Slashdot Mirror
Fizzer Worm Uninstalling Itself
boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also postted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."
The fizzer worm information minister soon after came forth to announce that the site had in fact not been taken over, and that the fizzer worm was more fertile then ever.
No, the Fizzer runs the code. I think this is a pretty elegant solution to the problem.
OddManIn: A Game of guns and game theory.
Just a quick note to say that we (we as in Fizzer Task Force/IRC Unity)
now control the update page, and have posted a mirror of the
http://www.debugoutput.com/fizzer.php site on the geocities website that
fizzer uses to update itself.
We have also postted a fizzer cleaner to the actual URL that the bot
downloads its updates from, as a self extracting and running executable.
We're crossing our fingers that the bots are looking for an executable
to update themselves..
We'll keep you updated..
Regards,
--
John McGarrigle
IC5 Networks
They aren't running code in individual computers. They are merely putting code up which may run on your computer if you have this virus and uninstalls it. I know it sounds bad the way you say it and in general it usually is bad but the URL is out there if you want to disassemble it make sure its just uninstalling. Go ahead. I'm sure other people are interested and doing so. If someone finds out that it is more than just the uninstaller, then we can hang someone.
Now the computer security community gets to have a big debate over whether this was ethical or not...
If you had super powers, would you use them for good, or for awesome?
Not really, the worm initiated the connection from the user's machine, downloaded the software and executed it - it was pulled by the client not pushed by the server. So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable.
I can only imagine that this is now the bullseye for hundreds of crackers who want to compromise people's computers. I hope the honest security people who have "taken control" of this page are making sure every few seconds that their true uninstaller program is there, and not someone else's kRaK program.
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
Being that these people are running code on their machine that they have no clue they're actually running.. hammering the piss out of irc networks all over the world, wasting bandwidth, creating havoc and otherwise presenting their computers to whomever wrote this cluster as a gift?
Yeah.. what adverse effects? Can they be any worse than what's already there? Seems to me if you don't have the worm stop worrying about the effects. If you do have the worm.. get rid of it on your own.
The rest of us (the IRC Community) have to deal with the threats as they come down the pike.
The world according to SComps
...now control the update page...
At what point does the vigalante hacking become acceptable when fighting against Something Bad?
If this worm updated itself from a random group of computers that it had infected (say for exmple, yours), would you mind if they took control of your computer if it meant stopping the worm?
When will people learn that if you're going to download program updates, you should use public-key cryptography to sign the updates?
If you're going to write a worm, do it right.
Tarsnap: Online backups for the truly paranoid
Why isn't the geocities site saying it's 'bandwith exceeded' or something?
as a compassionate human being i find this outrageous
to use the innate homing behavior of a wild natural creature like this virus against it...
to warp it's natural instincts to find home into the means by which it kills itself displays a craven lack of respect for computer worm/ virus entities
do not these strange and wonderful beings deserve our respect and encouragement? is there no natural sanctuary of a subnet on which these beautiful beings can live out their imperative to reproduce? unburdened by the ill wishes of mankind?
is there no compassion on the internet?
outrageous
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Guess thats another thing worm writers will pick up...dont have autoupdate from a website, without that little "feature" the worm would probably hang around for alot longer.
"What do you mean you have no ice? Do you expect me to drink this coffee hot?" - Random Customer, Clerks
The worm chooses to go and update itself form this site, this code is an update that tells it to die. So, fi you choose to run the worm, conciously or not, that worm will go get updates regularly, unless you do something to stop it. This particular update just disables it.
Also, intent does factor in to laws. What you intend to do can affect whant kind of crime you are guilt of, or even if you are guilty at all.
Im SURE this must violate the Fizzer EULA somehow, in fact FizzerCorp has set their legal department to work on this right now!
True ravers don't need drugs
Had anybody bothered following the link to the geocities page before posting the story, they would have seen that the file was "removed for the time being, until further testing on Fizzer's update routine can be done." There has been a great deal of argument in #fizzer as to the legality of such things, and I do not believe that the Fizzer Task Force as a whole decided to do anything of that sort.
so i think it is morally wrong to kill them all. who are we to decide which new e-species lives and which dies ?
