    ...didn't get a hold of the Geocities page...Otherwise there would be 120398123 people unhappy with a "free-trial" of Norton AV on their desktop right now.

    -Rob

  26. WU by cwernli · · Score: 1

    Well, let's hope Fizzer is more advanced than Windows-Update.

  27. A more far fetched theory by VTS · · Score: 0, Troll

    The worm is of alien origin!
    When it realised how primitive the machine it was running on (%WinDir%) was, it decided to commit suicide!
    Oh well, we will have to wait a bit longer to get in touch with those aliens...

    --
    --- No 16-bit support in Vista? Half of our modules still use it! ---
  28. Nice work by Cackmobile · · Score: 0

    Nice work whoever came up with that fix. It's brilliant. Fight fire with fire!!!

    --
    -- Karma Karma Karma Karma, Karma Chameleon - Boy George
  29. Great! by varjag · · Score: 2, Funny

    While they are at it, could they also make the worm install some simple firewall and anti-viral software at users' machines?

    --
    Lisp is the Tengwar of programming languages.
  30. Do you mean? by codepunk · · Score: 1, Insightful

    Like remove windows?

    --


    Got Code?
  31. Legal issues. by GiMP · · Score: 1

    So, did they obtain this account via Geocities or did they crack it? If they cracked it, this would be very illegal. Why would geocities give the account to them? They have no legal right to that account.

    1. Re:Legal issues. by Anonymous Coward · · Score: 0

      >Why would geocities give the account to them?

      Uh, because then geocities would be aiding the propagation of a fucking worm you retard?

    2. Re:Legal issues. by blennidae · · Score: 1

      Why wouldn't Geocities be allowed to either shutdown or allow someone to provide the uninstall fix for the worm when it tries to autoupdate itself? If Geocities knows that one of their accounts is responsible for propagating this worm, then they should be legally/morally/ethically responsible for taking action to prevent the spread of this worm. Which in this case they did. The worm on the client machine actually connects to the server, downloads the updates and then uninstalls itself. What could be more beautiful than that? If someone broke into my home while I wasn't there, I sure as hell hope my neighbors would call the police instead of saying "Oh, wait a minute, I don't have a legal right, I'll just let this crime continue." IMHO, you sound like one of those security freaks that can't balance the need for security with the real world.

      --
      Rejoice in your insanity, there really is no other way
    3. Re:Legal issues. by GiMP · · Score: 1

      Geocities reserves the right to disable/remove the account and certainly reserves the right to give the account to someone else. There is just no legal reason for them to give the account to anyone who asks for it except, perhaps, the government.

      I assume that Geocities terminated the account according to their TOS and allowed the 'defizzers' to re-open the account.. this would be ok; however, it would be nice if they stated how, exactly, they obtained the account.

    4. Re:Legal issues. by Moonshadow · · Score: 1

      It was never registered. Reddog discovered this, registered it, and uploaded a file that the worm would have expected which caused the worm to run its own self-uninstall routines. No cracking or reverse engineering was done.

  32. Well... by High+Hat · · Score: 2, Funny

    ... what about doing this to Windows Update?

  33. I guess it's time... by Anonymous Coward · · Score: 0

    Now worms are going to need to verify PGP signatures of the files it downloads, just like legit software does...

    Yes, I realize Windows update doesn't verify sigs.

  34. DMCA violation? by dcavanaugh · · Score: 3, Interesting

    Hmmm... hijacking a web page to interfere with the virus' self-update. Is this an illegal "circumvention" of a "protection feature" in this copyrighted program (regardless of how it's installed)?

    Don't get me wrong; I applaud the efforts of the virus busters; I just figured it was yet another example of unintended DMCA side-effects.

  35. Just walk without a rhythm... by sopuli · · Score: 4, Funny

    Because, if you walk without a rhythm, you won't attract the worm.

  36. shut UP. by Anonymous Coward · · Score: 0

    Lifeform, indeed.

  37. An eye for an eye ... by Martijn+Ras · · Score: 1

    Stopping the cause of an infection is good. Making a cleaner that undoes the virus is good. However, achieving this by "Gaining control" and using an "Antivirus Virus"? Who is the better of the other in this: * the cracker that had the creativeness to develop a pitfall or * the cracker that fell into that pitfall and had the creativeness to develop a crack for that pitfall to undo itself?

    1. Re:An eye for an eye ... by Anonymous Coward · · Score: 0

      You are very stupid. You didn't read the article, and you also didn't read the other myriad of comments dealing with this already. If you did, you wouldn't be asking such a stupid question.

  38. Thats a brilliant hack! by TerryAtWork · · Score: 0, Redundant

    Way to go!

    --
    It's Christmas everyday with BitTorrent.
  39. I just Googled uninstall.pky by Madcapjack · · Score: 2, Insightful

    I just googled uninstall.pky at 3:06pm Polish time, and I received 28 results. Let's see how fast this info spreads on Google.

    1. Re:I just Googled uninstall.pky by Madcapjack · · Score: 1

      Of course, using Google as a measure of this is problematic as it depends on Google updating their records. I've noticed that it doesn't include slashdot in their results...Next day, 10:24am Poland, still count is at 28. Maybe I'll try another search engine.

  40. Props to the White Hats by Sergeant+Beavis · · Score: 3, Interesting

    It's nice to see some people just looking to do some good.

    --
    There is nothing inherently safe about liberty. That's why so many people died protecting it.
  41. Don't worry... by new+death+barbie · · Score: 2, Funny

    ...they'll get another chance on the duplicate posting...

    --

    It's supposed to be completely automatic, but actually you have to press this button.

  42. wtf is going on here? by Ender+Ryan · · Score: 5, Insightful

    Am I just being incredibly dense? What are so many here complaining about? How could you possibly consider it to be morally wrong for someone to use a worm's own properties to fight it? People who are "unintentionally downloading and running" this fix were already hacked, and are no longer in control of their machines.

    If someone broke into your house, would you mind if a friendly neighbor quietly followed them in and escorted the intruder out? Or perhaps you'd prefer your neighbor to let the intruder rob you, or whatever they intended to do.

    They also didn't "hack" geocities like some have suggested...

    I dunno, I just don't see anything wrong here.

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
    1. Re:wtf is going on here? by BenjyD · · Score: 1

      > If someone broke into your house, would you mind
      >if a friendly neighbor quietly followed
      >them in and escorted the intruder out?

      As long as the neighbour doesn't accidentally knock that priceless Ming vase on my mantelpiece over on the way out...

    2. Re:wtf is going on here? by Have+Blue · · Score: 1

      Indeed... It's not like the virus writer was ethical either. I'd file this under the computer equivalent of hot pursuit; emergency response teams sometimes do need to break some laws to enforce others.

    3. Re:wtf is going on here? by Anonymous Coward · · Score: 0

      My neighbor should call the police and let them handle it. Consider if that friendly neighbor decided to shoot the criminal through a window.

      That's what sucks about analogies; you can make whatever point you want. It's quite possible that this code on Geocities could destroy someone's files. Not likely, but possible. That's why vigilantism is a bad idea.

      Is it ever ok to modify someone's computer without their permission? I say no. It's my computer stay out.

      Oh, I think ISPs should automatically cut worm infected machines off the net, but it should say so in the EULA first.

    4. Re:wtf is going on here? by httptech · · Score: 4, Interesting

      More and more worms and viruses are going to crush the internet under their weight if they are not stopped somehow. It's somewhat akin to the wild west here... there is no "law" that can contain these hostile entities. It's up to the town affected to form a posse and take care of business.

      A look at ethical issues involved in "hacking-back" was written by a cow-orker of mine. It looks at different ethical systems and how they might be applied here.

      It's called "Crossing the Line: Ethics for the Security Professional"

    5. Re:wtf is going on here? by Ender+Ryan · · Score: 1

      What if there are no police available, or none competent enough to handle the situation?

      Besides, the situation is partly your fault in the first place for leaving your front door wide open.

      Ok, enough with the analogies.

      Is it ever ok to modify someone's computer without their permission? I say no. It's my computer stay out.

      But they're not modifying your computer in the first place, the virus is initiating it.

      If they had written an exploit that installs itself onto peoples' computers and checks for viruses, etc., then it might be different. But that's not what they did.

      --
      Sticking feathers up your butt does not make you a chicken - Tyler Durden
    6. Re:wtf is going on here? by Anonymous Coward · · Score: 0

      Regardless, the intent of the neighbor is more important than the outcome.

    7. Re:wtf is going on here? by bheerssen · · Score: 1

      wtf is a orker? And why on earth would you do that to a cow?

      --
      (Score: -1, Stupid)
    8. Re:wtf is going on here? by Anonymous Coward · · Score: 0

      As every induhvidual knows: http://c2.com/cgi/wiki?CowOrker

    9. Re:wtf is going on here? by Twid · · Score: 1

      I think the real issue is legal liability. Quality Assurance is hard enough for big companies with established testing departments. There is no way that the people involved in writing the Fizzer uninstaller could test even a small percentage of existing configurations out in-the-wild.

      So, there is a real risk that the fizzer uninstaller might actually damage computers or delete data. When you're messing with files and registries on someone's hard drive, anything can happen. One small typo in the script, or one weird configuration that you didn't predict, and someone's hard drive could be toast and they will be looking for you.

      While the writers of fizzer might be hard to find, the writers of the fizzer uninstaller are likely named security professionals that are easy to locate. So they are taking a huge risk of a lawsuit if anything goes wrong with the uninstaller.

      I wouldn't do what they have done. The personal liability is far too great.

      --
      - "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
    10. Re:wtf is going on here? by Anonymous Coward · · Score: 0

      The aim of the fizzer uninstaller is to create the %windir%\uninstall.pky file. This is a 0 byte file. Fizzer checks that it exists, and if it does, it turns itself off. The "uninstaller" doesn't do anything else.

      http://tinyurl.com/bqqe

  43. Could be done better... by rulethirty · · Score: 2, Insightful

    Instead of spawning an uninstall-executable perhaps this should spawn a quick harmless executable that will start an Internet Explorer process directing victims to a website warning that they indeed have this trojan and what action they can take to remove it... My $.02...

    1. Re:Could be done better... by mdfst13 · · Score: 2, Insightful

      If I had this worm, I would find the uninstall-executable less intrusive than starting up IE and sending me to a web site. The uninstall only affects the worm's operation. What you are recommending is further cracking my box (admittedly, the box is already cracked, but why go farther). As you are then taking active effort to crack my box, I would regard that as illegal.

      An analogy. I regard this as the equivalent of walking by a car with its windows down in the rain and rolling them up. It's just good citizenship. What you are suggesting is more along the lines of triggering the garage door opener, walking in, and leaving a note saying that the windows are down. Not only is it more intrusive, but it still lets the car get wetter while you are doing it and while you are waiting for people to find your note (which they may do immediately or not). Not to mention the fact that the worm affects other computers more than your computer.

      My $.02

    2. Re:Could be done better... by lifey · · Score: 1

      Oh yeah, that would work. I click on those banner ads all the time that blink YOU HAVE A VIRUS or YOUR SOFTWARE IS OUT DATE... Don't you??

      I like the idea of using a worm's auto-update feature against it. Seriously, would you follow a pop-up that just magically appeared out of nowhere? Or just look for the little [X].

    3. Re:Could be done better... by Anonymous Coward · · Score: 0

      I use Mozilla. What is a banner ad?

    4. Re:Could be done better... by Moonshadow · · Score: 2, Insightful

      The worm contains uninstall routines. All the "uninstall executable" does is create a file with the appropriate name in the appropriate directory. The worm then picks up this file and uninstalls itself. The file that the worm is now downloading is NOT a traditional uninstaller, but rather, is a simple file creation app. It just creates the blank file and the worm kills itself. It's clearly the cleanest, fastest, easiest solution.

  44. Very nice explanation... by Anonymous Coward · · Score: 0

    No real message, I just think you're right on.

  45. Re:Finally! by Anonymous Coward · · Score: 0

    Previous post is funny. Message for moderators who don't get it: "No spice for you!!"

  46. So... by angst7 · · Score: 1, Funny

    I guess you could say the whole thing just sort of ... fizzled.

    *cough*

    ---
    Jedimom.com, choo choo choosing you.

    --
    StrategyTalk.com, PC Game Forums
  47. Re:Finally! by Anonymous Coward · · Score: 0

    I'm rolling in the floor laughing. Not.

    Sorry, but DUNE just plain sucked so badly that it's hard to find that funny. What I -do- find funny is how SciFi thinks people will watch a series based on it. HAHAHAHAHAHAHA!

    I remember when SciFi showed Science Fiction programming. Now they show fraud shows like that peepee John Edwards. Who watches that cheap drivel?

    *sigh* the bean counters have ruined life for everyone!

  48. Helpfully by SEWilco · · Score: 0, Offtopic
    In fact, most states have "Good Samaratin" laws...

    You know, the source for that phrase is from a popular book. If you use the phrase you should have read it, just as if you want to use "Round up the usual suspects" or "I feel pretty and witty and bright", you should view the source so you know the context and inferences. If you read it you should have learned the proper spelling. Or maybe you have only read it in the original Hebrew and Greek.

    And I'm just trying to help. :-)

    1. Re:Helpfully by Anonymous Coward · · Score: 0

      Fuck you christian swine

    2. Re:Helpfully by spanky1 · · Score: 2, Funny

      You know, the source for that phrase is from a popular book.

      Harry Potter?

    3. Re:Helpfully by Anonymous Coward · · Score: 0
      Not Harry Potter. The man said POPULAR.

      I suppose that your confusion was understandable; he should have said something like: ``Most popular book in human history, with more copies printed, distributed and read than any other, and translated into far more languages than any other, by a VERY wide margin.''

      Not Harry P., and not even Lord of the Rings (which was a better tale, and far better literature).

    4. Re:Helpfully by Anonymous Coward · · Score: 0

      The swine did not say the book should be used as a guide to life, only that a phrase from it should be used correctly. And you missed a comma.

  49. Pedantic ethic in a vacuum... by xinit · · Score: 5, Insightful
    I still get hits from Nimda and Code Red on my apache server. Plenty of them. I'd be very happy to see those ancient beasties exterminated in just this fashion.

    Sure, it's not ethical on its own to force a download on people... but it is likely MORE ethical than allowing these clueless infected types to continue to infect others.

    If someone's unconscious and bleeding from their head, is it ethical to patch up their head wound without their permission? I'd hope so.

    --
    --- http://foo.ca
    1. Re:Pedantic ethic in a vacuum... by Anonymous Coward · · Score: 1, Interesting
      If someone's unconscious and bleeding from their head, is it ethical to patch up their head wound without their permission? I'd hope so.

      No, don't move them and call for help. They are very unlikely to bleed to death from a head injury and you will do more damage than good. I hope you understand now, but I doubt it.

    2. Re:Pedantic ethic in a vacuum... by ceejayoz · · Score: 1

      If someone's unconscious and bleeding from their head, is it ethical to patch up their head wound without their permission? I'd hope so.

      Exactly... nice analogy. :-)

    3. Re:Pedantic ethic in a vacuum... by Anonymous Coward · · Score: 1, Interesting

      Wow. Way to fucking miss the point.

    4. Re:Pedantic ethic in a vacuum... by Anonymous Coward · · Score: 0

      Well, there have been plenty of cases where the courts acknowledged people's right to refuse medical treatment, so I'm not so sure that it will always be OK to patch up somebody's wounds without their permission.

    5. Re:Pedantic ethic in a vacuum... by Paradise+Pete · · Score: 1
      Wow. Way to fucking miss the point.

      I'd say it's you who missed the point. His point is that believing you are doing the right thing is not good enough. You may be mistaken, and in your zeal do more harm than good.

  50. If it's OK by goldcd · · Score: 1

    for them to put code on the web page - then surely the original holder of the page has the right to put whatever they wanted on the page.

  51. But 3 Lefts Do! by Greyfox · · Score: 3, Interesting
    The two evils in question:

    1) Run the risk of potentially damaging peoples' computers by running code on them that hasn't been thoroughly tested on all platforms.

    2) Leave a massive network of compromised systems in place which could be used to launch a massive DDOS against banks, internet connected water and electrical grids or law enforcement networks.

    IIRC (IANAL) the law gives you a good amount of latitude in defending others. This includes the little-used ability to make a citizen's arrest and also allows you to kill to protect others in some circumstances.

    I'd put my money on the correct choice being to remove the weapon from the hands of the criminals.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

    1. Re:But 3 Lefts Do! by Asgard · · Score: 1

      Has there ever been a documented case where an electrical utility's operations (not just their website) have been affected by the internet?

    2. Re:But 3 Lefts Do! by Greyfox · · Score: 1
      Not that I'm aware of but I attended a short security presentation a while back and the guy doing the presentation expressed a great deal of concern about water systems. Apparently the control units they use to move water around in the system are built by only a couple of companies and do not usually have any sort of authentication at all. They're intended to be plugged in to a leased line but more and more water districts are discovering that internet connections are cheaper. As time goes by this sort of danger becomes more prevalent. Even a DDOS on the right control system at the right time could cause a flood.

      Discounting the possibility of such attacks simply because one hasn't happened yet is opening yourself to a huge risk. You want to prevent someone from shutting down a major power grid or water control center. After the fact prevention costs lives. I would hope that someone's evaluating these vital systems for such vulnerabilities... but I'm not willing to bet money (or my life) on it.

      I'll stand by my opinion that this ounce of prevention (disabling the worm from its update site) is completely justified.

      --

      I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  52. intent matters by theLOUDroom · · Score: 1

    It depends on the purpose. I used the example of parking in front of a hydrant for a reason.

    If you park in front of a hydrant, it's legal for the firemen to smash your windows and run the hose though your car, even if it's just to teach you a lesson and they could have gone around it.
    It is not okay to go around smashing car windows just because you want to, even if you find a car parked in front of a hydrant.

    --
    Life is too short to proofread.
    1. Re:intent matters by dnoyeb · · Score: 1

      Negligence has nothing to do with purpose. They could have good intentions, but if it is shown that they inadequately tested their *fix* they could be found negligent.

      The fire hydrant is a little bit of a bad example. The reason it is illegal to park in front of the hydrant in the first place is the same reason the car was damaged. It would be different if it were just a regular no parking zone, and the fireman smashes the windows there because he needed to.

    2. Re:intent matters by Anonymous Coward · · Score: 0

      What I want to know is, what if they install the fire hydrant while you're parked there, then smash your windows ?

      That is, it wasn't there when you first parked your car there, 4 weeks ago.

    3. Re:intent matters by Anonymous Coward · · Score: 0

      That's because there is a *specific* law dealing with the case of a car parked in front of a fire hydrant. And it's still wrong.

    4. Re:intent matters by Anonymous Coward · · Score: 0

      welcome to America.

      This is happening more and more often. Just today, I heard on the radio about a law in Seattle putting independent garbage collectors out of business with a fiat law. Never trust a car from the country that invented fascism.

  53. Hey, unfair! by Black+Parrot · · Score: 2, Funny


    > The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys.

    Why didn't they provide a UNIX version, too?

    --
    Sheesh, evil *and* a jerk. -- Jade
  54. Good Samaritan? by Bob9113 · · Score: 1

    If they cracked it, this would be very illegal.

    Agreed that this is the most likely outcome in the current legal system. Should it not be the case though, that this action would be protected by the same laws that protect people performing the Heimlich Maneuver?

  55. "Gained Control"? by nurb432 · · Score: 0

    I hope they didn't hack the page.. that's opening themselves up wide for legal problems.

    and no I didn't RTFA.. in case that was answered there.

    --
    ---- Booth was a patriot ----
    1. Re:"Gained Control"? by $0+31337 · · Score: 1

      Why the hell would you think that they hacked the website? Virus propagating software is forbidden by geocities terms of service hence geocities probably discontinued the account which allowed the fizzer task force to recreate it and put their own software in fizzer's place. I quote from the TOS:

      (h) upload, post or otherwise transmit any material that contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of any computer software or hardware or telecommunications equipment;

      So hence, a violation of the TOS occurred and Yahoo/Geocities had the right to do pretty much whatever they wanted.

  56. Seems similar to RIAA requests... by dnoyeb · · Score: 3, Insightful

    This seems like what the RIAA wanted permission to do. They believe it's their content so they have access to it no matter where it is.

    I mean this in the context of the Geocities web page. Do they have permission to alter the contents of that page??

    Solution is elegant, but let's be consistent and understand the implications.

    1. Re:Seems similar to RIAA requests... by ceejayoz · · Score: 3, Interesting

      They most likely contacted Geocities and asked for access to the account so they could stop the worm.

    2. Re:Seems similar to RIAA requests... by Washizu · · Score: 3, Insightful

      "This seems like what the RIAA wanted permission to do. They believe it's their content so they have access to it no matter where it is."

      DRM itself isn't wrong, it's just a technology. Government mandated DRM is wrong because it eliminates the choice of using it or not. I don't see how that relates to this situation at all, since no laws say people have to have the Fizzer installed.

      --
      OddManIn: A Game of guns and game theory.
    3. Re:Seems similar to RIAA requests... by Zaknafein500 · · Score: 1, Interesting

      They're just putting a file out on a web page. It's people's choice (since they chose to become infected) to download and execute it. More power to the team. A nice way of eradicating a nuisance.

      --

      "The guide is definitive, reality is frequently inaccurate."
    4. Re:Seems similar to RIAA requests... by MillionthMonkey · · Score: 2, Funny

      Wow. Is this what it takes to get any sort of response from Geocities?

      I set up a Geocities page in 1997. After they were bought by Yahoo, my password stopped working and I haven't been able to delete the page in years- which sucks because it's embarrassing to have a page with the digging man GIF in 2003. Geocities is unresponsive. I guess the solution is to release a worm that checks to see if the page is still there!

      Does anybody have a copy of Fizzer? I have to edit one of its resource strings and post that baby on KaZaa.

    5. Re:Seems similar to RIAA requests... by Moonshadow · · Score: 3, Interesting

      What actually happens is that there's a series of update sites hardcoded into the worm. Reddog (A Magicstar op) found one of them that "Sparky" hadn't registered yet, registered it, and put up the update file with the uninstaller.

      Pure genius, really.

      Mad props, Reddog. :)

      -- Antiarc

    6. Re:Seems similar to RIAA requests... by Moonshadow · · Score: 2, Interesting

      Yes, there is a binary out there. It's also encrypted (PE compressed, actually) - I doubt you have the resources to decrypt it and alter the binary. The people hacking on it were able to find the strings it contained by infecting their own machines and using WinHex to stroll through RAM. If we'd been able to decrypt it, things would have been a lot easier.

    7. Re:Seems similar to RIAA requests... by dnoyeb · · Score: 2, Informative

      For those who missed the point, the issue is their access to the Geocities webpage, nothing more nothing less.

    8. Re:Seems similar to RIAA requests... by budgenator · · Score: 1

      just have fizzer click the ad banner on the way through... that'll get their attention. that would be like /.ing doubleclick

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  57. Great idea! Next let's... by MongooseCN · · Score: 3, Funny

    Next let's take over the MS Update site and put REAL patches on there. Then when the client updates his system, he won't be installing more holes.

    1. Re:Great idea! Next let's... by Sanga · · Score: 1

      Maybe it will make this guy happy. Discussion here

  58. inoculation by baldass · · Score: 1, Insightful

    so.. if I were to put a script on my machine in say the /c/winnt/system32/cmd.exe?/c+dir that would inoculate against code red would this be legal? Assuming I knew how to do this..... I still get 30 of these requests a day in my log....
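
Added example, not part of the thread: a way to count the Code Red and Nimda probes that several posters say still show up in their Apache logs. It assumes Apache common log format and the commonly reported request shapes (`/default.ida?` followed by a long run of N or X for the Code Red family, `cmd.exe?/c+` or `root.exe?/c+` for Nimda); the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample in Apache common log format. Addresses come from the
# documentation ranges; timestamps and sizes are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [19/May/2003:06:12:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 276
192.0.2.10 - - [19/May/2003:06:12:05 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858 HTTP/1.0" 404 276
198.51.100.7 - - [19/May/2003:07:40:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
198.51.100.7 - - [19/May/2003:07:40:12 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 300
198.51.100.7 - - [19/May/2003:07:40:13 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280
203.0.113.5 - - [19/May/2003:08:01:44 -0400] "GET /index.html HTTP/1.1" 200 5120
203.0.113.5 - - [19/May/2003:08:01:50 -0400] "GET /docs/default.idaho.html HTTP/1.1" 200 100
this line is truncated and does not parse
"""

# host ident user [timestamp] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Assumed signatures (not taken from the thread apart from the cmd.exe path):
# the Code Red family pads /default.ida? with a long run of N or X, and Nimda
# asks IIS to run cmd.exe or root.exe with "/c+<command>".
SIGNATURES = {
    "code-red": re.compile(r"^/default\.ida\?[NX]{20,}", re.I),
    "nimda": re.compile(r"/(?:cmd|root)\.exe\?/c\+", re.I),
}


def classify(target):
    """Return the worm family a request target matches, or None."""
    for family, pattern in SIGNATURES.items():
        if pattern.search(target):
            return family
    return None


def summarize(log_text):
    """Count probes per family and source address.

    Returns (hits, answered, skipped):
      hits     - {family: Counter({ip: count})}
      answered - probe lines the server answered with 2xx, which on a
                 non-IIS server should not happen and deserves a look
      skipped  - number of non-empty lines that did not parse
    """
    hits = {family: Counter() for family in SIGNATURES}
    answered, skipped = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            skipped += 1
            continue
        family = classify(m.group("target"))
        if family is None:
            continue
        hits[family][m.group("ip")] += 1
        if m.group("status").startswith("2"):
            answered.append(line)
    return hits, answered, skipped


if __name__ == "__main__":
    hits, answered, skipped = summarize(SAMPLE_LOG)
    for family, sources in hits.items():
        for ip, count in sources.most_common():
            print(f"{family:9s} {ip:15s} {count}")
    print(f"probes answered with 2xx: {len(answered)}; unparsed lines: {skipped}")
```

The per-source counts identify hosts that are still infected, which is what an abuse report to the owning network needs.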

  59. definitely a good thing. by theflea · · Score: 5, Insightful

    After reviewing the arguments, I've concluded this is a good thing. Maybe even a necessary thing. Here's why:

    Have you ever tried to explain to an end user what a virus is and how it works? Few have a decent understanding of what viruses are all about. Even folks with a technical background have a hard time keeping up with them, and knowing all the types.

    As operating systems and viruses get more complicated, this gap will only get wider. I saw that article/paper arguing that as computers become almost biological in complexity, they must be able to fix their own minor problems. Same type thing.

    1. Re:definitely a good thing. by Anonymous Coward · · Score: 0

      And here an understanding of viruses wouldn't help, since it's a worm and not a virus.

    2. Re:definitely a good thing. by theflea · · Score: 1

      Uh, I guess I just proved my own point. It makes me dumb and insightful all at once! From now on I'm going to start reading my spam that says I'm continuously broadcasting an IP number. Yikes, that sounds scary.

    3. Re:definitely a good thing. by Kredal · · Score: 1

      Or you could just disable the messenger service in msconfig -> services, and not get those "broadcasting IP" popups anymore.

      --
      Whoever stated that signature sizes should be limited to one hundred and twenty characters can just go ahead and kiss my
  60. Brilliant by Orclover · · Score: 1

    This is a brilliant cure by a brilliant team, may they handle all future challenges as efficiently. Hey McAfee try pulling that trick outa yer ass.

    --
    I am Jack's complete lack of surprise. -Fight Club
    1. Re:Brilliant by Moonshadow · · Score: 1

      Agreed.

      Awesome work, #fizzer guys. Mad props to Reddog and the others involved for the fix!

      -- Antiarc

  61. Re:Finally! by Baby_with_a_nailgun · · Score: 1

    Previous post is funny. Message for moderators who don't get it: "No spice for you!!"

    And I thought it was from the song 'Weapon Of Choice' by Fatboy Slim. The video has Christopher Walken flying in it.

  62. No more fizzer by aztektum · · Score: 2, Funny

    until the Pfizer worm comes around and then we're all in for a hard time

    i got nothin' this morning

    --
    :: aztek ::
    No sig for you!!
  63. Patch just released by Phantasmo · · Score: 1

    Server administrators who are afraid of becoming infected again by another, similar worm should install this patch immediately.

    Seriously, though - just how many of these things have to happen before people start considering that Windows is less-than perfect?

    --

    The US Army: promoting democracy through unquestioned obedience
    1. Re:Patch just released by Anonymous Coward · · Score: 0

      windoz is not perfect!!!!!!its not perfect omg windoz is falling!!!!!!!!

  64. Obsolete Discussion by Anonymous Coward · · Score: 0

    This was posted elsewhere before this discussion even started:

    >From: "James Herbert"
    >
    >Update: The file has now been removed for "testing".
    >
    >I.E. we don't think the code is being executed. :
    >
    >Also, apparently the "update routine" on Fizzer only runs once a day, though that's totally unconfirmed.

  65. FreeNet-Based Updates? by Anonymous Coward · · Score: 0

    Hold on now... that could be used to increase the breadth of the FreeNet network graph, improving FreeNet response time and efficiency. Hey! I'm all for that. Finally, a way to put all those Windows boxes and surplus bandwidth to use.

  66. Information minister jokes are so last week (nt) by Chuck+Chunder · · Score: 0

    There really is no (useful) text.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  67. Suitable end by Anonymous Coward · · Score: 0

    Worms who live by the URL shall die by the URL...

  68. Well, finally... by Lane.exe · · Score: 2, Funny

    Someone thought of something useful to do with the MS Update code.

    --
    IAALS.
  69. Something wrong here? by Monofilament · · Score: 3, Insightful

    Ok .. I don't know much about Fizzer.. but if it's keeping itself alive by self updating off of a geocities site, AND WE KNEW THIS. Why the hell didn't geocities just take the site off?

    I mean I can't even link a picture from geocities to another site.. but Geocities lets this worm update itself from something on the webpage?

    Even past that i saw something mentioned about bandwidth.. if Fizzer is that bad wouldn't its constant updating overload the free bandwidth from the geocities site?

    Educate me please.. I'm kinda confused here.

    --


    Who makes you Sig?
    1. Re:Something wrong here? by insanecarbonbasedlif · · Score: 1

      Ok .. I don't know much about Fizzer.. but if it's keeping itself alive by self updating off of a geocities site, AND WE KNEW THIS. Why the hell didn't geocities just take the site off?

      I mean I can't even link a picture from geocities to another site.. but Geocities lets this worm update itself from something on the webpage?

      Even past that i saw something mentioned about bandwidth.. if Fizzer is that bad wouldn't its constant updating overload the free bandwidth from the geocities site?

      Educate me please.. I'm kinda confused here.


      Prepare to be educated.

      The site was not set up until a member of the Fizzer task force got ahold of it. So - the worm was not updating itself from the website in order to keep itself alive - it was kept alive (should we get into the debate of living-non-living? naw... I think it's dead, but let's roll with this euphemism.) by the *electricity* in the computers it had infected. Very much like traditional computer virii.

      Thou hast been learned...

      --
      Just because I doubt myself does not mean I find your position compelling.
    2. Re:Something wrong here? by Monofilament · · Score: 1

      Ok still confused. Where did the website come into play and who had it before the fizzer task force?

      From how I understand it now..(maybe I'm wrong).. it's not that they got the worm to uninstall itself.. it would be closer to say that they created a Fizzer variant that is now spreading (or could spread itself) to eradicate the Fizzer worm itself.. kinda like an anti-fizzer worm..

      --


      Who makes you Sig?
    3. Re:Something wrong here? by insanecarbonbasedlif · · Score: 1

      The username had not been registered yet, and as such, before the fizzer task force got it, no one had it. It was hardcoded into the worm as the URL it would use to get updates.

      What they attempted to do (and aren't actually attempting right now, until they figure out more about the worm) is put up a file that would cause any worm getting updates to uninstall itself. So, the update does not spread, but just kills the worms that look for it.

      --
      Just because I doubt myself does not mean I find your position compelling.
    4. Re:Something wrong here? by Monofilament · · Score: 1

      ahha .. thanks .. now i get it.

      --


      Who makes you Sig?
  70. Fizzer is not Curious Yellow, but it's close. by nounderscores · · Score: 3, Informative

    as secolactico (UID:519805) pointed out, Fizzer could be upgraded to a Curious Yellow class worm.

    And I worked out how to kill it in a post in the Curious Yellow Discussion.

    subsequent posters suggested that designing a worm using crypto and a truly distributed architecture would make us a lot less smug in future.

    we've been warned folks. What are we going to do about it?

    1. Re:Fizzer is not Curious Yellow, but it's close. by bj8rn · · Score: 1
      ...subsequent posters suggested that designing a worm using crypto and a truly distributed architecture would make us a lot less smug in future.

      I read about the Fizzer worm in the newspapers today and began to wonder if a truly self-modifying worm could be built. (Note that if the following sounds ridiculous or something, it's because I'm not actually a hacker or anything...)

      Could the mechanism of how real viruses and bacteria reproduce be applied to computer viruses? So that every time the virus reproduces (spreads to another computer), it makes some changes to its code, or every once in a while adds something new (if lucky, a new ability). This would make the propagation of the virus slower, but the virus would be harder to detect (or, most probably, I just don't know enough about anti-virus programs). It would be a real Darwinist virus - only the fittest survive...

      --
      Hell is not other people; it is yourself. - Ludwig Wittgenstein
    2. Re:Fizzer is not Curious Yellow, but it's close. by Moby-One+GNUbie · · Score: 1

      I do know there are cases of accidental "mutation" in older .EXE/.COM infectors. This was believed due to inaccurate transmission over a modem line, flipping a bit or some such. Of course, most such viruses once damaged in this way don't work, but a few continued to do so with little change in their behaviour.

      I would say the problem with applying real Darwin-like evolution in computer worms is simply that there aren't enough hosts. Therefore, I think it's probable that there's not enough room for random changes to be useful often enough for the evolution of new "species". My guess would be that computers compare well to cells in being attacked by virii/worms. Even a computer worm capable of infecting everything attached to the internet would only have a paltry 171 million victims to experiment with. In comparison, a single human has 6*10^13 cells potentially susceptible to living viruses!

      Of course, the day when IPv6 & Bluetooth enabled nanobots are embedded in my deodorant may get us to a number of hosts sufficient for such experiments...

      --
      "Wherever you go, there you are."
    3. Re:Fizzer is not Curious Yellow, but it's close. by bj8rn · · Score: 1

      I'm sure there are more than 171 million computers connected to the net - the ISC only counts the domains, not counting the numerous home computers and subnets (correct me if I'm wrong). Also, a virus can infect the same computer several times. Bacteria have viruses, too, and they only have a single cell. Of course, compared to colonies of bacteria, the net is still very small, but the first real viruses had to start somewhere...

      --
      Hell is not other people; it is yourself. - Ludwig Wittgenstein
  71. how is this ok and code green wasn't? by dougnaka · · Score: 5, Insightful
    For those of you who are not familiar Code Green was an anti-code red listener that would automatically connect to an attacking code red infected server and clean it up. link to news story about code green People in the "security community" were inflamed, and the general consensus was that this was illegal, and many people, myself included, decided not to install code green. Now, code red attacks are still common in my server logs..

    Looks like it's better to ask forgiveness than seek permission.

    --
    My Linux Command of the Day site : LCOD
    1. Re:how is this ok and code green wasn't? by dougnaka · · Score: 2, Informative

      FYI, Code green was more like code red in that it actively scanned for vulnerable servers... but there were other ones that listened for code red attacks then counter-attacked and patched... can't find any now... work and all...

      --
      My Linux Command of the Day site : LCOD
    2. Re:how is this ok and code green wasn't? by AnotherScratchMonkey · · Score: 1
      It's more like Crclean, which patches the system and then passively waits for connections from more infected systems.

      Register article on Code Green and Crclean (includes links to Security Focus messages with attached source code)

  72. Re: by TrebleJunkie · · Score: 4, Informative

    • All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

      Generally, to have illegally used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.


    Except that the "access control mechanism" is already broken. The [illegal] virus has already set up shop on that PC. The "fix" merely exploits the behavior of the virus to get a file onto your PC.

    Put another way: Just because you didn't create the *original* hole, doesn't give you *any* right to crawl into it on your own.

    Put another way: If your software ends up on my machine, ends up *running* on my machine, and I didn't agree to have it there, or run it, you're still in the wrong, no matter your intentions.

    So, for the sake of my argument, and because it's what the fix really is, I'm going to call it what it is: an EXPLOIT.

    Those infected with the virus are pretty fortunate that the folks who posted the exploit to the Geocities site were well-intentioned folks, instead of someone with more destruction in mind.

    Had a black-hat type gotten to the Geocities page first and posted an even _more_ malicious exploit, I have a feeling the opinions here would be very different. If it were RIAA or the MPAA?!? Look out, man! The bitching and moaning would never cease.

    But, it's the whole road to hell/good intentions pavement thing. Eh.
    --

    Ed R.Zahurak

    You know, oblivion keeps looking better every day.

  73. it's the same guy by anythings-possible-b · · Score: 0

    watch this : http://science.slashdot.org/article.pl?sid=03/05/16/1256213&mode=thread&tid=134&tid=98&tid=99
    -
    ah!

  74. But won't Micro$oft get upset when... by linuxwrangler · · Score: 4, Funny

    their update site converts all those machines to Linux?

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  75. worm should have used DRM kind of stuff. by Luzumsuz+Lazim · · Score: 3, Insightful

    Well, the next time, the author of the worm will probably be more careful in writing the code that executes the update package which is SIGNED by her private key. So, this kind of (elegant) solution won't do the trick...

  76. Geocities should have auctioned it. by nortcele · · Score: 1

    Geocities should have put access to the page up for sale to the highest bidder. I am sure their EULA would have allowed for that. Then all the anti-virus companies could bid for it. (However, we know that some James Bond villain would have won the bid.)

  77. Legal concept: spoliation of evidence by Anonymous Coward · · Score: 1, Insightful

    Releasing Fizzer may be a crime in some jurisdictions. The registry
    changes made by Fizzer may constitute evidence of this crime. A
    potential concern is whether this distribution of uninstall.pky could
    lead to destroying relevant evidence. People may want to consult the
    legal literature about "third-party spoliation of evidence".

  78. So... by Anonymous Coward · · Score: 0

    Does this mean it's fizzling?

  79. Re: by ukyoCE · · Score: 2, Insightful

    I think you're flat-out wrong. Motive (and results) are very important.

    If a burglar drops his gun, and you pick it up and shoot the burglar, that is a good (and usually legal) thing. If you pick up the gun and shoot the bank teller, you're gonna fry. That should be obvious.

    Using an exploit to remove the exploit is a pretty good idea. Of course it should be tested beforehand, and shouldn't do anything risky (like deleting infected files). In this case they said all it does is remove the registry keys that Fizzer adds. That isn't a very risky thing to do, and I'm sure they still tested it beforehand.

    What they did is perfectly legal and a very good idea for everyone involved. This isn't at all similar to the RIAA using an exploit to delete your files, or Microsoft using their own program to subvert security on your computer.

  80. Weeping quietly by macguiguru · · Score: 0

    (but really sounds like laughter)

  81. The distinction by pineappleboy · · Score: 1

    How is automatically downloading an antivirus any more legal or ethical than automatically downloading a virus without user permission?

    This antivirus would only become illegal and unethical if it did any form of harm/disruption to the computers in question. That's where the "law boundary" is crossed in this case.

    Virus makers get prosecuted primarily for damage or disruption to networks and computers. That's different to this case, where a single virus is requesting instructions, and then deleting/nullifying itself as a result. As many of the other posters have pointed out, it's the computers requesting the data from the server.

    Provided the requested information is docile, and the senders did nothing to forcibly implant the request program on the home computer, it is entirely legal. It's a lot similar to many browsers zipping to MSN.com as their home page, because people don't know how to change it around.

  82. Dare I say it? by daemonc · · Score: 1

    So now this worm will just Fizzle out?

    --
    All that we see or seem is but a dream within a dream.
  83. not stale, I was laughing out loud by Anonymous Coward · · Score: 0

    Really, we should encourage more information minister trolls.

    1. Re:not stale, I was laughing out loud by quintessent · · Score: 1

      I missed the IM jokes last week, so it was very funny to me too.

  84. +1 Exactly Right [!TextBelow] by eugene ts wong · · Score: 1

    m

  85. If only... by AUsBandit · · Score: 1

    we could windows xp to do this......

  86. Hehe by Fizzl · · Score: 1

    Damn. Thanks... I'm bored to death, sitting in a bus.
    That was the best punchline I've seen in a long time =)

  87. AWESOME... by oaf357 · · Score: 1

    Talk about Revenge of the Nerds.

    This is absolutely astonishing that a group of people that have never even cared about anything other than their servers/channels can come together and absolutely annihilate a worm of this magnitude.

    It proves that teamwork can accomplish great things regardless of the circumstances.

  88. Right idea, wrong URL. by AnotherBlackHat · · Score: 4, Funny

    They should have taken over this one ;)

    -- this is not a .sig

    1. Re:Right idea, wrong URL. by Anonymous Coward · · Score: 0

      no need to take over windoz update site with virus trojan worm attach the last three critical update patches from microsucks killed 7% of the machines that were updated if they were running norton av. the reason microsucks did this was because as we all know all major software makers write viruses the release in copies of their wares on kazaa especially windoz. and this is done to stop piracy. but nortons too vigilant and efficient at cleaning these corporate wrote viruses and was told by microsucks to tone down the efficient removal of the corporate written viruses. they did not heed. and microsucks next patches were aimed at disabling slowing down or making unstable a certain percentage of machines running norton.
      put your trust in microsucks!!!!!!!!!!!!!!!!

  89. Does this mean? by harborpirate · · Score: 1

    Does this mean the Fizzer worm is going to Fizzer out?

    wakka wakka wakka!

    --
    // harborpirate
    // Slashbots off the starboard bow!
  90. Windows UPDATE by Anonymous Coward · · Score: 0

    Sounds similar?

  91. Err by Anonymous Coward · · Score: 0

    If the virus is on YOUR machine, it is YOUR responsibility to get rid of it. These people aren't crawling into any holes on your system, it's your machine that's digging itself into one.

    Your argument is akin to saying it should be illegal to dispose of medicine in the trash bin, because some crazed derelict might dig in your trash and OD on them.

    1. Re:Err by TrebleJunkie · · Score: 1

      No, what I'm saying is akin to saying it should be illegal to sneak into someone's house (by ANY means), open their medicine cabinet (by ANY means), and replace their heart medication (by ANY means) with a different medication (by ANY means) because _you_ think that's what's best for them (by ANY means).

      That's what I'm saying.

      And, guess what.... It IS illegal to do just that, be we talking about medication OR computer systems.

      These folks found a way (*cough* exploit!) to get arbitrary code (*cough* exploit!) onto a user's PC without their knowledge (*cough* exploit!), and execute it (*cough* exploit!) because _they_ thought it was best for that user's PC. (By ANY means.) But it was, is, and ever shall be NOT UP TO THEM TO MAKE THAT CALL.

      Had it been a corporation, had it been the government, had it been Microsoft, you'd all be screaming bloody murder. You *should* be screaming bloody murder _now_. RIAA doesn't know what's best for you. Microsoft doesn't know what's best for you. The government doesn't know what's best for you. Certainly, a group of IRC white-hats don't know what's best for you either.

      --

      Ed R.Zahurak

      You know, oblivion keeps looking better every day.

  92. Re: by TrebleJunkie · · Score: 1

    On the contrary. It is *exactly* the same as what RIAA wants to do.

    To use your own words, what these guys did was use an exploit "to subvert security on" people's computers.

    Just because their intentions were good, doesn't mean they had legal grounds to do so.

    --

    Ed R.Zahurak

    You know, oblivion keeps looking better every day.

  93. I hope they sue by Anonymous Coward · · Score: 0

    I really hope someone sues them over this posting of code on the web page. This is unauthorized access to a computer. It isn't that I want them to be punished, obviously they shouldn't and what they are doing is right, but it isn't legal. This is the best possible test case you are going to get to show stupid people in congress not to pass laws about things they don't understand, and in the process fucking things up.

  94. Re: by MegaHamsterX · · Score: 1

    No, the RIAA does not know where my mp3s came from, they are making an assumption they are illegal, if I had shared the mp3s out and the RIAA positively knew one of them I was sharing wasn't legal, then that would be a different story as I would be causing a monetary loss for them, but since I'm not breaking something by sharing, the most reasonable thing would be to take me to court.

    In the case of fizzer, it is causing damage to the IRC network, maybe a bot should be created so every abusive computer is noted and the ISP is petitioned to remove their rights to access the Internet for being careless, most people don't think security applies to them, most people don't believe virus checkers are necessary, these are the same people who use condoms to prevent unintended consequences, they are careless, maybe we should give them a class in the use of a virus checker, break out bananas and everything :-)

  95. can anyone say "honeypot"? by Anonymous Coward · · Score: 0

    dumb nerds

  96. I don't think so... by Ender Ryan · · Score: 1

    I disagree with you 100%. They are not forcing this fix upon anyone, it is the existing worm that is going to download and run this uninstaller.

    Also, I believe you are overstating the potential for damage by a large degree. Deleting a couple files and registry keys is an extremely simple process, and should pose no danger to any machines. Should the registry get corrupted during the key removal, that would really be the fault of windows, not the program itself, as programs don't directly access the registry.

    Could they be taken to court? Sure, but you can take anyone to court for anything. Would they win? Probably. Should they win? Definitely.

    And if it's personal liability you're concerned with, why complain? They're only jeopardizing themselves, not you.

    Morally, I think it's equivalent to giving CPR to someone who was in an accident. We have good samaritan laws to protect such people these days.

    Cheers!

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
    1. Re:I don't think so... by Twid · · Score: 1

      as I said, they are creating files and manipulating the registry, there is always potential for damage. For example, they could make a simple typo, or the virus itself could contain "black ice" that detects if someone is trying to delete it and causes more damage.

      and they are forcing the fix on people, in that the people running their fix are not opting into it in any way.

      read the other posts in this thread about "code green" which faced similar issues. I think the liability risk is very real.

      And if it's personal liability you're concerned with, why complain? They're only jeopardizing themselves, not you.

      if we're only allowed to make comments on slashdot about things which personally affect us, it's going to be a pretty barren place. :)

      --
      - "When you want something with all your heart, the entire universe conspires to give it to you" -Paulo Coelho
  97. Re:Finally! by Ryan C. · · Score: 1

    And I thought it was from the song 'Weapon Of Choice' by Fatboy Slim.

    It was, but the lyric was a reference to Dune. Probably the concept of voice being his weapon of choice was also tied to this reference.

    -Ryan C.

    --
    -Ryan C.
  98. zerg by Lord Omlette · · Score: 1

    Am I the only one who read the story and immediately thought, "You know, next time they release a worm, they'll just make it check for updates from freenet or kazaa or something..."?

    --
    [o]_O
  99. So what you're saying, then... by The Fink · · Score: 1

    is that the worm was a Fizzer?

    Thanks, I'll be here all week.

  100. Just Forget Windows by Anonymous Coward · · Score: 0

    Ever since I loaded linux all those problems just disappeared.

    Kinda like a Calm seat away from the action but close enough to watch the mayhem.

    Linux, The Future of operating systems

    Frig been 1 year and 4 months and 16 days, as soon as I got dreamweaver to run in wine.. that was it.. Don't care to be bugged by Microsoft again!

  101. A "better" solution? by Jumperalex · · Score: 1

    A lot of people seem to have a problem with the fact that the "white hats" have placed code in such a manner that it will be executed on a person's machine. Laudable though the intent may be there are problems with this method.

    So I was thinking, if there was a way to instead notify the user that they are infected and offer them the link to download and execute the cleaner code. [shrug] obviously the hard part is notifying. Windows Messaging is turned off by a lot of folks but usually the type of folks that wouldn't catch fizzer anyway [shrug]. Is it possible to pop open their browser with a page telling them?

    Anyway it would certainly seem like a less objectionable solution, if possible, than having code auto executed on their machine; even "good" code.

    --
    If you can't be good, be good at it!
  102. The race for Starvation by IBitOBear · · Score: 1

    Interestingly this becomes a race for starvation. As soon as the black-hat realizes, and he will (thanks slashdot! 8-), that one of the URLs has been "infected" with the counter agent, he will make the counter-counteragent...

    Coming soon: the black-hat update that removes the white-hat counter-agent site from the list of update sites in the virus, posted to one-or-more of the update sites.

    It will be interesting to see which starves out first, and to what degree. The number of infected computers or the number of hits on the counter-agent site.

    --
    Innocent people shouldn't be forced to pay for inferior software development.
    --"Code Complete" Microsoft Press
  103. Signatures? by p00ya · · Score: 1

    I'm surprised the 'black-hat' didn't use a key pair to sign the updates. I guess it would bloat the virus up a bit, but it would stop the spread of a "counter-virus".

  104. Florida: land of the fucked-up Ashcroft by Quietti · · Score: 1

    Florida is a fucked-up state. News at 9/11.

    --
    Software is not supposed to be about how to work around a useability issue. - Ken Barber
  105. Making it stronger by Anonymous Coward · · Score: 0

    If you let some threads remain then the virus will grow even stronger and become anti-virus-resistant. Perhaps the creator of the virus already anticipated this. We are all doomed.

  106. ircd on windows? by Pooh · · Score: 0

    What?? When I first heard of this worm, I thought it was some kind of bug in ircd daemon that affects many if not all Unix targets.
    So, Undernet.org runs IRC server on Windows.

    I understand how it lag so much and all users are just bunch of script kiddy and hiphop listening, trend follower and wannabehacker low-life.

  107. Which just goes to show... by fm6 · · Score: 1

    ...that the difference between "legal" and "illegal" is often a matter of who you know!

  108. Legal/Ethical Aspects by Chatmag · · Score: 1

    This is not competent legal advice, just my understanding as a publisher, and a person who has been involved in the Internet for over 10 years. I will be in contact with a lawyer familiar with Internet law, if nothing else, just for my own education.

    The infected user first downloaded Fizzer embedded within another file, presumably either on KaZaa, or via email attachment. KaZaa posts their Terms of Service, which includes the statement that any user understands they may also receive other files not included in any posting of file names, that is, they may also download malicious or other unwanted files, and that they do so at their own risk. At that point, should the user choose to download and run files, they have given their consent and assume responsibility.

    Once the infected file is downloaded and opened, installing it into their computer, the infected file has a "call home" feature written into it by the author of Fizzer, which periodically allows the program to access a remote server to automatically update itself. There are many instances of legal programs which also have this feature, so the notion of a program "calling home" is generally understood to be an accepted action. (My HP does that, or did, until I disabled the port it uses) The program would then download any updates posted on the server, at the IP that is set within the program routine itself. This falls into the "implied consent" rule, as the user is allowing the program to do as it was intended.

    In the case of the original Fizzer author, the intention was to give a malicious program updates which would sustain the operation of the program, causing further harm to other users and networks. By accessing the Geocities site, as provided within the Fizzer, and replacing the update with another series of commands that in effect disable Fizzer, any person placing such files would reasonably be acting within the original intent of the Fizzer author, that is to say, supplying updates to the existing program. That the update causes Fizzer to become disabled is of little consequence, as the user has by implied consent allowed any and all further modifications to be implemented to Fizzer. While it is the intent of the original author to cause harm, the persons responsible for the modification which in effect shuts down Fizzer are acting on the premise that they are doing so for the good of all.

    The original Fizzer author also built into Fizzer the ability to connect to various IRC networks, and join particular chat rooms, in order to be further controlled by remote command. The end user, having consented to downloading and installing Fizzer, therefore by implied consent, agrees to allow any and all commands to be issued to their computer via said IRC channels. One example of remote cleaning of computers can be found at http://housecall.antivirus.com

    The long and the short of it is, no one is "modifying" any computer, they are only carrying out the original author's intent of updating Fizzer. That it in effect causes Fizzer to cease to be of further harm is of benefit to all, and would be seen in most courts as an action for the common good. I am aware of several other less publicized actions taken of the same sort, this being the first of its kind as far as coverage by media. It is more a matter of ethics rather than a legal issue, I believe. Ethically, I think it is justified.

    I think it is an innovative, and proper solution to a problem and may have far reaching effects beyond disabling one malicious program. The actions taken do raise legal issues, and with Internet Law a new field, quite a lot of what we do is new to the legal profession, and the law will adapt to this new medium, for the most part, borrowing from current legal precedents.

    On another point, it would be fairly simple to track the original Fizzer author, Geocities should have the IP of whoever first set up the site. I can only hope they are cooperating with investigative agencies.

    --
    Pete Carr Owner Chatmag.com