Slashdot Mirror


Fizzer Worm Uninstalling Itself

boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also posted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."

29 of 434 comments

  1. Huh? by keesh · Score: 2, Interesting

    They're intentionally running code on people's machines without their permission?

    1. Re:Huh? by Anonym0us+Cow+Herd · Score: 5, Interesting

      It would have been smarter for the worm to verify a signature on the code it downloads.

      Even better, it should not go to a hardcoded URL. This makes it too easy for the enemy to take over a vulnerable web page and attack the worm operation.

      The worm should download its code via P2P, maybe IRC, or maybe even Freenet. Especially Freenet. This way, the more the worm updates are requested, the more they replicate.

      Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

      Finally, you had better not be shown to have the private key when the bad guys come knocking.

      --
      The price of freedom is eternal litigation.
    2. Re:Huh? by Erasmus+Darwin · Score: 2, Interesting

      "So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable."

      Except that they went out of their way to deliberately place this executable where they knew an automated process (which was almost certainly installed without user consent) would execute it from. While I agree with the notion of trying to clean up the Fizzer worm, it's possible they may be going about it in a way that's less than legal (despite a lack of harm being done).

    3. Re:Huh? by Keebler71 · Score: 3, Interesting

      Aren't they violating the DMCA in doing this? After all, they reverse engineered the virus' code and are interfering with its copy mechanism... do I need to say "copy protection"? :)

      --
      "It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
    4. Re:Huh? by Nogami_Saeko · Score: 4, Interesting

      And it could be argued that people who let viruses like this onto their machines have no training, are incompetent, and need to have experts solve their problems for them.

      Let's try another analogy then:

      Let's say that you are just an average person going in to get a flu-shot at the doctor.

      The flu vaccine wasn't manufactured correctly and has a small amount of contamination that causes people to become slightly feverish. It's not fatal, but it's uncomfortable.

      The health authorities, rather than trying to re-vaccinate everyone affected, put the cure (100% safe and effective) into the public water system to help everyone as quickly as possible, prevent the spread of the problem, etc.

      How do you feel?

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
  2. wtf? by User+956 · Score: 1, Interesting

    Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?

    --
    The theory of relativity doesn't work right in Arkansas.
    1. Re:wtf? by kiwimate · Score: 2, Interesting

      Being that these people are running code on their machine that they have no clue they're actually running...

      Exactly. As opposed to Windows Update, which (coincidentally) was vilified just yesterday on these hallowed pages, and will prompt you to allow the update unless you've explicitly turned it off.

      Oh wait...

    2. Re:wtf? by calethix · Score: 2, Interesting

      " Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?"

      I don't know why this is modded as flamebait. I think it's a perfectly valid question. Especially with all the people on slashdot that complain about Windows Update breaking more things than it fixes.

      I agree that this now self worm is a good thing and I don't really know what exactly it does but what if there's some infected computer that the fix has an adverse effect on? Are they going to be liable for it?

    3. Re:wtf? by Anonymous Coward · Score: 1, Interesting

      It would be nice if the worm removal code emitted an obvious message to the system owner to let them know they have at least one problem.

    4. Re:wtf? by Proaxiom · Score: 3, Interesting

      All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

      RIAA's counterpoint:
      All we're doing is putting a virus-infected MP3 file on our own machines and running KaZaA. It's not our fault that people download it and run it on exploitable software.

      Is there a difference here?

      Truthfully, maybe not. If somebody had hacked the geocities page in question and caused fizzer to completely toast the OS it's running on, that would certainly be illegal (even if the person was not the original creator of fizzer). The fact that you are doing something good does not necessarily factor into the law.

      However, the key point here is this: nobody is about to go out and sue the Fizzer Task Force for doing this. We are all pretty happy about it, and most of us think it's a pretty clever solution to a real problem.

  3. Hacked into Geocities? by Salamanders · Score: 5, Interesting

    ...now control the update page...

    At what point does the vigilante hacking become acceptable when fighting against Something Bad?

    If this worm updated itself from a random group of computers that it had infected (say for example, yours), would you mind if they took control of your computer if it meant stopping the worm?

    1. Re:Hacked into Geocities? by rillian · Score: 3, Interesting

      If they do a good job without breaking anything else or causing additional inconvenience I wouldn't mind at all. Would you mind if some stranger came along and pulled the weeds out of your garden? It's like they're doing system administration for free; if their interest and yours is in improving the state of the networks commons, such division of labor is only an efficiency.