(see star trek for more on this topic....)
I mean seriously, this article just SCREAMED for a title like Fizzer Fizzels Out, or something like that. I don't blame Slashdot, I blame DShield.org for their lack of insight to use good reporting techniques such as headlining...
Yeah considering the worm never really got anything from that site in the first place. because the geocities account never existed.
From http://www.livejournal.com/users/kalyan/84241.html
...didn't get a hold of the Geocities page...Otherwise there would be 120398123 people un-happy with a "free-trial" of Norton AV on thier desktop right now.
-Rob
It would have been smarter for the worm to verify a signature on the code it downloads (a la Xbox) so it couldn't be disabled in this way. Trusting a particular Geocities URL is just silly.
-- Ed Avis ed@membled.com
Fizzer uninstaller:
format c:
I don't see any adverse effects.
Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?
Nope. This is perfectly legal. They aren't breaking any security on the infected machines, and they aren't contacting them.
All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.
Generally, have illegaly used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.
Since the remote computer is initiating everything, and all they're doing is answering requests, it would be pretty hard to charge them with unauthorized use of your machine.
Think of it this way:
1. The remote computer goes: "What do I do?"
2. The server goes: "Well, since you're asking, I think you should do this."
There's no stolen password, and there's no exploit needed.
Here's another example:
I put a box on the internet, let's call it pk12.foobar.com. This box is a Linux box which accepts any username/password combo as root, and no notices that it is for private use only. Under NYS law (I'm not sure about federal) you can come along and use any services my box provides, including telnet, http, ftp, etc.
IMO, if the fix trashes your data, tough shit. Are owners of DDOS zombies held responsible for the damage their computers are doing?
Morally, this is like parking in front of a hydrant and then bitching because they smashed your windows to run the hose though your car or towed it. It's doesn't matter if you knew you were parked in front of the hydrant. Your car was causing a danger and it had to be dealt with. If you don't want that happening to your car, you should make sure you don't park in front of hydrants. It's your car. You are responsible for it.
Life is too short to proofread.
Hmmm... hijacking a web page to interfere with the virus' self-update. Is this an illegal "circumvention" of a "protection feature" in this copyrighted program (regardless of how it's installed)?
Don't get me wrong; I applaud the efforts of the virus busters; I just figured it was yet another example of unintended DMCA side-effects.
Because, if you walk without a rhythm, you won't attract the worm.
That's not 2 wrongs. It's 1 wrong that avoids another.
2 Wrongs would be if the terrorist blew up the world, so then you kill him.
I guess 1 wrong can make a right!
Its nice to see some people just looking to do some good.
There is nothing inherently safe about liberty. That's why so many people died protecting it.
Viruses should put EULA's on them! I mean how many times do you see them posted to bugtraq, or disected and discussed. This is a clear violation of the copyright the author has on the code!
Of course, I'd love to see that author try to sue someone over it.
Cracker: He stole my virus.
Judge: I award you $1000 in damages, and 20 years in jail.
If someone broke into your house, would you mind if a friendly neighbor quietly quietly followed them in and escorted the intruder out? Or perhaps you'd prefer your neighbor to let the intruder rob you, or whatever they intended to do.
They also didn't "hack" geocities like some have suggested...
I dunno, I just don't see anything wrong here.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
Sure, it's not ethical on its own to force a download on people... but it is likely MORE ethical than allowing these clueless infected types to continue to infect others.
If someone's unconcious and bleeding from their head, is it ethical to patch up their head wound without their permission? I'd hope so.
--- http://foo.ca
1) Run the risk of potentially damaging peoples' computers by running code on them that hasn't been thorougly tested on all platforms.
2) Leave a massive network of compromised systems in place which could be used to launch a massive DDOS against banks, internet connected water and electrical grids or law enforcement networks.
IIRC (IANAL) the law gives you a good amount of latitude in defending others. This includes the little-used ability to make a citizen's arrest and also allows you to kill to protect others in some circumstances.
I'd put my money on the correct choice being to remove the weapon from the hands of the criminals.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
It would have been smarter for the worm to verify a signature on the code it downloads
Even better, it should not go to a hardcoded URL. This makes it too easy for the enemy to take over a vulnerable web page and attack the worm operation.
