Slashdot Mirror


Fizzer Worm Uninstalling Itself

boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also posted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."

47 of 434 comments

  1. In other News... by lukew · · Score: 5, Funny

    The fizzer worm information minister soon after came forth to announce that the site had in fact not been taken over, and that the fizzer worm was more fertile than ever.

  2. Re:Huh? by Washizu · · Score: 5, Insightful

    No, the Fizzer runs the code. I think this is a pretty elegant solution to the problem.

    --
    OddManIn: A Game of guns and game theory.
  3. Full Text of Article by insomnike · · Score: 5, Informative

    Just a quick note to say that we (we as in Fizzer Task Force/IRC Unity)
    now control the update page, and have posted a mirror of the
    http://www.debugoutput.com/fizzer.php site on the geocities website that
    fizzer uses to update itself.

    We have also posted a fizzer cleaner to the actual URL that the bot
    downloads its updates from, as a self extracting and running executable.
    We're crossing our fingers that the bots are looking for an executable
    to update themselves..

    We'll keep you updated..

    Regards,

    --
    John McGarrigle
    IC5 Networks

    1. Re:Full Text of Article by Urkki · · Score: 5, Insightful

      But this isn't "mandated" in any way. If you have a computer that automatically downloads and executes a file from a URL, then that's *your* problem, isn't it? Especially since there are ways to prevent such things from happening... (Starting with a personal firewall that blocks IE from accessing the network, and using some other browser...)

  4. Re:Huh? by Solidblu · · Score: 4, Insightful

    They aren't running code on individual computers. They are merely putting code up which may run on your computer if you have this virus and uninstalls it. I know it sounds bad the way you say it and in general it usually is bad, but the URL is out there if you want to disassemble it and make sure it's just uninstalling. Go ahead. I'm sure other people are interested and doing so. If someone finds out that it is more than just the uninstaller, then we can hang someone.

  5. wow by j0nb0y · · Score: 5, Insightful
    nice hack.


    Now the computer security community gets to have a big debate over whether this was ethical or not...

    --
    If you had super powers, would you use them for good, or for awesome?
    1. Re:wow by Zathrus · · Score: 5, Insightful

      just like if a fireman pulls a victim from a burning building s/he's a hero, but if John Q. Passerby tries to help he's arrested for trespassing.

      Want to show a case proving this? Even vaguely?

      In fact, most states have "Good Samaritan" laws which are specifically designed to protect anyone attempting to save someone else's life against prosecution -- this comes up most often in CPR training, since some bozos have had the gall to try and prosecute the CPR giver for providing CPR and not saving the person's life.

      I'd say you were just a troll, but your posting history doesn't show that. So I'm guessing you're either stupid or grumpy.

      In response to the original question - as long as it's done purely for the purpose of removing the worm in the first place I'd say it's ethical. You could argue that they should also patch the holes that let the worm in in the first place (presuming there were some - I believe Fizzer is just executed by unsuspecting people), but I'd say that's crossing the line -- you have no idea if there was a valid reason for the user to not patch -- it may be that the patch causes issues with their computer. Uninstalling the worm is unlikely to cause problems though, as long as the uninstaller does the job right.

  6. Re:Huh? by Albanach · · Score: 5, Informative

    Not really, the worm initiated the connection from the user's machine, downloaded the software and executed it - it was pulled by the client not pushed by the server. So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable.

  7. Gateway to Thousands of Machines by bjb · · Score: 5, Insightful
    Hey Kids! Want to take over thousands of people's machines? Hack Geocities and install your own 3733t "eYe r0K uR w0RlD" binary at this URL! ...

    I can only imagine that this is now the bullseye for hundreds of crackers who want to compromise people's computers. I hope the honest security people who have "taken control" of this page are making sure every few seconds that their true uninstaller program is there, and not someone else's kRaK program.

    --
    Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
  8. Re:wtf? by SComps · · Score: 5, Insightful

    Being that these people are running code on their machine that they have no clue they're actually running.. hammering the piss out of irc networks all over the world, wasting bandwidth, creating havoc and otherwise presenting their computers to whomever wrote this cluster as a gift?

    Yeah.. what adverse effects? Can they be any worse than what's already there? Seems to me if you don't have the worm stop worrying about the effects. If you do have the worm.. get rid of it on your own.

    The rest of us (the IRC Community) have to deal with the threats as they come down the pike.

  9. Hacked into Geocities? by Salamanders · · Score: 5, Interesting

    ...now control the update page...

    At what point does the vigilante hacking become acceptable when fighting against Something Bad?

    If this worm updated itself from a random group of computers that it had infected (say for example, yours), would you mind if they took control of your computer if it meant stopping the worm?

    1. Re:Hacked into Geocities? by Anonymous Coward · · Score: 4, Informative

      We now control the update page because a particularly observant FTF member noticed that geocities had deleted the page, and registered it for themselves. No hacking involved.

      Next time try doing a little research (like asking in the IRC channel) before posting.

    2. Re:Hacked into Geocities? by 42forty-two42 · · Score: 4, Funny
      Next time try doing a little research (like asking in the IRC channel) before posting.
      You're new here, aren't you?
  10. *Sigh* by cperciva · · Score: 5, Funny

    When will people learn that if you're going to download program updates, you should use public-key cryptography to sign the updates?

    If you're going to write a worm, do it right.

    1. Re:*Sigh* by will_die · · Score: 5, Funny

      You just go the simple route, include an EULA saying that doing this is against the DMCA.
      Then sue.

  11. Quota? by 42forty-two42 · · Score: 4, Interesting

    Why isn't the geocities site saying it's 'bandwidth exceeded' or something?

  12. outrageous by circletimessquare · · Score: 5, Funny

    as a compassionate human being i find this outrageous

    to use the innate homing behavior of a wild natural creature like this virus against it...

    to warp its natural instincts to find home into the means by which it kills itself displays a craven lack of respect for computer worm/ virus entities

    do not these strange and wonderful beings deserve our respect and encouragement? is there no natural sanctuary of a subnet on which these beautiful beings can live out their imperative to reproduce? unburdened by the ill wishes of mankind?

    is there no compassion on the internet?

    outrageous

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  13. No, this is different by Sycraft-fu · · Score: 4, Informative

    The worm chooses to go and update itself from this site, this code is an update that tells it to die. So, if you choose to run the worm, consciously or not, that worm will go get updates regularly, unless you do something to stop it. This particular update just disables it.

    Also, intent does factor in to laws. What you intend to do can affect what kind of crime you are guilty of, or even if you are guilty at all.

  14. Re:Huh? by scalis · · Score: 5, Funny

    I'm SURE this must violate the Fizzer EULA somehow, in fact FizzerCorp has set their legal department to work on this right now!

    --

    True ravers don't need drugs
  15. Fact Checking by Brightest+Light · · Score: 5, Informative
    Nicely done, Slashdot!

    Had anybody bothered following the link to the geocities page before posting the story, they would have seen that the file was "removed for the time being, until further testing on Fizzer's update routine can be done." There has been a great deal of argument in #fizzer as to the legality of such things, and I do not believe that the Fizzer Task Force as a whole decided to do anything of that sort.

  16. Antivirus companies' advice by 42forty-two42 · · Score: 4, Interesting
    From the F-Secure page:
    The current variant of the worm can uninstall itself if a file with the following name is found in the Windows main directory:

    Uninstall.pky

    When the worm finds a file with this name, it kills all its tasks and removes its registry keys thus disinfecting a system.
    [...]

    To get rid of the worm, it is enough to delete its files from the Windows main directory and from the Kazaa shared folders. Please download and execute the following Registry patch:
    Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...
    1. Re:Antivirus companies' advice by httptech · · Score: 4, Informative
      Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...

      That's actually what the de-fizzer executable was designed to do. Unfortunately, it looks like there are timing/logic issues with the update that haven't been worked out (different threads of the worm are run conditionally, at different times)

      Another vector that people (including myself) are working on is using the "PING" buffer overflow to launch the self-destruct mechanism from the IRC server.

      My submission:

      2003-05-15 16:36:12 Fizzer Worm Self-Destruct Sequence Triggered by Fizzer Task Force (articles,security) (rejected)

  17. Re:Nice.. by Loosewire · · Score: 4, Insightful

    i would say not. I think what most virus writers want to do is get a worm that quickly spreads to everyone. Whether it hangs around is of no importance, so having a way it could be disabled after a reasonable amount of time (a few weeks) would not be bad for them. Just like game companies only have copy protection so they get huge sales for the first week or so, - they know the protection will be broken but not for a short while afterwards.

    --
    Slashdot - The one stop shop for procrastination
  18. the worm has proved itself to be a new lifeform by andy666 · · Score: 4, Funny

    so i think it is morally wrong to kill them all. who are we to decide which new e-species lives and which dies ?

    (see star trek for more on this topic....)

  19. Somound needs to be more creative... by Anonymous Coward · · Score: 5, Funny

    I mean seriously, this article just SCREAMED for a title like Fizzer Fizzels Out, or something like that. I don't blame Slashdot, I blame DShield.org for their lack of insight to use good reporting techniques such as headlining...

  20. Re:wtf? by Kingsly · · Score: 4, Informative

    Yeah considering the worm never really got anything from that site in the first place. because the geocities account never existed.

    From http://www.livejournal.com/users/kalyan/84241.html

    Pretty Interesting because this site does not exist and the username was never created with Yahoo!.
  21. Good thing Symantec.... by caffeinex36 · · Score: 5, Funny

    ...didn't get a hold of the Geocities page...Otherwise there would be 120398123 people unhappy with a "free-trial" of Norton AV on their desktop right now.

    -Rob

  22. Re:Huh? by Ed+Avis · · Score: 4, Funny

    It would have been smarter for the worm to verify a signature on the code it downloads (a la Xbox) so it couldn't be disabled in this way. Trusting a particular Geocities URL is just silly.

    --
    -- Ed Avis ed@membled.com
  23. Re:wtf? by Smallpond · · Score: 4, Funny


    Fizzer uninstaller:

    format c:

    I don't see any adverse effects.

  24. Re:wtf? by theLOUDroom · · Score: 4, Insightful

    Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?

    Nope. This is perfectly legal. They aren't breaking any security on the infected machines, and they aren't contacting them.

    All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

    Generally, to have illegally used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.

    Since the remote computer is initiating everything, and all they're doing is answering requests, it would be pretty hard to charge them with unauthorized use of your machine.

    Think of it this way:

    1. The remote computer goes: "What do I do?"
    2. The server goes: "Well, since you're asking, I think you should do this."

    There's no stolen password, and there's no exploit needed.

    Here's another example:

    I put a box on the internet, let's call it pk12.foobar.com. This box is a Linux box which accepts any username/password combo as root, and no notice that it is for private use only. Under NYS law (I'm not sure about federal) you can come along and use any services my box provides, including telnet, http, ftp, etc.

    IMO, if the fix trashes your data, tough shit. Are owners of DDOS zombies held responsible for the damage their computers are doing?

    Morally, this is like parking in front of a hydrant and then bitching because they smashed your windows to run the hose through your car or towed it. It doesn't matter if you knew you were parked in front of the hydrant. Your car was causing a danger and it had to be dealt with. If you don't want that happening to your car, you should make sure you don't park in front of hydrants. It's your car. You are responsible for it.

    --
    Life is too short to proofread.
  25. Just walk without a rhythm... by sopuli · · Score: 4, Funny

    Because, if you walk without a rhythm, you won't attract the worm.

  26. Re:Huh? by WPIDalamar · · Score: 5, Funny


    Viruses should put EULA's on them! I mean how many times do you see them posted to bugtraq, or disected and discussed. This is a clear violation of the copyright the author has on the code!

    Of course, I'd love to see that author try to sue someone over it.

    Cracker: He stole my virus.
    Judge: I award you $1000 in damages, and 20 years in jail.

  27. wtf is going on here? by Ender+Ryan · · Score: 5, Insightful
    Am I just being incredibly dense? What are so many here complaining about? How could you possibly consider it to be morally wrong for someone to use a worm's own properties to fight it? People who are "unintentionally downloading and running" this fix were already hacked, and are no longer in control of their machines.

    If someone broke into your house, would you mind if a friendly neighbor quietly followed them in and escorted the intruder out? Or perhaps you'd prefer your neighbor to let the intruder rob you, or whatever they intended to do.

    They also didn't "hack" geocities like some have suggested...

    I dunno, I just don't see anything wrong here.

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
    1. Re:wtf is going on here? by httptech · · Score: 4, Interesting
      More and more worms and viruses are going to crush the internet under their weight if they are not stopped somehow. It's somewhat akin to the wild west here... there is no "law" that can contain these hostile entities. It's up to the town affected to form a posse and take care of business.

      A look at the ethical issues involved in "hacking-back" was written by a cow-orker of mine. It looks at different ethical systems and how they might be applied here.

      It's called "Crossing the Line: Ethics for the Security Professional"

  28. Pedantic ethic in a vacuum... by xinit · · Score: 5, Insightful
    I still get hits from Nimda and Code Red on my apache server. Plenty of them. I'd be very happy to see those ancient beasties exterminated in just this fashion.

    Sure, it's not ethical on its own to force a download on people... but it is likely MORE ethical than allowing these clueless infected types to continue to infect others.

    If someone's unconscious and bleeding from their head, is it ethical to patch up their head wound without their permission? I'd hope so.

    --
    --- http://foo.ca
  29. Re:Huh? by Anonym0us+Cow+Herd · · Score: 5, Interesting

    It would have been smarter for the worm to verify a signature on the code it downloads

    Even better, it should not go to a hardcoded URL. This makes it too easy for the enemy to take over a vulnerable web page and attack the worm operation.

    The worm should download its code via P2P, maybe IRC, or maybe even Freenet. Especially Freenet. This way, the more the worm updates are requested, the more they replicate.

    Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

    Finally, you had better not be shown to have the private key when the bad guys come knocking.

    --
    The price of freedom is eternal litigation.
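    Several comments above (cperciva's "*Sigh*", Ed Avis's "verify a signature on the code it downloads", and the "hardcoded URL" thread this reply belongs to) make the same engineering point: an auto-updater that executes whatever sits at a fixed URL is owned by whoever controls that URL, so updates must be signed and the client must pin the publisher's public key. The following Go program is an added example, not code from the thread or from any project mentioned in it, showing how a legitimate updater does that check with Ed25519 from the standard library. The key pair, the `Update` struct, the `VerifyUpdate`/`SignUpdate` functions and the payload strings are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is a downloaded update payload plus the publisher's detached
// signature over it. Constructed type for this example.
type Update struct {
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned when the payload does not verify against the
// pinned publisher key, e.g. because the hosting page changed hands.
var ErrBadSignature = errors.New("update rejected: signature does not verify")

// SignUpdate is the publisher side: done once, offline, with the private key.
// The private key never ships with the client.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyUpdate is the check the client must run before executing anything it
// fetched. Where the bytes came from (a web page, a peer, a mirror) is
// irrelevant: only the pinned public key decides whether they are trusted.
func VerifyUpdate(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	if len(u.Signature) != ed25519.SignatureSize ||
		len(pinned) != ed25519.PublicKeySize ||
		!ed25519.Verify(pinned, u.Payload, u.Signature) {
		return nil, ErrBadSignature
	}
	return u.Payload, nil
}

// Demo walks through both outcomes and returns (genuineAccepted, forgeryRejected):
// a genuine update passes, and the same signature re-used over a replaced
// payload (what a hijacked hosting page would serve) fails.
func Demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair
	if err != nil {
		panic(err)
	}
	genuine := SignUpdate(priv, []byte("constructed update: version 2"))
	_, err = VerifyUpdate(pub, genuine)
	genuineAccepted := err == nil

	// Hijacked page: different payload, but the attacker does not hold the
	// private key, so the best they can do is replay the old signature.
	hijacked := Update{
		Payload:   []byte("constructed update: replaced by someone else"),
		Signature: genuine.Signature,
	}
	_, err = VerifyUpdate(pub, hijacked)
	forgeryRejected := errors.Is(err, ErrBadSignature)
	return genuineAccepted, forgeryRejected
}

func main() {
	ok, rejected := Demo()
	fmt.Printf("genuine update accepted: %v, tampered update rejected: %v\n", ok, rejected)
}
```

    The design point is in the last sentence of the comment above: the whole scheme rests on the private key staying private, and nothing about the download location matters once the client pins the public key and refuses anything that does not verify.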
  30. definitely a good thing. by theflea · · Score: 5, Insightful

    After reviewing the arguments, I've concluded this is a good thing. Maybe even a necessary thing. Here's why:

    Have you ever tried to explain to an end user what a virus is and how it works? Few have a decent understanding of what viruses are all about. Even folks with a technical background have a hard time keeping up with them, and knowing all the types.

    As operating systems and viruses get more complicated, this gap will only get wider. I saw that article/paper arguing that as computers become almost biological in complexity, they must be able to fix their own minor problems. Same type thing.

  31. Re:Huh? by secolactico · · Score: 4, Insightful

    Especially Freenet.

    Yup. Untraceable, but probably useless if you want to use machines behind nat/firewall.

    Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

    This was the idea behind the Curious Yellow concept. It was featured on Slashdot a while ago.

    --
    No sig
  32. Re:Huh? by nocomment · · Score: 4, Funny

    FizzerCorp is too busy to sue. They are trying to prepare their defense to say that in fact fizzer does _NOT_ contain SCO code.

    --
    /* oops I accidentally made a comment, sorry */
    /* http://allyourbasearebelongto.us */
  33. Re:Huh? by facelessnumber · · Score: 5, Funny

    Oh, that's a great idea! How about a flashing red popup window, that says "Your computer may have a VIRUS! Punch the monkey to remove it!"

    ...Would you click it?

  34. how is this ok and code green wasn't? by dougnaka · · Score: 5, Insightful
    For those of you who are not familiar Code Green was an anti-code red listener that would automatically connect to an attacking code red infected server and clean it up. link to news story about code green People in the "security community" were inflamed, and the general consensus was that this was illegal, and many people, myself included, decided not to install code green. Now, code red attacks are still common in my server logs..

    Looks like it's better to ask forgiveness than seek permission.

    --
    My Linux Command of the Day site : LCOD
  35. Re: by TrebleJunkie · · Score: 4, Informative

    • All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

      Generally, to have illegally used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.


    Except that the "access control mechanism" is already broken. The [illegal] virus has already set up shop on that PC. The "fix" merely exploits the behavior of the virus to get a file onto your PC.

    Put another way: Just because you didn't create the *original* hole, doesn't give you *any* right to crawl into it on your own.

    Put another way: If your software ends up on my machine, ends up *running* on my machine, and I didn't agree to have it there, or run it, you're still in the wrong, no matter your intentions.

    So, for the sake of my argument, and because it's what the fix really is, I'm going to call it what it is: an EXPLOIT.

    Those infected with the virus are pretty fortunate that the folks who posted the exploit to the Geocities site were well-intentioned folks, instead of someone with more destruction in mind.

    Had a black-hat type gotten to the Geocities page first and posted an even _more_ malicious exploit, I have a feeling the opinions here would be very different. If it Were RIAA or the MPAA?!? Look out, man! The bitching and moaning would never cease.

    But, it's the whole road to hell/good intentions pavement thing. Eh.
    --

    Ed R.Zahurak

    You know, oblivion keeps looking better every day.

  36. But won't Micro$oft get upset when... by linuxwrangler · · Score: 4, Funny

    their update site converts all those machines to Linux?

    --

    ~~~~~~~
    "You are not remembered for doing what is expected of you." - Atul Chitnis
  37. Re:Huh? by Anonymous Coward · · Score: 4, Insightful

    This is using an existing virus to hijack your computer. That is a dangerous precedent. In this case, it is a good thing. But what happens when, say zonelabs decides that it should let the police crack your computer in their search for child pornography? Or when AOL decides that it is in their best interests to install a backdoor in winamp that phones home when suspected pirate music is played? Or when Microsoft determines your Windows OS is in violation of the latest version of your Hotmail licensing agreement? All in the name of goodness and decency, y'know?

    Realistically, I'm not opposed to the act. It's a good solution to a real problem. But it is more important to maintain civil order. If there was a government approval along the lines of a search warrant to do this, then I say okay. Not that I trust the government, or think it is competent in these matters, but this is what the government should do. It's got its hand in a lot of pies where it doesn't belong, but its real purpose is civil order and public defense.

  38. Re:Huh? by apdt · · Score: 4, Funny


    Hmmm... yes, it seems as though this is opening a can of worms...


    Sorry, I couldn't resist it.

    --
    I lay awake last night wondering where the sun had gone, then it dawned on me.
  39. Re:Huh? by Nogami_Saeko · · Score: 4, Interesting

    And it could be argued that people who let viruses like this onto their machines have no training, are incompetent, and need to have experts solve their problems for them.

    Let's try another analogy then:

    Let's say that you are just an average person going in to get a flu-shot at the doctor.

    The flu vaccine wasn't manufactured correctly and has a small amount of contamination that causes people to become slightly feverish. It's not fatal, but it's uncomfortable.

    The health authorities, rather than trying to re-vaccinate everyone affected, put the cure (100% safe and effective) into the public water system to help everyone as quickly as possible, prevent the spread of the problem, etc.

    How do you feel?

    --
    "Nothing strengthens authority so much as silence." - Charles de Gaulle
  40. Right idea, wrong URL. by AnotherBlackHat · · Score: 4, Funny

    They should have taken over this one ;)

    -- this is not a .sig