Fizzer Worm Uninstalling Itself
boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also posted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."
The Fizzer worm information minister soon after came forth to announce that the site had in fact not been taken over, and that the Fizzer worm was more fertile than ever.
No, the Fizzer runs the code. I think this is a pretty elegant solution to the problem.
OddManIn: A Game of guns and game theory.
Just a quick note to say that we (we as in Fizzer Task Force/IRC Unity)
now control the update page, and have posted a mirror of the
http://www.debugoutput.com/fizzer.php site on the geocities website that
fizzer uses to update itself.
We have also posted a fizzer cleaner to the actual URL that the bot
downloads its updates from, as a self extracting and running executable.
We're crossing our fingers that the bots are looking for an executable
to update themselves..
We'll keep you updated..
Regards,
--
John McGarrigle
IC5 Networks
Now the computer security community gets to have a big debate over whether this was ethical or not...
If you had super powers, would you use them for good, or for awesome?
Not really, the worm initiated the connection from the user's machine, downloaded the software and executed it - it was pulled by the client not pushed by the server. So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable.
I can only imagine that this is now the bullseye for hundreds of crackers who want to compromise people's computers. I hope the honest security people who have "taken control" of this page are making sure every few seconds that their true uninstaller program is there, and not someone else's kRaK program.
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
Being that these people are running code on their machine that they have no clue they're actually running.. hammering the piss out of irc networks all over the world, wasting bandwidth, creating havoc and otherwise presenting their computers to whomever wrote this cluster as a gift?
Yeah.. what adverse effects? Can they be any worse than what's already there? Seems to me if you don't have the worm stop worrying about the effects. If you do have the worm.. get rid of it on your own.
The rest of us (the IRC Community) have to deal with the threats as they come down the pike.
The world according to SComps
...now control the update page...
At what point does the vigilante hacking become acceptable when fighting against Something Bad?
If this worm updated itself from a random group of computers that it had infected (say for example, yours), would you mind if they took control of your computer if it meant stopping the worm?
When will people learn that if you're going to download program updates, you should use public-key cryptography to sign the updates?
If you're going to write a worm, do it right.
Tarsnap: Online backups for the truly paranoid
as a compassionate human being i find this outrageous
to use the innate homing behavior of a wild natural creature like this virus against it...
to warp its natural instincts to find home into the means by which it kills itself displays a craven lack of respect for computer worm/virus entities
do not these strange and wonderful beings deserve our respect and encouragement? is there no natural sanctuary of a subnet on which these beautiful beings can live out their imperative to reproduce? unburdened by the ill wishes of mankind?
is there no compassion on the internet?
outrageous
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I'm SURE this must violate the Fizzer EULA somehow; in fact FizzerCorp has set their legal department to work on this right now!
True ravers don't need drugs
Had anybody bothered following the link to the geocities page before posting the story, they would have seen that the file was "removed for the time being, until further testing on Fizzer's update routine can be done." There has been a great deal of argument in #fizzer as to the legality of such things, and I do not believe that the Fizzer Task Force as a whole decided to do anything of that sort.
I mean seriously, this article just SCREAMED for a title like Fizzer Fizzles Out, or something like that. I don't blame Slashdot, I blame DShield.org for their lack of insight to use good reporting techniques such as headlining...
...didn't get a hold of the Geocities page...Otherwise there would be 120398123 people un-happy with a "free-trial" of Norton AV on their desktop right now.
-Rob
Viruses should put EULAs on them! I mean how many times do you see them posted to bugtraq, or dissected and discussed. This is a clear violation of the copyright the author has on the code!
Of course, I'd love to see that author try to sue someone over it.
Cracker: He stole my virus.
Judge: I award you $1000 in damages, and 20 years in jail.
If someone broke into your house, would you mind if a friendly neighbor quietly followed them in and escorted the intruder out? Or perhaps you'd prefer your neighbor to let the intruder rob you, or whatever they intended to do.
They also didn't "hack" geocities like some have suggested...
I dunno, I just don't see anything wrong here.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
Sure, it's not ethical on its own to force a download on people... but it is likely MORE ethical than allowing these clueless infected types to continue to infect others.
If someone's unconscious and bleeding from their head, is it ethical to patch up their head wound without their permission? I'd hope so.
--- http://foo.ca
It would have been smarter for the worm to verify a signature on the code it downloads.
Even better, it should not go to a hardcoded URL. This makes it too easy for the enemy to take over a vulnerable web page and attack the worm operation.
The worm should download its code via P2P, maybe IRC, or maybe even Freenet. Especially Freenet. This way, the more the worm updates are requested, the more they replicate.
Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.
Finally, you had better not be shown to have the private key when the bad guys come knocking.
The price of freedom is eternal litigation.
After reviewing the arguments, I've concluded this is a good thing. Maybe even a necessary thing. Here's why:
Have you ever tried to explain to an end user what a virus is and how it works? Few have a decent understanding of what viruses are all about. Even folks with a technical background have a hard time keeping up with them, and knowing all the types.
As operating systems and viruses get more complicated, this gap will only get wider. I saw that article/paper arguing that as computers become almost biological in complexity, they must be able to fix their own minor problems. Same type of thing.
Oh, that's a great idea! How about a flashing red popup window, that says "Your computer may have a VIRUS! Punch the monkey to remove it!"
...Would you click it?
Looks like it's better to ask forgiveness than seek permission.
My Linux Command of the Day site : LCOD