      People get concerned about security as an end unto itself, forgetting the real world is messier than that. An excess of control can be as wasteful as a deficit. What's good for the RIAA is good for us too. It's never good to be a battleground of course, but ants in the basement are better than roaches in the kitchen. If the one prevents the other, why not?

      Thus we should patch security holes not to keep someone from using a few resources we wouldn't miss, or indeed use in the meantime, but because someone might combine those resources with ten thousand other compromised machines to perform a nuisance attack on another host, or with ten million to do the same to the net at large.

  4. Quota? by 42forty-two42 · Score: 4, Interesting

    Why isn't the geocities site saying it's 'bandwidth exceeded' or something?

  5. Nice.. by Komarosu · Score: 3, Interesting

    Guess that's another thing worm writers will pick up... don't have autoupdate from a website; without that little "feature" the worm would probably hang around for a lot longer.

    --

    "What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
  6. Antivirus companies' advice by 42forty-two42 · Score: 4, Interesting

    From the F-Secure page:
    The current variant of the worm can uninstall itself if a file with the following name is found in the Windows main directory:

    Uninstall.pky

    When the worm finds a file with this name, it kills all its tasks and removes its registry keys thus disinfecting a system.
    [...]

    To get rid of the worm, it is enough to delete its files from the Windows main directory and from the Kazaa shared folders. Please download and execute the following Registry patch:

    Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...
  7. Re:wow by ch-chuck · Score: 2, Interesting

    If it's done by an 'official' security agency with govt. approval then it's ethical, if it's done by a netizen vigilante group then it's not ethical - just like if a fireman pulls a victim from a burning building s/he's a hero, but if John Q. Passerby tries to help he's arrested for trespassing.

    --
    try { do() || do_not(); } catch (JediException err) { yoda(err); }
  8. Re:Full Text of Article by Realistic_Dragon · Score: 2, Interesting

    But this isn't "mandated" in any way. If you have a computer that automatically downloads and executes a file from a URL, then that's *your* problem, isn't it?

    Yes, but the people who put the file there cannot really claim that they didn't know that the file would be downloaded without the knowledge of computer users onto their machine. They could have just deleted the file.

    Especially since there are ways to avoid such things from happening... (Starting with personal firewall that blocks IE from accessing the network, and use some other browser...)

    Indeed, I have little pity for anyone who chooses to use IE.

    --
    Beep beep.
  9. DMCA violation? by dcavanaugh · Score: 3, Interesting

    Hmmm... hijacking a web page to interfere with the virus' self-update. Is this an illegal "circumvention" of a "protection feature" in this copyrighted program (regardless of how it's installed)?

    Don't get me wrong; I applaud the efforts of the virus busters; I just figured it was yet another example of unintended DMCA side-effects.

  10. Props to the White Hats by Sergeant+Beavis · Score: 3, Interesting

    It's nice to see some people just looking to do some good.

    --
    There is nothing inherently safe about liberty. That's why so many people died protecting it.
  11. But 3 Lefts Do! by Greyfox · Score: 3, Interesting

    The two evils in question:

    1) Run the risk of potentially damaging people's computers by running code on them that hasn't been thoroughly tested on all platforms.

    2) Leave a massive network of compromised systems in place which could be used to launch a massive DDOS against banks, internet connected water and electrical grids or law enforcement networks.

    IIRC (IANAL) the law gives you a good amount of latitude in defending others. This includes the little-used ability to make a citizen's arrest and also allows you to kill to protect others in some circumstances.

    I'd put my money on the correct choice being to remove the weapon from the hands of the criminals.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  12. Re:wow by Zak3056 · Score: 2, Interesting

    Want to show a case proving this? Even vaguely?

    There was an instance about two months ago of a man whose apartment was on fire running into the burning building to save his dog. The fire department had the police arrest him.

    The FD did not want to enter the building because it was too hot/dangerous, and wanted to let the hoses cool things down a bit at first (a perfectly sane decision, IMHO, since there was no human life at stake.) The pet owner didn't like that idea, so took matters into his own hands.

    The reason for his arrest is he "put the lives of firefighters and others at risk" by his "reckless" actions.

    Not EXACTLY what the original poster was talking about, but fairly close.