The worm should download its code via. P2P, maybe IRC, or maybe even Freenet. Especially Freenet. This way, the more the worm updates are requested, the more they replicate.
Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.
Finally, you had better not be shown to have the private key when the bad guys come knocking.
The price of freedom is eternal litigation.
This seems like what the RIAA wanted permisison to do. They believe its their content so they have access to it no matter where it is.
I mean this in the context of the Geocities web page. Do they have permission to alter the contents of that page??
Solution is elegant, but lets be consistent and understand the implications.
First off, can we get some whitespace? Please?
Good intention does not turn an illegal act into something legal.
Actually there are plenty of laws which consider intent. Here are the NYS computer crime laws for example. Go ahead, Control-F, type "intent".
Life is too short to proofread.
Next let's take over the MS Update site and put REAL patches on there. Then when the client updates his system, he won't be installing more holes.
Outdoor digital photography, mostly in New Engl
After reviewing the arguments, I've concluded this is a good thing. Maybe even a necessary thing. Here's why:
Have you ever tried to explain to an end user what a virus is and how it works? Few have a decent understanding of what viruses are all about. Even folks with a technical background have a hard time keeping up with them, and knowing all the types.
As operating systems and viruses get more complicated, this gap will only get wider. I saw that article/paper arguing that as computers becom almost biological in complexity, they must be able to fix their own minor problems. Same type thing.
Especially Freenet.
Yup. Untraceable, but probably useless if you want to use machines behind nat/firewall.
Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.
This was the idea behind the Curious Yellow concept. It was featured on Slashdot a while ago.
No sig
RIAA's counterpoint:
All we're doing is putting a virus-infected MP3 file on our own machines and running KaZaA. It's not our fault that people download it and run it on exploitable software.
Is there a difference here?
Truthfully, maybe not. If somebody had hacked the geocities page in question and caused fizzer to completely toast the OS it's running on, that would certainly be illegal (even if the person was not the original creator of fizzer). The fact that you are doing something good does not necessarily factor into the law.
However, the key point here is this: nobody is about to go out and sue the Fizzer Task Force for doing this. We are all pretty happy about it, and most of us think it's a pretty clever solution to a real problem.
That page belongs to Geocities, as the worm author had violated the TOS by performing illegal activities with their account. Geocities thus can give out the old account to whoever they want.
In the words of genius cartoonist Gary Larson,
... Everybody knows that! ... But look: Four wrongs squared, minus two wrongs to the fourth power, divided by this formula, do make a right."
"Yes, yes, I know that, Sydney
Ok .. i don't know much about Fizzer.. but if its keeping itself alive by self updating off of a geocities site, AND WE KNEW THIS. Why the hell didn't geocities just take the site off?
I mean I can't even link a picture from geocities to another site.. but Geocities lets this worm update itself from something on the webpage?
Even past that i saw something mentioned about bandwidth.. if Fizzer is that bad wouldn't its constant updating overload the free bandwidth from the geocities site?
Educate me please.. I'm kinda confused here.
Who makes you Sig?
FizzerCorp is too busy to sue. They are trying to prepare their defense to say that in fact fizzer does _NOT_ contain SCO code.
/* oops I accidentally made a comment, sorry */
as secolactico (UID:519805) pointed out, Fizzer could be upgradeded to a Curious Yellow class worm.
And I worked out how to kill it in a post in the Curious Yellow Discusion.
subsequent posters suggested that designing a worm using crypto and a truly distributed archetecture would make us a lot less smug in future.
we've been warned folks. What are we going to do about it?
Oh, that's a great idea! How about a flashing red popup window, that says "Your computer may have a VIRUS! Punch the monkey to remove it!"
...Would you click it?
Looks like it's better to ask forgiveness than seek permission.
My Linux Command of the Day site : LCOD
All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.
Generally, have illegaly used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.
Except that the "access control mechanism" is already broken. The [illegal] virus has already set up shop on that PC. The "fix" merely exploits the behavior of the virus to get a file onto you PC.
