Fizzer Worm Uninstalling Itself
boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also posted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."
...now control the update page...
At what point does the vigilante hacking become acceptable when fighting against Something Bad?
If this worm updated itself from a random group of computers that it had infected (say for example, yours), would you mind if they took control of your computer if it meant stopping the worm?
Why isn't the geocities site saying it's 'bandwidth exceeded' or something?
Guess that's another thing worm writers will pick up... don't have autoupdate from a website; without that little "feature" the worm would probably hang around for a lot longer.
"What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
Hmmm... hijacking a web page to interfere with the virus' self-update. Is this an illegal "circumvention" of a "protection feature" in this copyrighted program (regardless of how it's installed)?
Don't get me wrong; I applaud the efforts of the virus busters; I just figured it was yet another example of unintended DMCA side-effects.
It's nice to see some people just looking to do some good.
There is nothing inherently safe about liberty. That's why so many people died protecting it.
1) Run the risk of potentially damaging peoples' computers by running code on them that hasn't been thoroughly tested on all platforms.
2) Leave a massive network of compromised systems in place which could be used to launch a massive DDOS against banks, internet connected water and electrical grids or law enforcement networks.
IIRC (IANAL) the law gives you a good amount of latitude in defending others. This includes the little-used ability to make a citizen's arrest and also allows you to kill to protect others in some circumstances.
I'd put my money on the correct choice being to remove the weapon from the hands of the criminals.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
It would have been smarter for the worm to verify a signature on the code it downloads
Even better, it should not go to a hardcoded URL. This makes it too easy for the enemy to take over a vulnerable web page and attack the worm operation.
The worm should download its code via P2P, maybe IRC, or maybe even Freenet. Especially Freenet. This way, the more the worm updates are requested, the more they replicate.
Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.
Finally, you had better not be shown to have the private key when the bad guys come knocking.
The price of freedom is eternal litigation.
RIAA's counterpoint:
All we're doing is putting a virus-infected MP3 file on our own machines and running KaZaA. It's not our fault that people download it and run it on exploitable software.
Is there a difference here?
Truthfully, maybe not. If somebody had hacked the geocities page in question and caused fizzer to completely toast the OS it's running on, that would certainly be illegal (even if the person was not the original creator of fizzer). The fact that you are doing something good does not necessarily factor into the law.
However, the key point here is this: nobody is about to go out and sue the Fizzer Task Force for doing this. We are all pretty happy about it, and most of us think it's a pretty clever solution to a real problem.
They most likely contacted Geocities and asked for access to the account so they could stop the worm.
A look at ethical issues involved in "hacking-back" was written by a cow-orker of mine. It looks at different ethical systems and how they might be applied here.
It's called "Crossing the Line: Ethics for the Security Professional"
Aren't they violating the DMCA in doing this? After all, they reverse engineered the virus' code and are interfering with its copy mechanism... do I need to say "copy protection"? :)
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
And it could be argued that people who let viruses like this onto their machines have no training, are incompetent, and need to have experts solve their problems for them.
Let's try another analogy then:
Let's say that you are just an average person going in to get a flu-shot at the doctor.
The flu vaccine wasn't manufactured correctly and has a small amount of contamination that causes people to become slightly feverish. It's not fatal, but it's uncomfortable.
The health authorities, rather than trying to re-vaccinate everyone affected, put the cure (100% safe and effective) into the public water system to help everyone as quickly as possible, prevent the spread of the problem, etc.
How do you feel?
"Nothing strengthens authority so much as silence." - Charles de Gaulle
What actually happens is that there's a series of update sites hardcoded into the worm. Reddog (A Magicstar op) found one of them that "Sparky" hadn't registered yet, registered it, and put up the update file with the uninstaller.
:)
Pure genius, really.
Mad props, Reddog.
-- Antiarc