    --
    What part of "shall not be infringed" is so hard to understand?
  13. Re:Seems similar to RIAA requests... by ceejayoz · Score: 3, Interesting

    They most likely contacted Geocities and asked for access to the account so they could stop the worm.

  14. Re:Pedantic ethic in a vacuum... by Anonymous Coward · Score: 1, Interesting

    If someone's unconscious and bleeding from their head, is it ethical to patch up their head wound without their permission? I'd hope so.

    No, don't move them and call for help. They are very unlikely to bleed to death from a head injury and you will do more damage than good. I hope you understand now, but I doubt it.

  15. Re:wtf is going on here? by httptech · Score: 4, Interesting

    More and more worms and viruses are going to crush the internet under their weight if they are not stopped somehow. It's somewhat akin to the wild west here... there is no "law" that can contain these hostile entities. It's up to the town affected to form a posse and take care of business.

    A look at the ethical issues involved in "hacking-back" was written by a cow-orker of mine. It looks at different ethical systems and how they might be applied here.

    It's called "Crossing the Line: Ethics for the Security Professional"

  16. Re:Pedantic ethic in a vacuum... by Anonymous Coward · Score: 1, Interesting

    Wow. Way to fucking miss the point.

  17. Re:Full Text of Article by zogger · Score: 2, Interesting

    No, "vigilantes" have not been rejected, not even close. I can hire a private security guard, and I can also band together with my neighbors for mutual self defense. If I see an obvious stranger breaking into my neighbor's house, I can go over and stop him, OR call the cops, OR both. And ESPECIALLY if "government" has proven itself over and over again to be ineffectual, like they once again have shown here. And what's the alternative, do you REALLY want a huge new bureaucracy of government cyber cops, beyond what we have now? I sure don't, I'd rather leave the net alone, let the victims be able to FIGHT BACK.

    It's just the word got hijacked by the pansy PC police. People are too scared for self defense any more, a lot of them anyway, they want nanny government to always be there for them. Government has its place, but it's not the entire total solution to crime.

    In this instance and other instances, government is 20 years behind when it comes to dealing with spam, viruses, etc. Ya, they passed a few laws, whoopedy zing, they haven't stopped any crime, they haven't stopped or even cleaned up one virus or worm that I am aware of, except off their own computers. At best, government usually just reacts to crime after the fact, and most of the time they don't even get that right.

    Frankly, I'd like to see open relays that are hijacked treated this way, maybe a screen pops up HEY, QUIT SENDING ME SPAM, MORON!

    then maybe people would start to take more proactive measures with their computers, or demand the OS and app vendors to do a better job.

    Maybe, don't know, but if someone hacks me, or infects my box, I claim the right to fight back, to use whatever self defense is at my disposal, same as when I am out and about on the street. These poor IRC people are doing all they can do, or should a worm writer have the right to just destroy their networks?

    I don't see any problem with this thing, none, good for them to do something actually effective. Same as spamming spammers, tough luck for those nimrods.

    I LIKE good old fashioned in your face instant karma justice, I LIKE to be "vigilant". If we had more of it, there would be less crime. People talk about the old "wild wild west", but if you research it, with only a few exceptions it had much less crime than what we have now, the only difference is, the crime fighting was mostly done by the victims. It's not perfect, but nothing else is either, is it?

  18. Re:Seems similar to RIAA requests... by Zaknafein500 · Score: 1, Interesting

    They're just putting a file out on a web page. It's people's choice (since they chose to become infected) to download and execute it. More power to the team. A nice way of eradicating a nuisance.

    --

    "The guide is definitive, reality is frequently inaccurate."
  19. Re:Seems similar to RIAA requests... by Moonshadow · Score: 3, Interesting

    What actually happens is that there's a series of update sites hardcoded into the worm. Reddog (A Magicstar op) found one of them that "Sparky" hadn't registered yet, registered it, and put up the update file with the uninstaller.

    Pure genius, really.

    Mad props, Reddog. :)

    -- Antiarc

  20. Re:Seems similar to RIAA requests... by Moonshadow · Score: 2, Interesting

    Yes, there is a binary out there. It's also encrypted (PE compressed, actually) - I doubt you have the resources to decrypt it and alter the binary. The people hacking on it were able to find the strings it contained by infecting their own machines and using WinHex to stroll through RAM. If we'd been able to decrypt it, things would have been a lot easier.