Put another way: Just because you didn't create the *original* hole, doesn't give you *any* right to crawl into it on your own.
Put another way: If your software ends up on my machine, ends up *running* on my machine, and I didn't agree to have it there, or run it, you're still in the wrong, no matter your intentions.
So, for the sake of my argument, and because it's what the fix really is, I'm going to call it was it is: an EXPLOIT.
Those infected with the virus are pretty fortunate that the folks who posted the exploit to the Geocities site were well-intentioned folks, instead of someone with more destruction in mind.
Had a black-hat type gotten to the Geocities page first and posted an even _more_ malicious exploit, I have a feeling the opinions here would be very different. If it Were RIAA or the MPAA?!? Look out, man! The bitching and moaning would never cease.
But, it's the whole road to hell/good intentions pavement thing. Eh.
Ed R.Zahurak
You know, oblivion keeps looking better every day.
their update site converts all those machines to Linux?
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
This is using an existing virus to hijack your computer. That is a dangerous precedent. In this case, it is a good thing. But what happens when, say zonelabs decides that it should let the police crack your computer in their search for child por nography? Or when AOL decides that it is their best interests to install a backdoor in winamp that phones home when suspected pirate music is played? Or when Microsoft determines your Windows OS is in violation of the latest version of your Hotmail licensing agreement? All in the name of goodness and decency, y'know?
Realistically, I'm not opposed the act. Its a good solution to real problem. But it is more important to maintain civil order. If there was a government approval along the lines of a search warrant to do this, than I say okay. Not that I trust the government, or think it is competent in these matters, but this is what the government should do. It's got its hand in a lot of pies where it doesn't belong, but it's real purpose is civil order and public defense.
Well, the next time, the author of the worm will probably be more careful in writing the code that executes the update package which is SIGNED by her private key. So, this kind of (elegant) solution won't do the trick...
Hmmm... yes, it seems as though this is opening a can of worms...
Sorry, I couldn't resist it.
I lay awake last night wondering where the sun had gone, then it dawned on me.
Aren't they violating the DMCA in doing this? After all, they reverse engineered the virus' code and are interfering with its copy mechanism... do I need to say "copy protection"? :)
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
And it could be argued that people who let viruses like this onto their machines have no training, are incompetant, and need to have experts solve their problems for them.
Let's try another analogy then:
Let's say that you are just an average person going in to get a flu-shot at the doctor.
The flu vaccine wasn't manufactured correctly and has a small amount of contamination that causes people to become slightly feverish. It's not fatal, but it's uncomfortable.
The health authorities, rather than trying to re-vaccinate everyone effected, put the cure (100% safe and effective) into the public water system to help everyone as quickly as possible, prevent the spread of the problem, etc.
How do you feel?
"Nothing strengthens authority so much as silence." - Charles de Gaulle
They should have taken over this one ;)
.sig
-- this is not a
In your examples a deception, misrepresentation, or a deliberate circumvention of existing security mechanisms is being employed. None of these things are happening here.
In the situation at hand neither of these things is happening. The worm is looking for an
they haven't tested this update on a wide variety of systems, and it may cause a lot of damage and data loss. It's not their place to make that kind of a decision.
Cry me a river. These systems are already hacked. If you want your system to be reliable, you shouldn't have worms on it. It's not like this is the first day Fizzer hit or something.
If you don't want your system to automatically download and execute code at a certain URL, why don't you make sure your system doesn't do so?
I wouldn't be suprised if this method was totally legal.
How about this: Why don't you try and tell me what law you think they're actually breaking?
Normally, I would be against any sort of "hack them back" actions, but I just can't see how this is hacking them. If the infected machines were just checking the webpage for the word "monkey", would adding the work monkey to that page be illegal? I just can't see how it would be.
Life is too short to proofread.
I am a law student, and that post is missing some important facts. The police would have to have a warrant to search your HD, no matter if Zonelabs let them or not. As for the other two scenarios, they can happen right now. It's a matter of contract law and whether or not the EULA allows it and will stand up in court.
Be realistic. They're not hijacking your computer. They're removing a virus.
Don't rely on this advice, though. I am just a student.