Fizzer Worm Uninstalling Itself
boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also posted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."
Just a quick note to say that we (we as in Fizzer Task Force/IRC Unity)
now control the update page, and have posted a mirror of the
http://www.debugoutput.com/fizzer.php site on the geocities website that
fizzer uses to update itself.
We have also posted a fizzer cleaner to the actual URL that the bot
downloads its updates from, as a self extracting and running executable.
We're crossing our fingers that the bots are looking for an executable
to update themselves..
We'll keep you updated..
Regards,
--
John McGarrigle
IC5 Networks
Not really, the worm initiated the connection from the user's machine, downloaded the software and executed it - it was pulled by the client not pushed by the server. So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable.
The worm chooses to go and update itself from this site; this code is an update that tells it to die. So, if you choose to run the worm, consciously or not, that worm will go get updates regularly, unless you do something to stop it. This particular update just disables it.
Also, intent does factor in to laws. What you intend to do can affect what kind of crime you are guilty of, or even if you are guilty at all.
We now control the update page because a particularly observant FTF member noticed that geocities had deleted the page, and registered it for themselves. No hacking involved.
Next time try doing a little research (like asking in the IRC channel) before posting.
Had anybody bothered following the link to the geocities page before posting the story, they would have seen that the file was "removed for the time being, until further testing on Fizzer's update routine can be done." There has been a great deal of argument in #fizzer as to the legality of such things, and I do not believe that the Fizzer Task Force as a whole decided to do anything of that sort.
No. You are not running the code. The worm downloads it from the site and runs it. You are just making the code available.
:-(
On the other hand, according to a more recent report, this method does not seem to work so far for the Fizzer worm.
Yeah, considering the worm never really got anything from that site in the first place, because the geocities account never existed.
From http://www.livejournal.com/users/kalyan/84241.html
Not exactly.
All I want is a kind word, a warm bed and unlimited power.
That's actually what the de-fizzer executable was designed to do. Unfortunately, it looks like there are timing/logic issues with the update that haven't been worked out (different threads of the worm are run conditionally, at different times)
Another vector that people (including myself) are working on is using the "PING" buffer overflow to launch the self-destruct mechanism from the IRC server.
My submission:
2003-05-15 16:36:12 Fizzer Worm Self-Destruct Sequence Triggered by Fizzer Task Force (articles,security) (rejected)
In one, a man jumped up(!) to a burning second story building to rescue a trapped dog that was barking for help.
In the second, a man rescued a person.
In both cases, they were arrested, and it made the local news. Now admittedly, they may (and probably will) be acquitted, but this is not the point.
-dave-
Use BearShare for all your p2p needs!
The pig browse. With Google. Sigh is to the chicken. Chicken is fool. Giggle. The DailyWTF giggle.
They didn't install anything on anyone's machine. They put something on a website. End of story.
Yes it does, if I kill someone because I dislike them, that's murder. If I kill them because they were trying to kill me, that's self-defence. The only difference here is my intent.
There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
More interesting, that guy is simply wrong. He lists the page as being:
http://www.geocities.com/spkyupdate/upd1.jpg
when in FACT the page is:
http://www.geocities.com/updatesparky/sp1.7ls
Of course, the detective work I had to do to locate this information consisted of READING THE COMMENTS from the actual page you linked to.
Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!
As secolactico (UID:519805) pointed out, Fizzer could be upgraded to a Curious Yellow class worm.
And I worked out how to kill it in a post in the Curious Yellow Discussion.
Subsequent posters suggested that designing a worm using crypto and a truly distributed architecture would make us a lot less smug in future.
We've been warned, folks. What are we going to do about it?
All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.
Generally, to have illegally used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.
Except that the "access control mechanism" is already broken. The [illegal] virus has already set up shop on that PC. The "fix" merely exploits the behavior of the virus to get a file onto your PC.
Put another way: Just because you didn't create the *original* hole, doesn't give you *any* right to crawl into it on your own.
Put another way: If your software ends up on my machine, ends up *running* on my machine, and I didn't agree to have it there, or run it, you're still in the wrong, no matter your intentions.
So, for the sake of my argument, and because it's what the fix really is, I'm going to call it what it is: an EXPLOIT.
Those infected with the virus are pretty fortunate that the folks who posted the exploit to the Geocities site were well-intentioned folks, instead of someone with more destruction in mind.
Had a black-hat type gotten to the Geocities page first and posted an even _more_ malicious exploit, I have a feeling the opinions here would be very different. If it were the RIAA or the MPAA?!? Look out, man! The bitching and moaning would never cease.
But, it's the whole road to hell/good intentions pavement thing. Eh.
Ed R. Zahurak
You know, oblivion keeps looking better every day.
FYI, Code Green was more like Code Red in that it actively scanned for vulnerable servers... but there were other ones that listened for Code Red attacks then counter-attacked and patched... can't find any now... work and all...
My Linux Command of the Day site : LCOD
For those who missed the point, the issue is their access to the Geocities webpage, nothing more nothing less.
There is one documented case of HIV transmission through mouth to mouth. The carrier had severe periodontal disease (bleeding gums).
Apocalypse Cancelled, Sorry, No Ticket Refunds