Slashdot Mirror


Fizzer Worm Uninstalling Itself

boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also posted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."

46 of 434 comments

  1. Re:Huh? by Washizu · · Score: 5, Insightful

    No, the Fizzer runs the code. I think this is a pretty elegant solution to the problem.

    --
    OddManIn: A Game of guns and game theory.
  2. Re:Huh? by Solidblu · · Score: 4, Insightful

    They aren't running code in individual computers. They are merely putting code up which may run on your computer if you have this virus and uninstalls it. I know it sounds bad the way you say it and in general it usually is bad, but the URL is out there if you want to disassemble it and make sure it's just uninstalling. Go ahead. I'm sure other people are interested and doing so. If someone finds out that it is more than just the uninstaller, then we can hang someone.

  3. wow by j0nb0y · · Score: 5, Insightful
    nice hack.


    Now the computer security community gets to have a big debate over whether this was ethical or not...

    --
    If you had super powers, would you use them for good, or for awesome?
    1. Re:wow by Zathrus · · Score: 5, Insightful

      just like if a fireman pulls a victim from a burning building s/he's a hero, but if John Q. Passerby tries to help he's arrested for trespassing.

      Want to show a case proving this? Even vaguely?

      In fact, most states have "Good Samaritan" laws which are specifically designed to protect anyone attempting to save someone else's life against prosecution -- this comes up most often in CPR training, since some bozos have had the gall to try and prosecute the CPR giver for providing CPR and not saving the person's life.

      I'd say you were just a troll, but your posting history doesn't show that. So I'm guessing you're either stupid or grumpy.

      In response to the original question - as long as it's done purely for the purpose of removing the worm in the first place I'd say it's ethical. You could argue that they should also patch the holes that let the worm in in the first place (presuming there were some - I believe Fizzer is just executed by unsuspecting people), but I'd say that's crossing the line -- you have no idea if there was a valid reason for the user to not patch -- it may be that the patch causes issues with their computer. Uninstalling the worm is unlikely to cause problems though, as long as the uninstaller does the job right.

    2. Re:wow by 241comp · · Score: 2, Insightful

      I'm not sure if you heard the entire story. The reason he was arrested was because there were firefighters in the entrance to the house and he broke a window (I believe - or opened one) to get in. This sudden additional inlet of air could have caused a backdraft-type situation (think about the movie). He endangered the firefighters' lives by doing that - all for a dog which the firefighters themselves probably could have saved. It was reckless disregard for the safety of the firefighters. Heck, if someone put your life in serious danger at work while you were saving their personal property wouldn't you want them to be arrested?

  4. Gateway to Thousands of Machines by bjb · · Score: 5, Insightful
    Hey Kids! Want to take over thousands of people's machines? Hack Geocities and install your own 3733t "eYe r0K uR w0RlD" binary at this URL! ...

    I can only imagine that this is now the bullseye for hundreds of crackers who want to compromise people's computers. I hope the honest security people who have "taken control" of this page are making sure every few seconds that their true uninstaller program is there, and not someone else's kRaK program.

    --
    Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
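
The concern above, that the update URL is now a target and that the defenders should keep verifying that their own cleaner is still what is hosted there, is exactly an integrity-monitoring problem. The following is an added example, not code from the Fizzer Task Force or anything on the original page: it computes a SHA-256 digest of the known-good file, then repeatedly fetches whatever is currently hosted and compares digests, raising an alert when the file has been replaced or cannot be retrieved. The cleaner bytes and the three fetcher functions are constructed stand-ins; in practice `fetch` would be an HTTPS GET of the update URL.

```python
import hashlib
import hmac
import time
from typing import Callable, Dict, List

# Constructed stand-in for the staged cleaner's bytes (NOT the real Fizzer cleaner);
# the digest is taken once, from the copy the defenders uploaded.
KNOWN_GOOD_CLEANER = b"CONSTRUCTED-CLEANER-v1: creates %WinDir%\\uninstall.pky"
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD_CLEANER).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_hosted_artifact(fetch: Callable[[], bytes], expected_sha256: str) -> Dict[str, str]:
    """Fetch the currently hosted file and compare its digest with the known-good one.

    `fetch` is whatever retrieves the bytes (an HTTPS GET of the update URL in real
    use); it is injected so the check can run offline here. Verdicts: 'ok',
    'tampered' (content differs) or 'unreachable' (fetch failed).
    """
    try:
        data = fetch()
    except Exception as exc:  # network error, HTTP error, host down ...
        return {"status": "unreachable", "detail": str(exc)}
    actual = sha256_hex(data)
    # constant-time comparison; hex digests are fixed-length strings
    if hmac.compare_digest(actual, expected_sha256):
        return {"status": "ok", "sha256": actual}
    return {"status": "tampered", "sha256": actual, "expected": expected_sha256}


def monitor(fetch: Callable[[], bytes], expected_sha256: str,
            rounds: int, interval_s: float = 0.0) -> List[Dict[str, str]]:
    """Poll `rounds` times and return every non-ok verdict (the alerts).

    A 'tampered' alert is the signal to re-upload the known-good file and
    investigate how the page was changed; 'unreachable' means the infected
    hosts are not getting the cleaner at all.
    """
    alerts: List[Dict[str, str]] = []
    for _ in range(rounds):
        verdict = check_hosted_artifact(fetch, expected_sha256)
        if verdict["status"] != "ok":
            alerts.append(verdict)
        if interval_s:
            time.sleep(interval_s)
    return alerts


# Constructed fetchers standing in for the update URL at different moments.
def fetch_good() -> bytes:
    return KNOWN_GOOD_CLEANER


def fetch_replaced() -> bytes:
    return b"CONSTRUCTED-REPLACEMENT: someone else's binary"


def fetch_down() -> bytes:
    raise ConnectionError("connection refused")


if __name__ == "__main__":
    for name, fetcher in [("good", fetch_good), ("replaced", fetch_replaced), ("down", fetch_down)]:
        print(name, check_hosted_artifact(fetcher, KNOWN_GOOD_SHA256))
    print("alerts over 3 rounds:", monitor(fetch_replaced, KNOWN_GOOD_SHA256, 3))
```

The digest is pinned from the defenders' own copy, not recomputed from whatever is hosted, so a silent swap of the file shows up as `tampered` on the next poll; polling interval and what to do on alert (re-upload, notify the host, pull the page) are the operational choices the comment is really asking about.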
    1. Re:Gateway to Thousands of Machines by Ryan+Amos · · Score: 3, Insightful

      My guess is the fizzer people talked to geocities to gain control of the account. I'd imagine geocities' security is pretty solid, it's NOT hard to secure a box if you REALLY want to. 99.999% of security breaches are from default daemons left on and never updated so the vulnerabilities persist. If you update your software and check your CGIs (the other 0.001% of system breakins come from bad CGIs) for vulnerabilities (as I'm sure geocities has) then you're fine.

  5. Re:wtf? by SComps · · Score: 5, Insightful

    Being that these people are running code on their machine that they have no clue they're actually running.. hammering the piss out of irc networks all over the world, wasting bandwidth, creating havoc and otherwise presenting their computers to whomever wrote this cluster as a gift?

    Yeah.. what adverse effects? Can they be any worse than what's already there? Seems to me if you don't have the worm stop worrying about the effects. If you do have the worm.. get rid of it on your own.

    The rest of us (the IRC Community) have to deal with the threats as they come down the pike.

  6. Re:Nice.. by Loosewire · · Score: 4, Insightful

    i would say not. I think what most virus writers want to do is get a worm that quickly spreads to everyone. Whether it hangs around is of no importance, so having a way it could be disabled after a reasonable amount of time (a few weeks) would not be bad for them. Just like game companies only have copy protection so they get huge sales for the first week or so - they know the protection will be broken but not for a short while afterwards.

    --
    Slashdot - The one stop shop for procrastination
  7. Re:wtf? by BigBir3d · · Score: 2, Insightful

    2 wrongs != right

    It is up to the user to fix this stuff, not some IRC dork that wants to prove his/her mad skillz to the world.

  8. Re:Full Text of Article by Urkki · · Score: 5, Insightful

    But this isn't "mandated" in any way. If you have a computer that automatically downloads and executes a file from a URL, then that's *your* problem, isn't it? Especially since there are ways to avoid such things from happening... (Starting with personal firewall that blocks IE from accessing the network, and use some other browser...)

  9. Do you mean? by codepunk · · Score: 1, Insightful

    Like remove windows?

    --
    Got Code?
  10. Re:wtf? by theLOUDroom · · Score: 4, Insightful

    Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?

    Nope. This is perfectly legal. They aren't breaking any security on the infected machines, and they aren't contacting them.

    All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

    Generally, to have illegally used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.

    Since the remote computer is initiating everything, and all they're doing is answering requests, it would be pretty hard to charge them with unauthorized use of your machine.

    Think of it this way:

    1. The remote computer goes: "What do I do?"
    2. The server goes: "Well, since you're asking, I think you should do this."

    There's no stolen password, and there's no exploit needed.

    Here's another example:

    I put a box on the internet, let's call it pk12.foobar.com. This box is a Linux box which accepts any username/password combo as root, and no notices that it is for private use only. Under NYS law (I'm not sure about federal) you can come along and use any services my box provides, including telnet, http, ftp, etc.

    IMO, if the fix trashes your data, tough shit. Are owners of DDOS zombies held responsible for the damage their computers are doing?

    Morally, this is like parking in front of a hydrant and then bitching because they smashed your windows to run the hose through your car or towed it. It doesn't matter if you knew you were parked in front of the hydrant. Your car was causing a danger and it had to be dealt with. If you don't want that happening to your car, you should make sure you don't park in front of hydrants. It's your car. You are responsible for it.

    --
    Life is too short to proofread.
  11. Re:wtf? by JohnFluxx · · Score: 2, Insightful

    Of course 2 wrongs can make a right.

    Imagine you were in the bizarre situation where you had to shoot a terrorist to stop him from blowing up the entire world, killing everyone.

    It is wrong to kill - but in this situation surely it would be right to.

  12. Re:wtf? by WPIDalamar · · Score: 3, Insightful

    That's not 2 wrongs. It's 1 wrong that avoids another.

    2 Wrongs would be if the terrorist blew up the world, so then you kill him.

    I guess 1 wrong can make a right!

  13. I just Googled uninstall.pky by Madcapjack · · Score: 2, Insightful

    I just googled uninstall.pky at 3:06pm Polish time, and I received 28 results. Let's see how fast this info spreads on Google.

  14. wtf is going on here? by Ender+Ryan · · Score: 5, Insightful
    Am I just being incredibly dense? What are so many here complaining about? How could you possibly consider it to be morally wrong for someone to use a worm's own properties to fight it? People who are "unintentionally downloading and running" this fix were already hacked, and are no longer in control of their machines.

    If someone broke into your house, would you mind if a friendly neighbor quietly followed them in and escorted the intruder out? Or perhaps you'd prefer your neighbor to let the intruder rob you, or whatever they intended to do.

    They also didn't "hack" geocities like some have suggested...

    I dunno, I just don't see anything wrong here.

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
  15. Could be done better... by rulethirty · · Score: 2, Insightful

    Instead of spawning an uninstall-executable perhaps this should spawn a quick harmless executable that will start an Internet Explorer process directing victims to a website warning that they indeed have this trojan and what action they can take to remove it... My $.02...

    1. Re:Could be done better... by mdfst13 · · Score: 2, Insightful

      If I had this worm, I would find the uninstall-executable less intrusive than starting up IE and sending me to a web site. The uninstall only affects the worm's operation. What you are recommending is further cracking my box (admittedly, the box is already cracked, but why go farther). As you are then taking active effort to crack my box, I would regard that as illegal.

      An analogy. I regard this as the equivalent of walking by a car with its windows down in the rain and rolling them up. It's just good citizenship. What you are suggesting is more along the lines of triggering the garage door opener, walking in, and leaving a note saying that the windows are down. Not only is it more intrusive, but it still lets the car get wetter while you are doing it and while you are waiting for people to find your note (which they may do immediately or not). Not to mention the fact that the worm affects other computers more than your computer.

      My $.02

    2. Re:Could be done better... by Moonshadow · · Score: 2, Insightful

      The worm contains uninstall routines. All the "uninstall executable" does is create a file with the appropriate name in the appropriate directory. The worm then picks up this file and uninstalls itself. The file that the worm is now downloading is NOT a traditional uninstaller, but rather, is a simple file creation app. It just creates the blank file and the worm kills itself. It's clearly the cleanest, fastest, easiest solution.

  16. Re:wtf? by Dr_Willie_Feelgood · · Score: 2, Insightful
    People who didn't allow their computers to become 0wnz0red in the first place won't have to worry about it; and frankly, people who did deserve any adverse effects that may occur

    Wrong answer! Try again!

    By your theory, anyone who forgets to lock the door to their house deserves to get robbed.

  17. Pedantic ethic in a vacuum... by xinit · · Score: 5, Insightful
    I still get hits from Nimda and Code Red on my apache server. Plenty of them. I'd be very happy to see those ancient beasties exterminated in just this fashion.

    Sure, it's not ethical on its own to force a download on people... but it is likely MORE ethical than allowing these clueless infected types to continue to infect others.

    If someone's unconscious and bleeding from their head, is it ethical to patch up their head wound without their permission? I'd hope so.

    --
    --- http://foo.ca
  18. Re:Hacked into Geocities? by aonaran · · Score: 3, Insightful

    Would you mind if some stranger came along and pulled the weeds out of your garden?

    I would. I wanted those weeds there, dandelion makes a good salad.

  19. Seems similar to RIAA requests... by dnoyeb · · Score: 3, Insightful

    This seems like what the RIAA wanted permission to do. They believe it's their content so they have access to it no matter where it is.

    I mean this in the context of the Geocities web page. Do they have permission to alter the contents of that page??

    Solution is elegant, but lets be consistent and understand the implications.

    1. Re:Seems similar to RIAA requests... by Washizu · · Score: 3, Insightful

      "This seems like what the RIAA wanted permission to do. They believe it's their content so they have access to it no matter where it is."

      DRM itself isn't wrong, it's just a technology. Government mandated DRM is wrong because it eliminates the choice of using it or not. I don't see how that relates to this situation at all, since no laws say people have to have the Fizzer installed.

      --
      OddManIn: A Game of guns and game theory.
  20. Re:wtf? by theLOUDroom · · Score: 3, Insightful

    First off, can we get some whitespace? Please?

    Good intention does not turn an illegal act into something legal.

    Actually there are plenty of laws which consider intent. Here are the NYS computer crime laws for example. Go ahead, Control-F, type "intent".

    --
    Life is too short to proofread.
  21. inoculation by baldass · · Score: 1, Insightful

    so.. if I were to put a script on my machine in say the /c/winnt/system32/cmd.exe?/c+dir that would inoculate against code red would this be legal? Assuming I knew how to do this..... I still get 30 of these requests a day in my log....
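
Whatever the answer to the legal question, the defensive step that is unambiguously fine is recognising these leftover Code Red and Nimda probes in the web server log (the "30 requests a day" above, and the Nimda/Code Red hits other commenters mention) so the sources can be counted, blocked at the firewall, or reported. The following is an added example, not from the original page or from any commenter: a small Apache access-log scanner that parses each line and tags requests matching the well-known probe patterns: the `cmd.exe` / `root.exe` command paths, the `/default.ida?` buffer-overflow request Code Red sent to IIS, and the encoded `../` traversal sequences Nimda used. The log lines, IP addresses and timestamps are constructed; the signature patterns are the historically documented ones.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Leading fields of the Apache common/combined log format; trailing referer and
# user-agent fields, if present, are ignored by matching only the prefix.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Probe signatures, matched against the requested path. A request may hit several.
SIGNATURES: List[Tuple[str, "re.Pattern[str]"]] = [
    # Code Red: GET /default.ida?NNNN... (the IIS .ida overflow request)
    ("code-red", re.compile(r"/default\.ida\?", re.IGNORECASE)),
    # Nimda / Code Red II follow-ups: direct calls to cmd.exe or the dropped root.exe
    ("cmd-exec", re.compile(r"(cmd\.exe|root\.exe)", re.IGNORECASE)),
    # Nimda directory-traversal variants, plain and Unicode/double-encoded
    ("traversal", re.compile(r"(\.\./|%c0%af|%c1%1c|%255c)", re.IGNORECASE)),
]

# Constructed sample log (RFC 5737 documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/May/2003:15:06:01 +0200] "GET /index.html HTTP/1.1" 200 1234',
    '198.51.100.7 - - [19/May/2003:15:06:02 +0200] "GET /default.ida?NNNNNNNN%u9090%u6858 HTTP/1.0" 404 284',
    '198.51.100.9 - - [19/May/2003:15:06:03 +0200] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290',
    '198.51.100.9 - - [19/May/2003:15:06:04 +0200] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 288',
    '198.51.100.12 - - [19/May/2003:15:06:05 +0200] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 291',
    'this line is not a valid log entry',
]


def classify(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return a finding dict if it matches any signature, else None.

    Unparsable lines also return None (they are counted separately by scan_log).
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path")
    tags = tuple(name for name, pat in SIGNATURES if pat.search(path))
    if not tags:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
            "status": int(m.group("status")), "tags": tags}


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return all probe findings in order of appearance."""
    return [f for f in (classify(l) for l in lines) if f is not None]


def unparsable(lines: List[str]) -> int:
    """Count lines the log regex could not parse (worth eyeballing separately)."""
    return sum(1 for l in lines if LOG_RE.match(l) is None)


def summarize(findings: List[Dict[str, object]]) -> Counter:
    """Probe count per source address: the list you would block or report."""
    return Counter(str(f["ip"]) for f in findings)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["tags"], f["path"])
    print("per source:", dict(summarize(found)))
    print("unparsable lines:", unparsable(SAMPLE_LOG))
```

The scanner deliberately works on the requested path only, because these worms hit any HTTP server regardless of what is installed: a 404 from Apache is the normal outcome, and the value of the log is in the source addresses, which is why `summarize` groups by IP rather than by signature.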

  22. Re:wtf? by Fulcrum+of+Evil · · Score: 2, Insightful

    It is wrong to kill

    Obviously not. If someone is trying to kill me, I am well within my rights to kill him first. It is only murder that is wrong.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  23. definitely a good thing. by theflea · · Score: 5, Insightful

    After reviewing the arguments, I've concluded this is a good thing. Maybe even a necessary thing. Here's why:

    Have you ever tried to explain to an end user what a virus is and how it works? Few have a decent understanding of what viruses are all about. Even folks with a technical background have a hard time keeping up with them, and knowing all the types.

    As operating systems and viruses get more complicated, this gap will only get wider. I saw that article/paper arguing that as computers become almost biological in complexity, they must be able to fix their own minor problems. Same type thing.

  24. Re:Full Text of Article by Urkki · · Score: 3, Insightful
    Yes, but the people who put the file there cannot really claim that they didn't know that the file would be downloaded without the knowledge of computer users onto their machine. They could have just deleted the file.

    I guess that would make them liable to pay damages if their removal code did some damage, and doing something like that is sticking their necks out to be chopped off. Which makes them either unselfish and brave, or stupid.

    Too bad there really isn't any "real-world" analogy for this case... I'm having a hard time deciding if they did wrong or right. I guess I consider myself to be enough of an anarchist that I must support this kind of positive activism ;)

  25. Re:Huh? by secolactico · · Score: 4, Insightful

    Especially Freenet.

    Yup. Untraceable, but probably useless if you want to use machines behind nat/firewall.

    Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

    This was the idea behind the Curious Yellow concept. It was featured on Slashdot a while ago.

    --
    No sig
  26. Re:wtf? by BigBir3d · · Score: 2, Insightful

    I was referring to unrequested code being run on computers on my network. Fizzer_bad and Fizzer_good should not be there. And there is no verification that Fizzer_good is actually that. Sounds like the perfect way to launch spyware with everyone saying "thank you, may I have another."

  27. Re:wtf? by ceejayoz · · Score: 3, Insightful

    That page belongs to Geocities, as the worm author had violated the TOS by performing illegal activities with their account. Geocities thus can give out the old account to whoever they want.

  28. Re:Huh? by Anonymous Coward · · Score: 1, Insightful

    Unfortunately, by the same argument...

    the telnet daemon runs login, login runs a shell, and the shell executes the code.

  29. Re:*Sigh* by connorbd · · Score: 2, Insightful

    Though admittedly "Digital Copyright Millennium Act" is perfectly accurate...

    (mod self -1, Silly) /Brian

  30. Something wrong here? by Monofilament · · Score: 3, Insightful

    Ok .. i don't know much about Fizzer.. but if its keeping itself alive by self updating off of a geocities site, AND WE KNEW THIS. Why the hell didn't geocities just take the site off?

    I mean I can't even link a picture from geocities to another site.. but Geocities lets this worm update itself from something on the webpage?

    Even past that i saw something mentioned about bandwidth.. if Fizzer is that bad wouldn't its constant updating overload the free bandwidth from the geocities site?

    Educate me please.. I'm kinda confused here.

    --
    Who makes you Sig?
  31. how is this ok and code green wasn't? by dougnaka · · Score: 5, Insightful
    For those of you who are not familiar Code Green was an anti-code red listener that would automatically connect to an attacking code red infected server and clean it up. link to news story about code green People in the "security community" were inflamed, and the general consensus was that this was illegal, and many people, myself included, decided not to install code green. Now, code red attacks are still common in my server logs..

    Looks like it's better to ask forgiveness than seek permission.

    --
    My Linux Command of the Day site : LCOD
  32. Re:Huh? by Anonymous Coward · · Score: 4, Insightful

    This is using an existing virus to hijack your computer. That is a dangerous precedent. In this case, it is a good thing. But what happens when, say zonelabs decides that it should let the police crack your computer in their search for child pornography? Or when AOL decides that it is their best interests to install a backdoor in winamp that phones home when suspected pirate music is played? Or when Microsoft determines your Windows OS is in violation of the latest version of your Hotmail licensing agreement? All in the name of goodness and decency, y'know?

    Realistically, I'm not opposed to the act. It's a good solution to a real problem. But it is more important to maintain civil order. If there was a government approval along the lines of a search warrant to do this, then I say okay. Not that I trust the government, or think it is competent in these matters, but this is what the government should do. It's got its hand in a lot of pies where it doesn't belong, but its real purpose is civil order and public defense.

  33. Re:Full Text of Article by sjames · · Score: 2, Insightful

    How is automatically downloading an antivirus any more legal or ethical than automatically downloading a virus without user permission?

    Essentially, the same way the fire department has implied permission to save your house and pets should your house catch fire when you are unreachable.

    That is, the worm presents a danger to other people's property (servers) and it's a good bet that anyone having it would sincerely like it to be gone. Anyone who WANTS the worm to remain, AND hasn't isolated it from the rest of the net is necessarily deliberately spreading it, and so is guilty of a felony.

  34. worm should have used DRM kind of stuff. by Luzumsuz+Lazim · · Score: 3, Insightful

    Well, the next time, the author of the worm will probably be more careful in writing the code that executes the update package which is SIGNED by her private key. So, this kind of (elegant) solution won't do the trick...

  35. Re:Huh? by Nightpaw · · Score: 1, Insightful

    How do you feel about fire trucks running red lights?

  36. Re:Full Text of Article by sjames · · Score: 2, Insightful

    But they don't have implied permission, they have explicit permission from an elected government (at least here). In this case the people doing this are akin to a band of vigilantes, something that civilised societies all over the world have rejected in the real world.

    They are more like a volunteer fire department. In the absence of an appropriate civil authority, sometimes, citizens must get together to do the appropriate thing.

    Vigilantism is an act of ignoring an existent and appropriate civil authority in order to take independent action.

  37. Legal concept: spoliation of evidence by Anonymous Coward · · Score: 1, Insightful

    Releasing Fizzer may be a crime in some jurisdictions. The registry changes made by Fizzer may constitute evidence of this crime. A potential concern is whether this distribution of uninstall.pky could lead to destroying relevant evidence. People may want to consult the legal literature about "third-party spoliation of evidence".

  38. Re: by ukyoCE · · Score: 2, Insightful

    I think you're flat-out wrong. Motive (and results) are very important.

    If a burglar drops his gun, and you pick it up and shoot the burglar, that is a good (and usually legal) thing. If you pick up the gun and shoot the bank teller, you're gonna fry. That should be obvious.

    Using an exploit to remove the exploit is a pretty good idea. Of course it should be tested beforehand, and shouldn't do anything risky (like deleting infected files). In this case they said all it does is remove the registry keys that Fizzer adds. That isn't a very risky thing to do, and I'm sure they still tested it beforehand.

    What they did is perfectly legal and a very good idea for everyone involved. This isn't at all similar to the RIAA using an exploit to delete your files, or Microsoft using their own program to subvert security on your computer.

  39. Re:wtf? by theLOUDroom · · Score: 3, Insightful
    OK then, what about all those exploits in web pages -- URLs, malformed html, etc? If you put a poison html page that you *know* is going to cause a certain version of IE or Mozilla viewing it to do something the user never intended, do you really think you can hide behind the "All I was doing was answering requests!" defense? Or what if you managed to get Microsoft's private key for WindowsUpdate, and intercepted people's requests for updates, giving them "updates" that allow you to 0wnz0r their machines. Hey, you didn't install it, you just answered requests! Yeah, see if a jury buys that one.

    In your examples a deception, misrepresentation, or a deliberate circumvention of existing security mechanisms is being employed. None of these things are happening here.

    In the situation at hand neither of these things is happening. The worm is looking for an .exe at foo.com, and it's getting an .exe at foo.com. The people aren't tricking the computers into coming there or executing anything. These computers were already scheduled to visit the site and execute whatever's there before they ever got involved.

    they haven't tested this update on a wide variety of systems, and it may cause a lot of damage and data loss. It's not their place to make that kind of a decision.

    Cry me a river. These systems are already hacked. If you want your system to be reliable, you shouldn't have worms on it. It's not like this is the first day Fizzer hit or something.

    If you don't want your system to automatically download and execute code at a certain URL, why don't you make sure your system doesn't do so?

    I wouldn't be surprised if this method was totally legal.
    1. If they were SSHing into the infected machines, you could consider that unauthorized access, but that's not happening. All they're doing is placing a file on a geocities page. The HTTP client/server thing is pretty clear, besides they don't even control the server. Even if you try and argue that the geocities server is accessing the client, the task force isn't in control of it.
    2. If they were IP spoofing or redirecting traffic, that would probably be illegal, but that's not happening.
    3. If they were taking advantage of a buffer overflow, or some other exploit to accomplish this, that would be illegal. Not so.
    4. If there was an intent to do harm, then knowingly putting the program there to do so would probably be illegal. Not happening either.


    How about this: Why don't you try and tell me what law you think they're actually breaking?

    Normally, I would be against any sort of "hack them back" actions, but I just can't see how this is hacking them. If the infected machines were just checking the webpage for the word "monkey", would adding the word monkey to that page be illegal? I just can't see how it would be.
    --
    Life is too short to proofread.
  40. Re:Huh? by Chump1422 · · Score: 3, Insightful

    I am a law student, and that post is missing some important facts. The police would have to have a warrant to search your HD, no matter if Zonelabs let them or not. As for the other two scenarios, they can happen right now. It's a matter of contract law and whether or not the EULA allows it and will stand up in court.

    Be realistic. They're not hijacking your computer. They're removing a virus.

    Don't rely on this advice, though. I am just a student.