Slashdot Mirror


Fizzer Worm Uninstalling Itself

boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also posted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."

116 of 434 comments

  1. Huh? by keesh · · Score: 2, Interesting

    They're intentionally running code on peoples' machines without their permission?

    1. Re:Huh? by Washizu · · Score: 5, Insightful

      No, the Fizzer runs the code. I think this is a pretty elegant solution to the problem.

      --
      OddManIn: A Game of guns and game theory.
    2. Re:Huh? by Solidblu · · Score: 4, Insightful

      They aren't running code on individual computers. They are merely putting code up which may run on your computer if you have this virus, and it uninstalls it. I know it sounds bad the way you say it, and in general it usually is bad, but the URL is out there if you want to disassemble it and make sure it's just uninstalling. Go ahead. I'm sure other people are interested and doing so. If someone finds out that it is more than just the uninstaller, then we can hang someone.

    3. Re:Huh? by Albanach · · Score: 5, Informative

      Not really, the worm initiated the connection from the user's machine, downloaded the software and executed it - it was pulled by the client not pushed by the server. So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable.

    4. Re:Huh? by scalis · · Score: 5, Funny

      I'm SURE this must violate the Fizzer EULA somehow; in fact FizzerCorp has set their legal department to work on this right now!

      --

      True ravers don't need drugs
    5. Re:Huh? by UnderAttack · · Score: 2, Informative

      No. You are not running the code. The worm downloads it from the site and runs it. You are just making the code available.

      On the other hand, according to a more recent report, this method does not seem to work so far for the Fizzer worm :-(

      --
      ---- join dshield.org Distributed Intrusion Detec
    6. Re:Huh? by Ed+Avis · · Score: 4, Funny

      It would have been smarter for the worm to verify a signature on the code it downloads (a la Xbox) so it couldn't be disabled in this way. Trusting a particular Geocities URL is just silly.

      --
      -- Ed Avis ed@membled.com
    7. Re:Huh? by Anonymous Coward · · Score: 2, Funny

      As you state, it was done without lace from any mall. I believe it was also done without mallets, mallards, malaprops, and mallrats.

    8. Re:Huh? by WPIDalamar · · Score: 5, Funny

      Viruses should put EULAs on them! I mean, how many times do you see them posted to bugtraq, or dissected and discussed? This is a clear violation of the copyright the author has on the code!

      Of course, I'd love to see that author try to sue someone over it.

      Cracker: He stole my virus.
      Judge: I award you $1000 in damages, and 20 years in jail.

    9. Re:Huh? by Anonym0us+Cow+Herd · · Score: 5, Interesting

      It would have been smarter for the worm to verify a signature on the code it downloads

      Even better, it should not go to a hardcoded URL. This makes it too easy for the enemy to take over a vulnerable web page and attack the worm operation.

      The worm should download its code via P2P, maybe IRC, or maybe even Freenet. Especially Freenet. This way, the more the worm updates are requested, the more they replicate.

      Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

      Finally, you had better not be shown to have the private key when the bad guys come knocking.

      --
      The price of freedom is eternal litigation.
    10. Re:Huh? by Erasmus+Darwin · · Score: 2, Interesting
      "So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable."

      Except that they went out of their way to deliberately place this executable where they knew an automated process (which was almost certainly installed without user consent) would execute it from. While I agree with the notion of trying to clean up the Fizzer worm, it's possible they may be going about it in a way that's less than legal (despite a lack of harm being done).

    11. Re:Huh? by secolactico · · Score: 4, Insightful

      Especially Freenet.

      Yup. Untraceable, but probably useless if you want to use machines behind nat/firewall.

      Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

      This was the idea behind the Curious Yellow concept. It was featured on Slashdot a while ago.

      --
      No sig
    12. Re:Huh? by nocomment · · Score: 4, Funny

      FizzerCorp is too busy to sue. They are trying to prepare their defense to say that in fact fizzer does _NOT_ contain SCO code.

      --
      /* oops I accidentally made a comment, sorry */
      /* http://allyourbasearebelongto.us */
    13. Re:Huh? by facelessnumber · · Score: 5, Funny

      Oh, that's a great idea! How about a flashing red popup window, that says "Your computer may have a VIRUS! Punch the monkey to remove it!"

      ...Would you click it?

    14. Re:Huh? by Tuna_Shooter · · Score: 2, Funny

      I'm just wondering why someone doesn't release a "Fizzer" - "Code-Red" type of worm that will actually FIX some of Redmond's holes..... seems kinda logical, don't ya think ???

      --
      *--- Sometimes a majority only means that all the fools are on the same side. ---*
    15. Re:Huh? by Anonymous Coward · · Score: 4, Insightful

      This is using an existing virus to hijack your computer. That is a dangerous precedent. In this case, it is a good thing. But what happens when, say, Zonelabs decides that it should let the police crack your computer in their search for child pornography? Or when AOL decides that it is in their best interests to install a backdoor in Winamp that phones home when suspected pirate music is played? Or when Microsoft determines your Windows OS is in violation of the latest version of your Hotmail licensing agreement? All in the name of goodness and decency, y'know?

      Realistically, I'm not opposed to the act. It's a good solution to a real problem. But it is more important to maintain civil order. If there was a government approval along the lines of a search warrant to do this, then I say okay. Not that I trust the government, or think it is competent in these matters, but this is what the government should do. It's got its hand in a lot of pies where it doesn't belong, but its real purpose is civil order and public defense.

    16. Re:Huh? by apdt · · Score: 4, Funny

      Hmmm... yes, it seems as though this is opening a can of worms...

      Sorry, I couldn't resist it.

      --
      I lay awake last night wondering where the sun had gone, then it dawned on me.
    17. Re:Huh? by Keebler71 · · Score: 3, Interesting

      Aren't they violating the DMCA in doing this? After all, they reverse engineered the virus' code and are interfering with its copy mechanism... do I need to say "copy protection"? :)

      --
      "It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
    18. Re:Huh? by Nogami_Saeko · · Score: 4, Interesting

      And it could be argued that people who let viruses like this onto their machines have no training, are incompetent, and need to have experts solve their problems for them.

      Let's try another analogy then:

      Let's say that you are just an average person going in to get a flu-shot at the doctor.

      The flu vaccine wasn't manufactured correctly and has a small amount of contamination that causes people to become slightly feverish. It's not fatal, but it's uncomfortable.

      The health authorities, rather than trying to re-vaccinate everyone affected, put the cure (100% safe and effective) into the public water system to help everyone as quickly as possible, prevent the spread of the problem, etc.

      How do you feel?

      --
      "Nothing strengthens authority so much as silence." - Charles de Gaulle
    19. Re:Huh? by dhaines · · Score: 2, Funny

      How do you feel?
      Glad that I drink bottled water.

    20. Re:Huh? by Chump1422 · · Score: 3, Insightful

      I am a law student, and that post is missing some important facts. The police would have to have a warrant to search your HD, no matter if Zonelabs let them or not. As for the other two scenarios, they can happen right now. It's a matter of contract law and whether or not the EULA allows it and will stand up in court.

      Be realistic. They're not hijacking your computer. They're removing a virus.

      Don't rely on this advice, though. I am just a student.

  2. In other News... by lukew · · Score: 5, Funny

    The Fizzer worm information minister soon after came forth to announce that the site had in fact not been taken over, and that the Fizzer worm was more fertile than ever.

  3. Full Text of Article by insomnike · · Score: 5, Informative

    Just a quick note to say that we (we as in Fizzer Task Force/IRC Unity) now control the update page, and have posted a mirror of the http://www.debugoutput.com/fizzer.php site on the geocities website that fizzer uses to update itself.

    We have also posted a fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable. We're crossing our fingers that the bots are looking for an executable to update themselves..

    We'll keep you updated..

    Regards,

    --
    John McGarrigle
    IC5 Networks

    1. Re:Full Text of Article by Realistic_Dragon · · Score: 3, Informative

      How is automatically downloading an antivirus any more legal or ethical than automatically downloading a virus without user permission?

      I applaud the sentiment, but do the ends justify the means? I don't think Joe Slashdotter would be too happy with the idea of enforced antivirus affecting _his_ PC, for example if the government mandated it, because you can be sure that that precedent would soon be followed by anti-piracy, anti-crypto, anti-free-speech, anti-everything-else in short order.

      I suppose you could argue that 'we aren't inserting the data ourselves, we just made it available' - but that's little more than sophistry.

      --
      Beep beep.
    2. Re:Full Text of Article by Malfourmed · · Score: 2, Funny

      we now control the update page, and have posted a mirror on the geocities website that fizzer uses to update itself.

      All your pages are belong to us.
    3. Re:Full Text of Article by Urkki · · Score: 5, Insightful

      But this isn't "mandated" in any way. If you have a computer that automatically downloads and executes a file from a URL, then that's *your* problem, isn't it? Especially since there are ways to avoid such things from happening... (Starting with personal firewall that blocks IE from accessing the network, and use some other browser...)

    4. Re:Full Text of Article by Realistic_Dragon · · Score: 2, Interesting

      But this isn't "mandated" in any way. If you have a computer that automatically downloads and executes a file from a URL, then that's *your* problem, isn't it?

      Yes, but the people who put the file there cannot really claim that they didn't know that the file would be downloaded onto their machine without the knowledge of computer users. They could have just deleted the file.

      Especially since there are ways to avoid such things from happening... (Starting with personal firewall that blocks IE from accessing the network, and use some other browser...)

      Indeed, I have little pity for anyone who chooses to use IE.

      --
      Beep beep.
    5. Re:Full Text of Article by Urkki · · Score: 3, Insightful

      Yes, but the people who put the file there cannot really claim that they didn't know that the file would be downloaded onto their machine without the knowledge of computer users. They could have just deleted the file.

      I guess that would make them liable to pay damages if their removal code did some damage, and doing something like that is sticking their necks out to be chopped off. Which makes them either unselfish and brave, or stupid.

      Too bad there really isn't any "real-world" analogy for this case... I'm having a hard time deciding if they did wrong or right. I guess I consider myself to be enough of an anarchist that I must support this kind of positive activism ;)

    6. Re:Full Text of Article by sjames · · Score: 2, Insightful

      How is automatically downloading an antivirus any more legal or ethical than automatically downloading a virus without user permission?

      Essentially, the same way the fire department has implied permission to save your house and pets should your house catch fire when you are unreachable.

      That is, the worm presents a danger to other people's property (servers) and it's a good bet that anyone having it would sincerely like it to be gone. Anyone who WANTS the worm to remain, AND hasn't isolated it from the rest of the net, is necessarily deliberately spreading it, and so is guilty of a felony.

    7. Re:Full Text of Article by sjames · · Score: 2, Insightful

      But they don't have implied permission, they have explicit permission from an elected government (at least here). In this case the people doing this are akin to a band of vigilantes, something that civilised societies all over the world have rejected in the real world.

      They are more like a volunteer fire department. In the absence of an appropriate civil authority, sometimes, citizens must get together to do the appropriate thing.

      Vigilantism is an act of ignoring an existent and appropriate civil authority in order to take independent action.

    8. Re:Full Text of Article by zogger · · Score: 2, Interesting

      No, "vigilantes" have not been rejected, not even close. I can hire a private security guard, and I can also band together with my neighbors for mutual self defense. If I see an obvious stranger breaking into my neighbor's house, I can go over and stop him, OR call the cops, OR both. And ESPECIALLY if 'government' has proven itself over and over again to be ineffectual, like they once again have shown here. And what's the alternative, do you REALLY want a huge new bureaucracy of government cyber cops, beyond what we have now? I sure don't, I'd rather leave the net alone, let the victims be able to FIGHT BACK.

      It's just that the word got hijacked by the pansy PC police. People are too scared for self defense any more, a lot of them anyway; they want nanny government to always be there for them. Government has its place, but it's not the entire total solution to crime.

      In this instance and other instances, government is 20 years behind when it comes to dealing with spam, viruses, etc. Ya, they passed a few laws, whoopedy zing, they haven't stopped any crime, they haven't stopped or even cleaned up one virus or worm that I am aware of, except off their own computers. At best, government usually just reacts to crime after the fact, and most of the time they don't even get that right.

      Frankly, I'd like to see open relays that are hijacked treated this way, maybe a screen pops up HEY, QUIT SENDING ME SPAM, MORON!

      then maybe people would start to take more proactive measures with their computers, or demand the OS and app vendors to do a better job.

      Maybe, don't know, but if someone hacks me, or infects my box, I claim the right to fight back, to use whatever self defense is at my disposal, same as when I am out and about on the street. These poor IRC people are doing all they can do, or should a worm writer have the right to just destroy their networks?

      I don't see any problem with this thing, none, good for them to do something actually effective. Same as spamming spammers, tough luck for those nimrods.

      I LIKE good old fashioned in your face instant karma justice, I LIKE to be "vigilant". If we had more of it, there would be less crime. People talk about the old "wild wild west", but if you research it, with only a few exceptions it had much less crime than what we have now, the only difference is, the crime fighting was mostly done by the victims. It's not perfect, but nothing else is either, is it?

  4. wow by j0nb0y · · Score: 5, Insightful
    nice hack.


    Now the computer security community gets to have a big debate over whether this was ethical or not...

    --
    If you had super powers, would you use them for good, or for awesome?
    1. Re:wow by ch-chuck · · Score: 2, Interesting

      If it's done by an 'official' security agency with govt. approval then it's ethical; if it's done by a netizen vigilante group then it's not ethical - just like if a fireman pulls a victim from a burning building s/he's a hero, but if John Q. Passerby tries to help he's arrested for trespassing.

      --
      try { do() || do_not(); } catch (JediException err) { yoda(err); }
    2. Re:wow by Zathrus · · Score: 5, Insightful

      just like if a fireman pulls a victim from a burning building s/he's a hero, but if John Q. Passerby tries to help he's arrested for trespassing.

      Want to show a case proving this? Even vaguely?

      In fact, most states have "Good Samaritan" laws which are specifically designed to protect anyone attempting to save someone else's life against prosecution -- this comes up most often in CPR training, since some bozos have had the gall to try and prosecute the CPR giver for providing CPR and not saving the person's life.

      I'd say you were just a troll, but your posting history doesn't show that. So I'm guessing you're either stupid or grumpy.

      In response to the original question - as long as it's done purely for the purpose of removing the worm in the first place I'd say it's ethical. You could argue that they should also patch the holes that let the worm in in the first place (presuming there were some - I believe Fizzer is just executed by unsuspecting people), but I'd say that's crossing the line -- you have no idea if there was a valid reason for the user to not patch -- it may be that the patch causes issues with their computer. Uninstalling the worm is unlikely to cause problems though, as long as the uninstaller does the job right.

    3. Re:wow by Zak3056 · · Score: 2, Interesting

      Want to show a case proving this? Even vaguely?

      There was an instance about two months ago of a man whose apartment was on fire running into the burning building to save his dog. The fire department had the police arrest him.

      The FD did not want to enter the building because it was too hot/dangerous, and wanted to let the hoses cool things down a bit at first (a perfectly sane decision, IMHO, since there was no human life at stake.) The pet owner didn't like that idea, so took matters into his own hands.

      The reason for his arrest is he "put the lives of firefighters and others at risk" by his "reckless" actions.

      Not EXACTLY what the original poster was talking about, but fairly close.

      --
      What part of "shall not be infringed" is so hard to understand?
    4. Re:wow by 241comp · · Score: 2, Insightful

      I'm not sure if you heard the entire story. The reason he was arrested was because there were firefighters in the entrance to the house and he broke a window (I believe - or opened one) to get in. This sudden additional inlet of air could have caused a backdraft-type situation (think about the movie). He endangered the firefighters lives by doing that - all for a dog which the firefighters themselves probably could have saved. It was reckless disregard for the safety of the firefighters. Heck, if someone put your life in serious danger at work while you were saving their personal property wouldn't you want them to be arrested?

    5. Re:wow by vDave420 · · Score: 2, Informative
      just like if a fireman pulls a victim from a burning building s/he's a hero, but if John Q. Passerby tries to help he's arrested for trespassing. Want to show a case proving this? Even vaguely?

      Within the last two weeks here in Miami, Florida, there were two separate instances of this on the news.

      In one, a man jumped up(!) to a burning second story building to rescue a trapped dog that was barking for help.

      In the second, a man rescued a person.

      In both cases, they were arrested, and it made the local news. Now admittedly, they may (and probably will) be acquitted, but this is not the point.

      -dave-

      Use BearShare for all your p2p needs!

      --
      The pig browse. With Google. Sigh is to the chicken. Chicken is fool. Giggle. The DailyWTF giggle.
    6. Re:wow by budgenator · · Score: 2, Informative

      There is one documented case of HIV transmission through mouth to mouth. The carrier had severe periodontal disease (bleeding gums).

      --
      Apocalypse Cancelled, Sorry, No Ticket Refunds
  5. Gateway to Thousands of Machines by bjb · · Score: 5, Insightful
    Hey Kids! Want to take over thousands of people's machines? Hack Geocities and install your own 3733t "eYe r0K uR w0RlD" binary at this URL! ...

    I can only imagine that this is now the bullseye for hundreds of crackers who want to compromise people's computers. I hope the honest security people who have "taken control" of this page are making sure every few seconds that their true uninstaller program is there, and not someone else's kRaK program.

    --
    Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
    1. Re:Gateway to Thousands of Machines by Ryan+Amos · · Score: 3, Insightful

      My guess is the fizzer people talked to geocities to gain control of the account. I'd imagine geocities' security is pretty solid, it's NOT hard to secure a box if you REALLY want to. 99.999% of security breaches are from default daemons left on and never updated so the vulnerabilities persist. If you update your software and check your CGIs (the other 0.001% of system breakins come from bad CGIs) for vulnerabilities (as I'm sure geocities has) then you're fine.

  6. Re:wtf? by SComps · · Score: 5, Insightful

    Being that these people are running code on their machine that they have no clue they're actually running.. hammering the piss out of irc networks all over the world, wasting bandwidth, creating havoc and otherwise presenting their computers to whomever wrote this cluster as a gift?

    Yeah.. what adverse effects? Can they be any worse than what's already there? Seems to me if you don't have the worm stop worrying about the effects. If you do have the worm.. get rid of it on your own.

    The rest of us (the IRC Community) have to deal with the threats as they come down the pike.

  7. Hacked into Geocities? by Salamanders · · Score: 5, Interesting

    ...now control the update page...

    At what point does vigilante hacking become acceptable when fighting against Something Bad?

    If this worm updated itself from a random group of computers that it had infected (say, for example, yours), would you mind if they took control of your computer if it meant stopping the worm?

    1. Re:Hacked into Geocities? by Anonymous Coward · · Score: 4, Informative

      We now control the update page because a particularly observant FTF member noticed that geocities had deleted the page, and registered it for themselves. No hacking involved.

      Next time try doing a little research (like asking in the IRC channel) before posting.

    2. Re:Hacked into Geocities? by 42forty-two42 · · Score: 4, Funny

      Next time try doing a little research (like asking in the IRC channel) before posting.

      You're new here, aren't you?
    3. Re:Hacked into Geocities? by rillian · · Score: 3, Interesting

      If they do a good job without breaking anything else or causing additional inconvenience I wouldn't mind at all. Would you mind if some stranger came along and pulled the weeds out of your garden? It's like they're doing system administration for free; if their interest and yours is in improving the state of the network commons, such division of labor is only an efficiency.

      People get concerned about security as an end unto itself, forgetting the real world is messier than that. An excess of control can be as wasteful as a deficit. What's good for the RIAA is good for us too. It's never good to be a battleground of course, but ants in the basement are better than roaches in the kitchen. If the one prevents the other, why not?

      Thus we should patch security holes not to keep someone from using a few resources we wouldn't miss, or indeed use in the meantime, but because someone might combine those resources with ten thousand other compromised machines to perform a nuisance attack on another host, or with ten million to do the same to the net at large.

    4. Re:Hacked into Geocities? by aonaran · · Score: 3, Insightful

      Would you mind if some stranger came along and pulled the weeds out of your garden?

      I would. I wanted those weeds there, dandelion makes a good salad.

  8. *Sigh* by cperciva · · Score: 5, Funny

    When will people learn that if you're going to download program updates, you should use public-key cryptography to sign the updates?

    If you're going to write a worm, do it right.

    1. Re:*Sigh* by will_die · · Score: 5, Funny

      You just go the simple route, include an EULA saying that doing this is against the DCMA.
      Then sue.

    2. Re:*Sigh* by connorbd · · Score: 2, Insightful

      Though admittedly "Digital Copyright Millennium Act" is perfectly accurate...

      (mod self -1, Silly) /Brian

  9. Quota? by 42forty-two42 · · Score: 4, Interesting

    Why isn't the geocities site saying it's 'bandwidth exceeded' or something?

  10. outrageous by circletimessquare · · Score: 5, Funny

    as a compassionate human being i find this outrageous

    to use the innate homing behavior of a wild natural creature like this virus against it...

    to warp its natural instincts to find home into the means by which it kills itself displays a craven lack of respect for computer worm/ virus entities

    do not these strange and wonderful beings deserve our respect and encouragement? is there no natural sanctuary of a subnet on which these beautiful beings can live out their imperative to reproduce? unburdened by the ill wishes of mankind?

    is there no compassion on the internet?

    outrageous

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  11. Nice.. by Komarosu · · Score: 3, Interesting

    Guess that's another thing worm writers will pick up... don't have autoupdate from a website. Without that little "feature" the worm would probably hang around for a lot longer.

    --

    "What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
    1. Re:Nice.. by Loosewire · · Score: 4, Insightful

      I would say not. I think what most virus writers want to do is get a worm that quickly spreads to everyone. Whether it hangs around is of no importance, so having a way it could be disabled after a reasonable amount of time (a few weeks) would not be bad for them. Just like game companies only have copy protection so they get huge sales for the first week or so - they know the protection will be broken, but not for a short while afterwards.

      --
      Slashdot - The one stop shop for procrastination
  12. No, this is different by Sycraft-fu · · Score: 4, Informative

    The worm chooses to go and update itself from this site; this code is an update that tells it to die. So, if you choose to run the worm, consciously or not, that worm will go get updates regularly, unless you do something to stop it. This particular update just disables it.

    Also, intent does factor in to laws. What you intend to do can affect what kind of crime you are guilty of, or even if you are guilty at all.

  13. Fact Checking by Brightest+Light · · Score: 5, Informative
    Nicely done, Slashdot!

    Had anybody bothered following the link to the geocities page before posting the story, they would have seen that the file was "removed for the time being, until further testing on Fizzer's update routine can be done." There has been a great deal of argument in #fizzer as to the legality of such things, and I do not believe that the Fizzer Task Force as a whole decided to do anything of that sort.

  14. Antivirus companies' advice by 42forty-two42 · · Score: 4, Interesting

    From the F-Secure page:

    The current variant of the worm can uninstall itself if a file with the following name is found in the Windows main directory:

    Uninstall.pky

    When the worm finds a file with this name, it kills all its tasks and removes its registry keys, thus disinfecting a system.
    [...]

    To get rid of the worm, it is enough to delete its files from the Windows main directory and from the Kazaa shared folders. Please download and execute the following Registry patch:

    Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...
    1. Re:Antivirus companies' advice by andkaha · · Score: 2, Funny

      Unfortunately, this won't work on XP (which has no DOS box), so you're forced to use Notepad or something which will append .txt to the end of any file, and then you have to go into Explorer and rename it, hope to god that the user won't get scared by the "if you change the file extension, this file may not be usable anymore" warning, and so on.

      Just name it "Uninstall.pky" (including the double quotes) in Notepad.

      I never thought that I would give a Windows tip... shudder...

      --
      It's 11pm, do you know what your deamons are up to?
    2. Re:Antivirus companies' advice by httptech · · Score: 4, Informative

      Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...

      That's actually what the de-fizzer executable was designed to do. Unfortunately, it looks like there are timing/logic issues with the update that haven't been worked out (different threads of the worm are run conditionally, at different times)

      Another vector that people (including myself) are working on is using the "PING" buffer overflow to launch the self-destruct mechanism from the IRC server.

      My submission:

      2003-05-15 16:36:12 Fizzer Worm Self-Destruct Sequence Triggered by Fizzer Task Force (articles,security) (rejected)

  15. Re:wtf? by BigBir3d · · Score: 2, Insightful

    2 wrongs != right

    It is up to the user to fix this stuff, not some IRC dork that wants to prove his/her mad skillz to the world.

  16. the worm has proved itself to be a new lifeform by andy666 · · Score: 4, Funny

    so i think it is morally wrong to kill them all. who are we to decide which new e-species lives and which dies ?

    (see star trek for more on this topic....)

  17. Someone needs to be more creative... by Anonymous Coward · · Score: 5, Funny

    I mean seriously, this article just SCREAMED for a title like Fizzer Fizzles Out, or something like that. I don't blame Slashdot, I blame DShield.org for their lack of insight to use good reporting techniques such as headlining...

  18. Re:wtf? by kiwimate · · Score: 2, Interesting

    Being that these people are running code on their machine that they have no clue they're actually running...

    Exactly. As opposed to Windows Update, which (coincidentally) was vilified just yesterday on these hallowed pages, and will prompt you to allow the update unless you've explicitly turned it off.

    Oh wait...

  19. Re:wtf? by Kingsly · · Score: 4, Informative

    Yeah, considering the worm never really got anything from that site in the first place, because the Geocities account never existed.

    From http://www.livejournal.com/users/kalyan/84241.html

    Pretty interesting, because this site does not exist and the username was never created with Yahoo!.

  20. Good thing Symantec.... by caffeinex36 · · Score: 5, Funny

    ...didn't get a hold of the Geocities page... Otherwise there would be 120398123 people unhappy with a "free trial" of Norton AV on their desktop right now.

    -Rob

  21. Great! by varjag · · Score: 2, Funny

    While they are at it, could they also make the worm install some simple firewall and anti-viral software on users' machines?

    --
    Lisp is the Tengwar of programming languages.
  22. Re:wtf? by calethix · · Score: 2, Interesting

    "Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?"

    I don't know why this is modded as flamebait. I think it's a perfectly valid question. Especially with all the people on Slashdot that complain about Windows Update breaking more things than it fixes.

    I agree that this now self worm is a good thing and I don't really know what exactly it does but what if there's some infected computer that the fix has an adverse effect on? Are they going to be liable for it?

  23. Well... by High+Hat · · Score: 2, Funny

    ... what about doing this to Windows Update?

  24. Re:wtf? by Smallpond · · Score: 4, Funny


    Fizzer uninstaller:

    format c:

    I don't see any adverse effects.

  25. Re:wtf? by theLOUDroom · · Score: 4, Insightful

    Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?

    Nope. This is perfectly legal. They aren't breaking any security on the infected machines, and they aren't contacting them.

    All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

    Generally, to have illegally used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.

    Since the remote computer is initiating everything, and all they're doing is answering requests, it would be pretty hard to charge them with unauthorized use of your machine.

    Think of it this way:

    1. The remote computer goes: "What do I do?"
    2. The server goes: "Well, since you're asking, I think you should do this."

    There's no stolen password, and there's no exploit needed.

    Here's another example:

    I put a box on the internet, let's call it pk12.foobar.com. This box is a Linux box which accepts any username/password combo as root, and no notice that it is for private use only. Under NYS law (I'm not sure about federal) you can come along and use any services my box provides, including telnet, http, ftp, etc.

    IMO, if the fix trashes your data, tough shit. Are owners of DDOS zombies held responsible for the damage their computers are doing?

    Morally, this is like parking in front of a hydrant and then bitching because they smashed your windows to run the hose through your car or towed it. It doesn't matter if you knew you were parked in front of the hydrant. Your car was causing a danger and it had to be dealt with. If you don't want that happening to your car, you should make sure you don't park in front of hydrants. It's your car. You are responsible for it.

    --
    Life is too short to proofread.
  26. DMCA violation? by dcavanaugh · · Score: 3, Interesting

    Hmmm... hijacking a web page to interfere with the virus' self-update. Is this an illegal "circumvention" of a "protection feature" in this copyrighted program (regardless of how it's installed)?

    Don't get me wrong; I applaud the efforts of the virus busters; I just figured it was yet another example of unintended DMCA side-effects.

  27. Re:wtf? by JohnFluxx · · Score: 2, Insightful

    Of course 2 wrongs can make a right.

    Imagine you were in the bizarre situation where you had to shoot a terrorist to stop him from blowing up the entire world, killing everyone.

    It is wrong to kill - but in this situation surely it would be right to.

  28. Just walk without a rhythm... by sopuli · · Score: 4, Funny

    Because, if you walk without a rhythm, you won't attract the worm.

  29. Re:wtf? by WPIDalamar · · Score: 3, Insightful

    That's not 2 wrongs. It's 1 wrong that avoids another.

    2 Wrongs would be if the terrorist blew up the world, so then you kill him.

    I guess 1 wrong can make a right!

  30. I just Googled uninstall.pky by Madcapjack · · Score: 2, Insightful

    I just googled uninstall.pky at 3:06pm Polish time, and I received 28 results. Let's see how fast this info spreads on Google.

  31. Props to the White Hats by Sergeant+Beavis · · Score: 3, Interesting

    It's nice to see some people just looking to do some good.

    --
    There is nothing inherently safe about liberty. That's why so many people died protecting it.
  32. Don't worry... by new+death+barbie · · Score: 2, Funny

    ...they'll get another chance on the duplicate posting...

    --

    It's supposed to be completely automatic, but actually you have to press this button.

  33. wtf is going on here? by Ender+Ryan · · Score: 5, Insightful
    Am I just being incredibly dense? What are so many here complaining about? How could you possibly consider it to be morally wrong for someone to use a worm's own properties to fight it? People who are "unintentionally downloading and running" this fix were already hacked, and are no longer in control of their machines.

    If someone broke into your house, would you mind if a friendly neighbor quietly followed them in and escorted the intruder out? Or perhaps you'd prefer your neighbor to let the intruder rob you, or whatever they intended to do.

    They also didn't "hack" geocities like some have suggested...

    I dunno, I just don't see anything wrong here.

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
    1. Re:wtf is going on here? by httptech · · Score: 4, Interesting
      More and more worms and viruses are going to crush the internet under their weight if they are not stopped somehow. It's somewhat akin to the wild west here... there is no "law" that can contain these hostile entities. It's up to the town affected to form a posse and take care of business.

      A look at the ethical issues involved in "hacking back" was written by a cow-orker of mine. It looks at different ethical systems and how they might be applied here.

      It's called "Crossing the Line: Ethics for the Security Professional"

  34. Could be done better... by rulethirty · · Score: 2, Insightful

    Instead of spawning an uninstall-executable perhaps this should spawn a quick harmless executable that will start an Internet Explorer process directing victims to a website warning that they indeed have this trojan and what action they can take to remove it... My $.02...

    1. Re:Could be done better... by mdfst13 · · Score: 2, Insightful

      If I had this worm, I would find the uninstall-executable less intrusive than starting up IE and sending me to a web site. The uninstall only affects the worm's operation. What you are recommending is further cracking my box (admittedly, the box is already cracked, but why go farther). As you are then taking active effort to crack my box, I would regard that as illegal.

      An analogy. I regard this as the equivalent of walking by a car with its windows down in the rain and rolling them up. It's just good citizenship. What you are suggesting is more along the lines of triggering the garage door opener, walking in, and leaving a note saying that the windows are down. Not only is it more intrusive, but it still lets the car get wetter while you are doing it and while you are waiting for people to find your note (which they may do immediately or not). Not to mention the fact that the worm affects other computers more than your computer.

      My $.02

    2. Re:Could be done better... by Moonshadow · · Score: 2, Insightful

      The worm contains uninstall routines. All the "uninstall executable" does is create a file with the appropriate name in the appropriate directory. The worm then picks up this file and uninstalls itself. The file that the worm is now downloading is NOT a traditional uninstaller, but rather, is a simple file creation app. It just creates the blank file and the worm kills itself. It's clearly the cleanest, fastest, easiest solution.

  35. Re:wtf? by Dr_Willie_Feelgood · · Score: 2, Insightful
    People who didn't allow their computers to become 0wnz0red in the first place won't have to worry about it; and frankly, people who did deserve any adverse effects that may occur

    Wrong answer! Try again!

    By your theory, anyone who forgets to lock the door to their house deserves to get robbed.

  36. Re:wtf? by Xformer · · Score: 2, Informative
    --
    All I want is a kind word, a warm bed and unlimited power.
  37. Pedantic ethic in a vacuum... by xinit · · Score: 5, Insightful
    I still get hits from Nimda and Code Red on my apache server. Plenty of them. I'd be very happy to see those ancient beasties exterminated in just this fashion.

    Sure, it's not ethical on its own to force a download on people... but it is likely MORE ethical than allowing these clueless infected types to continue to infect others.

    If someone's unconscious and bleeding from their head, is it ethical to patch up their head wound without their permission? I'd hope so.

    --
    --- http://foo.ca
  38. But 3 Lefts Do! by Greyfox · · Score: 3, Interesting
    The two evils in question:

    1) Run the risk of potentially damaging peoples' computers by running code on them that hasn't been thoroughly tested on all platforms.

    2) Leave a massive network of compromised systems in place which could be used to launch a massive DDOS against banks, internet connected water and electrical grids or law enforcement networks.

    IIRC (IANAL) the law gives you a good amount of latitude in defending others. This includes the little-used ability to make a citizen's arrest and also allows you to kill to protect others in some circumstances.

    I'd put my money on the correct choice being to remove the weapon from the hands of the criminals.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  39. Hey, unfair! by Black+Parrot · · Score: 2, Funny


    > The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys.

    Why didn't they provide a UNIX version, too?

    --
    Sheesh, evil *and* a jerk. -- Jade
  40. Seems similar to RIAA requests... by dnoyeb · · Score: 3, Insightful

    This seems like what the RIAA wanted permission to do. They believe it's their content so they have access to it no matter where it is.

    I mean this in the context of the Geocities web page. Do they have permission to alter the contents of that page??

    Solution is elegant, but lets be consistent and understand the implications.

    1. Re:Seems similar to RIAA requests... by ceejayoz · · Score: 3, Interesting

      They most likely contacted Geocities and asked for access to the account so they could stop the worm.

    2. Re:Seems similar to RIAA requests... by Washizu · · Score: 3, Insightful

      "This seems like what the RIAA wanted permission to do. They believe it's their content so they have access to it no matter where it is."

      DRM itself isn't wrong, it's just a technology. Government mandated DRM is wrong because it eliminates the choice of using it or not. I don't see how that relates to this situation at all, since no laws say people have to have the Fizzer installed.

      --
      OddManIn: A Game of guns and game theory.
    3. Re:Seems similar to RIAA requests... by MillionthMonkey · · Score: 2, Funny

      Wow. Is this what it takes to get any sort of response from Geocities?

      I set up a Geocities page in 1997. After they were bought by Yahoo, my password stopped working and I haven't been able to delete the page in years, which sucks because it's embarrassing to have a page with the digging man GIF in 2003. Geocities is unresponsive. I guess the solution is to release a worm that checks to see if the page is still there!

      Does anybody have a copy of Fizzer? I have to edit one of its resource strings and post that baby on KaZaa.

    4. Re:Seems similar to RIAA requests... by Moonshadow · · Score: 3, Interesting

      What actually happens is that there's a series of update sites hardcoded into the worm. Reddog (A Magicstar op) found one of them that "Sparky" hadn't registered yet, registered it, and put up the update file with the uninstaller.

      Pure genius, really.

      Mad props, Reddog. :)

      -- Antiarc

    5. Re:Seems similar to RIAA requests... by Moonshadow · · Score: 2, Interesting

      Yes, there is a binary out there. It's also encrypted (PE compressed, actually) - I doubt you have the resources to decrypt it and alter the binary. The people hacking on it were able to find the strings it contained by infecting their own machines and using WinHex to stroll through RAM. If we'd been able to decrypt it, things would have been a lot easier.

    6. Re:Seems similar to RIAA requests... by dnoyeb · · Score: 2, Informative

      For those who missed the point, the issue is their access to the Geocities webpage, nothing more nothing less.

  41. Re:wtf? by theLOUDroom · · Score: 3, Insightful

    First off, can we get some whitespace? Please?

    Good intention does not turn an illegal act into something legal.

    Actually there are plenty of laws which consider intent. Here are the NYS computer crime laws for example. Go ahead, Control-F, type "intent".

    --
    Life is too short to proofread.
  42. Great idea! Next let's... by MongooseCN · · Score: 3, Funny

    Next let's take over the MS Update site and put REAL patches on there. Then when the client updates his system, he won't be installing more holes.

  43. Re:wtf? by Fulcrum+of+Evil · · Score: 2, Insightful

    It is wrong to kill

    Obviously not. If someone is trying to kill me, I am well within my rights to kill him first. It is only murder that is wrong.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  44. definitely a good thing. by theflea · · Score: 5, Insightful

    After reviewing the arguments, I've concluded this is a good thing. Maybe even a necessary thing. Here's why:

    Have you ever tried to explain to an end user what a virus is and how it works? Few have a decent understanding of what viruses are all about. Even folks with a technical background have a hard time keeping up with them, and knowing all the types.

    As operating systems and viruses get more complicated, this gap will only get wider. I saw that article/paper arguing that as computers become almost biological in complexity, they must be able to fix their own minor problems. Same type of thing.

  45. Re:wtf? by BigBir3d · · Score: 2, Insightful

    I was referring to unrequested code being run on computers on my network. Fizzer_bad and Fizzer_good should not be there. And there is no verification that Fizzer_good is actually that. Sounds like the perfect way to launch spyware with everyone saying "thank you, may I have another."

  46. No more fizzer by aztektum · · Score: 2, Funny

    until the Pfizer worm comes around and then we're all in for a hard time

    i got nothin' this morning

    --
    :: aztek ::
    No sig for you!!
  47. Re:wtf? by Proaxiom · · Score: 3, Interesting
    All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

    RIAA's counterpoint:
    All we're doing is putting a virus-infected MP3 file on our own machines and running KaZaA. It's not our fault that people download it and run it on exploitable software.

    Is there a difference here?

    Truthfully, maybe not. If somebody had hacked the geocities page in question and caused fizzer to completely toast the OS it's running on, that would certainly be illegal (even if the person was not the original creator of fizzer). The fact that you are doing something good does not necessarily factor into the law.

    However, the key point here is this: nobody is about to go out and sue the Fizzer Task Force for doing this. We are all pretty happy about it, and most of us think it's a pretty clever solution to a real problem.

  48. Re:wtf? by ceejayoz · · Score: 3, Insightful

    That page belongs to Geocities, as the worm author had violated the TOS by performing illegal activities with their account. Geocities thus can give out the old account to whoever they want.

  49. Re:Helpfully by spanky1 · · Score: 2, Funny

    You know, the source for that phrase is from a popular book.

    Harry Potter?

  50. Re:wtf? by clarkcox3 · · Score: 2, Informative
    Likewise, if these guys installed a hard-disk erasing program, KNOWING that infected computers would download and run it without the user even being aware of it, it would be a crime

    They didn't install anything on anyone's machine. They put something on a website. End of story.

    Good intention does not turn an illegal act into something legal.

    Yes it does, if I kill someone because I dislike them, that's murder. If I kill them because they were trying to kill me, that's self-defence. The only difference here is my intent.

    --
    There are no tiger attacks in my area and it's all because this rock I'm holding keeps the tigers away.
  51. Re:wtf? by enjo13 · · Score: 2, Informative

    More interesting, that guy is simply wrong. He lists the page as being:

    http://www.geocities.com/spkyupdate/upd1.jpg

    when in FACT the page is:

    http://www.geocities.com/updatesparky/sp1.7ls

    Of course, the detective work I had to do to locate this information consisted of READING THE COMMENTS from the actual page you linked to.

    --
    Turn s60 photos into awesome videos with mScrapbook for all S60 3rd edition phones!
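    The two URLs quoted in this thread are exactly the kind of indicator a responder would hunt for in proxy logs to find infected hosts on a network. The script below is an added example, not code from the thread or from the Fizzer Task Force: it scans a constructed, simplified Squid-style access log (timestamp, client IP, method, URL, status) and reports every client that requested either update location. Matching is done on the lower-cased host and path, and a 404 still counts as a hit, since the request itself is what shows the client is infected and polling.

```python
"""Flag hosts in a web proxy log that request the Fizzer update locations.

Added example, not code from the Slashdot thread or from the Fizzer Task Force.
The two URLs are the ones quoted in the thread; the log lines and the log
format (a simplified Squid-style access log) are constructed for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Update locations quoted in the thread (host and path are compared case-insensitively).
FIZZER_UPDATE_URLS = (
    "http://www.geocities.com/spkyupdate/upd1.jpg",
    "http://www.geocities.com/updatesparky/sp1.7ls",
)

# Constructed sample log lines: "<epoch> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
1052992560 192.0.2.10 GET http://www.geocities.com/updatesparky/sp1.7ls 200
1052992561 192.0.2.11 GET http://www.example.com/index.html 200
1052992575 192.0.2.10 GET http://www.geocities.com/updatesparky/sp1.7ls 200
1052992590 192.0.2.12 GET http://WWW.GEOCITIES.COM/spkyupdate/upd1.jpg 404
1052992600 192.0.2.11 GET http://www.geocities.com/updatesparky/ 200
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d{3})$")


def _normalize(url):
    """Return (host, path) in lower case so odd capitalisation does not evade the match."""
    parts = urlsplit(url)
    return parts.netloc.lower(), parts.path.lower()


WATCHED = {_normalize(u) for u in FIZZER_UPDATE_URLS}


def find_update_requests(log_text):
    """Return {client_ip: [(timestamp, url, status), ...]} for requests to a watched URL.

    Requests are counted regardless of HTTP status: a 404 still shows the client
    is infected and polling, which is what a responder wants to know.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, _method, url, status = m.groups()
        if _normalize(url) in WATCHED:
            hits[client].append((int(ts), url, int(status)))
    return dict(hits)


def suspected_hosts(log_text):
    """Sorted list of client IPs that requested any Fizzer update location."""
    return sorted(find_update_requests(log_text))


if __name__ == "__main__":
    for client, reqs in sorted(find_update_requests(SAMPLE_LOG).items()):
        print(f"{client}: {len(reqs)} update request(s), first at {reqs[0][0]}")
```

    On the sample log, 192.0.2.10 and 192.0.2.12 are reported and 192.0.2.11 is not: its request for the bare `updatesparky/` directory is not one of the watched paths, so a directory listing or a stray browser visit does not get a host flagged.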
  52. Re:wtf? by Doug+Neal · · Score: 3, Funny

    In the words of genius cartoonist Gary Larson,

    "Yes, yes, I know that, Sydney ... Everybody knows that! ... But look: Four wrongs squared, minus two wrongs to the fourth power, divided by this formula, do make a right."

  53. Well, finally... by Lane.exe · · Score: 2, Funny

    Someone thought of something useful to do with the MS Update code.

    --
    IAALS.
  54. Something wrong here? by Monofilament · · Score: 3, Insightful

    Ok.. I don't know much about Fizzer.. but if it's keeping itself alive by self-updating off of a Geocities site, AND WE KNEW THIS, why the hell didn't Geocities just take the site off?

    I mean I can't even link a picture from geocities to another site.. but Geocities lets this worm update itself from something on the webpage?

    Even past that i saw something mentioned about bandwidth.. if Fizzer is that bad wouldn't its constant updating overload the free bandwidth from the geocities site?

    Educate me please.. I'm kinda confused here.

    --


    Who makes you Sig?
  55. Fizzer is not Curious Yellow, but it's close. by nounderscores · · Score: 3, Informative

    As secolactico (UID:519805) pointed out, Fizzer could be upgraded to a Curious Yellow class worm.

    And I worked out how to kill it in a post in the Curious Yellow Discussion.

    Subsequent posters suggested that designing a worm using crypto and a truly distributed architecture would make us a lot less smug in future.

    We've been warned, folks. What are we going to do about it?

  56. how is this ok and code green wasn't? by dougnaka · · Score: 5, Insightful
    For those of you who are not familiar, Code Green was an anti-Code Red listener that would automatically connect to an attacking Code Red infected server and clean it up. link to news story about code green People in the "security community" were inflamed, and the general consensus was that this was illegal, and many people, myself included, decided not to install Code Green. Now, Code Red attacks are still common in my server logs.

    Looks like it's better to ask forgiveness than seek permission.

    --
    My Linux Command of the Day site : LCOD
    1. Re:how is this ok and code green wasn't? by dougnaka · · Score: 2, Informative

      FYI, Code green was more like code red in that it actively scanned for vulnerable servers... but there were other ones that listened for code red attacks then counter-attacked and patched... can't find any now... work and all...

      --
      My Linux Command of the Day site : LCOD
  57. Re: by TrebleJunkie · · Score: 4, Informative

    • All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

      Generally, to have illegally used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.


    Except that the "access control mechanism" is already broken. The [illegal] virus has already set up shop on that PC. The "fix" merely exploits the behavior of the virus to get a file onto your PC.

    Put another way: Just because you didn't create the *original* hole, doesn't give you *any* right to crawl into it on your own.

    Put another way: If your software ends up on my machine, ends up *running* on my machine, and I didn't agree to have it there, or run it, you're still in the wrong, no matter your intentions.

    So, for the sake of my argument, and because it's what the fix really is, I'm going to call it what it is: an EXPLOIT.

    Those infected with the virus are pretty fortunate that the folks who posted the exploit to the Geocities site were well-intentioned folks, instead of someone with more destruction in mind.

    Had a black-hat type gotten to the Geocities page first and posted an even _more_ malicious exploit, I have a feeling the opinions here would be very different. If it were the RIAA or the MPAA?!? Look out, man! The bitching and moaning would never cease.

    But, it's the whole road to hell/good intentions pavement thing. Eh.
    --

    Ed R.Zahurak

    You know, oblivion keeps looking better every day.

  58. But won't Micro$oft get upset when... by linuxwrangler · · Score: 4, Funny

    their update site converts all those machines to Linux?

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  59. worm should have used DRM kind of stuff. by Luzumsuz+Lazim · · Score: 3, Insightful

    Well, the next time, the author of the worm will probably be more careful in writing the code that executes the update package which is SIGNED by her private key. So, this kind of (elegant) solution won't do the trick...
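    The point above is the same one legitimate auto-updaters (Windows Update among them) rely on: once the client checks that an update package was produced by the holder of a particular key, controlling the download location alone no longer lets anyone substitute a different package. The block below is an added example, not code from the thread, modelling such an update client. A keyed HMAC-SHA256 stands in for the private-key signature the comment describes (a real updater would verify with a public key only; the standard library has no asymmetric signatures, so here the verifier holds the secret). Package contents and keys are constructed.

```python
"""Why controlling the download location is not enough once an update client
verifies authenticity.

Added example, not code from the thread. It models an update client that
accepts a package only if it carries a valid authentication tag. A keyed
HMAC-SHA256 is used as a stand-in for the private-key signature the comment
describes; package contents and keys below are constructed for the example.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def sign_package(package: bytes, key: bytes) -> bytes:
    """Produce the tag the update client will check; only the key holder can do this."""
    return hmac.new(key, package, hashlib.sha256).digest()


def verify_package(package: bytes, tag: bytes, key: bytes) -> bool:
    """Constant-time comparison so a forger learns nothing from timing."""
    expected = sign_package(package, key)
    return len(tag) == TAG_LEN and hmac.compare_digest(expected, tag)


def fetch_and_apply(blob: bytes, key: bytes) -> str:
    """Simulated update step. blob = package || tag. Returns what the client did."""
    if len(blob) < TAG_LEN:
        return "rejected: truncated"
    package, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not verify_package(package, tag, key):
        return "rejected: bad signature"
    return "applied: " + package.decode("ascii", errors="replace")


def demo() -> dict:
    """Return the client's decision for three files hosted at the update URL."""
    author_key = secrets.token_bytes(32)  # constructed; the only key the client trusts
    genuine = b"UPDATE v2 (constructed payload)"
    hosted_genuine = genuine + sign_package(genuine, author_key)

    # A replacement payload from whoever controls the URL but not the key:
    # the tag it carries was made with some other key, so it is as good as none.
    replacement = b"CREATE %WinDir%\\uninstall.pky (constructed payload)"
    hosted_replacement = replacement + sign_package(replacement, secrets.token_bytes(32))

    # The genuine file with one byte flipped in transit or on the server.
    tampered = bytearray(hosted_genuine)
    tampered[0] ^= 0x01

    return {
        "genuine": fetch_and_apply(hosted_genuine, author_key),
        "replacement": fetch_and_apply(hosted_replacement, author_key),
        "tampered": fetch_and_apply(bytes(tampered), author_key),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

    Only the genuinely keyed package is applied; the replacement and the tampered copy are both refused before anything runs. The defensive reading is the one the comment implies: against a client that verifies its updates, responders need the key or the infrastructure behind it, not just the hostname, and the same property is what protects a legitimate updater from a hijacked mirror.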

  60. Re: by ukyoCE · · Score: 2, Insightful

    I think you're flat-out wrong. Motive (and results) are very important.

    If a burglar drops his gun, and you pick it up and shoot the burglar, that is a good (and usually legal) thing. If you pick up the gun and shoot the bank teller, you're gonna fry. That should be obvious.

    Using an exploit to remove the exploit is a pretty good idea. Of course it should be tested beforehand, and shouldn't do anything risky (like deleting infected files). In this case they said all it does is remove the registry keys that Fizzer adds. That isn't a very risky thing to do, and I'm sure they still tested it beforehand.

    What they did is perfectly legal and a very good idea for everyone involved. This isn't at all similar to the RIAA using an exploit to delete your files, or Microsoft using their own program to subvert security on your computer.

  61. Right idea, wrong URL. by AnotherBlackHat · · Score: 4, Funny

    They should have taken over this one ;)

    -- this is not a .sig

  62. Re:wtf? by theLOUDroom · · Score: 3, Insightful
    OK then, what about all those exploits in web pages -- URLs, malformed html, etc? If you put a poison html page that you *know* is going to cause a certain version of IE or Mozilla viewing it to do something the user never intended, do you really think you can hide behind the "All I was doing was answering requests!" defense? Or what if you managed to get Microsoft's private key for WindowsUpdate, and intercepted people's requests for updates, giving them "updates" that allow you to 0wnz0r their machines. Hey, you didn't install it, you just answered requests! Yeah, see if a jury buys that one.

    In your examples a deception, misrepresentation, or a deliberate circumvention of existing security mechanisms is being employed. None of these things are happening here.

    In the situation at hand neither of these things is happening. The worm is looking for an .exe at foo.com, and it's getting an .exe at foo.com. The people aren't tricking the computers into coming there or executing anything. These computers were already scheduled to visit the site and execute whatever's there before they ever got involved.

    they haven't tested this update on a wide variety of systems, and it may cause a lot of damage and data loss. It's not their place to make that kind of a decision.

    Cry me a river. These systems are already hacked. If you want your system to be reliable, you shouldn't have worms on it. It's not like this is the first day Fizzer hit or something.

    If you don't want your system to automatically download and execute code at a certain URL, why don't you make sure your system doesn't do so?

    I wouldn't be surprised if this method was totally legal.
    1. If they were SSHing into the infected machines, you could consider that unauthorized access, but that's not happening. All they're doing is placing a file on a geocities page. The HTTP client/server thing is pretty clear, besides they don't even control the server. Even if you try and argue that the geocities server is accessing the client, the task force isn't in control of it.
    2. If they were IP spoofing or redirecting traffic, that would probably be illegal, but that's not happening.
    3. If they were taking advantage of a buffer overflow, or some other exploit to accomplish this, that would be illegal. Not so.
    4. If there was an intent to do harm, then knowingly putting the program there to do so would probably be illegal. Not happening either.


    How about this: Why don't you try and tell me what law you think they're actually breaking?

    Normally, I would be against any sort of "hack them back" actions, but I just can't see how this is hacking them. If the infected machines were just checking the webpage for the word "monkey", would adding the word monkey to that page be illegal? I just can't see how it would be.
    --
    Life is too short to proofread.