Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security The Internet

IRC Networks Unite in Fight Against Fizzer Worm 337

Dave writes "Over the past few days, IRC Networks across the internet have felt the brunt of the Fizzer worm. In an unusual display of geek solidarity, representatives from dozens of IRC Networks, including EFNet, IRCNet and DALnet, have gathered to create a Fizzer Task Force. Interesting, and mostly productive results have occurred so far from such a meeting of the IRC minds."
This discussion has been archived. No new comments can be posted.

IRC Networks Unite in Fight Against Fizzer Worm

Comments Filter:
  • IRC Networks across the internet have felt the brunt of the Fizzer worm.

    Now, miniscule web servers, you will feel the brunt of the Slashdot behemoth!

    Interesting, and mostly productive results have occurred so far from such a meeting of the IRC minds.

    And, once this story is published, we'll observe the various effects of futile desperation!
    • I predict the "slashdot effect" won't be working today. All the troll bots will be bussy running fizzer and unable to lauch their usual malicious strikes. Most other sites are capable of riding out normal traffic generated by Slashdot. The fizzer task force is working well right now. Go away, all your bots is broke and Billy G. is going to be angry with you.

      And, once this story is published, we'll observe the various effects of futile desperation!

      If you want your bots back, tell him to push somethin

  • by AlabamaMike ( 657318 ) * on Wednesday May 14, 2003 @09:41AM (#5954582) Journal
    Not to point fingers, but as we all know IRC networks are a major conduit for the distribution of warez. I'm not living in a glass house here, so I'll admit that I've gotten viruses from "packs" downloaded through IRC networks. It's good to see that these guys are coming together and helping to stem the spread of this virus. Unfortunately, I've heard nothing from the KaZaA guys in this line, and they are probably much worse than the IRC people (all their clients are Windows platforms, most of their users are completely clueless, etc.) It takes some skills (not much, but some) to get stuff off IRC. Any jackass can download from KaZaA. That's where the real work needs to be done in order to stop this virus cold.
    -A.M.
    • if that's the case then those jackasses should be able to download from a trustworthy source. /join #fizzer for free mp3's!
    • I just idle in some rooms where i know the people. only file sharing i've done is to send a pic or two

      As for KaZaA, i'm just not using it at all. I haven't heard how well Norton or McAfee protects against Fizzer over different media yet, so i'm just gonna lay low for a while. I suspect that many others will too.

      This brings up another interesting idea. RIAA/MPAA designing virii to attack P2P networked computers (maybe with keywords like 'Usher' in their music files?). HIGHLY illegal, but what do they

    • Maybe that's why quakenet wasn't in the list because of the non existant warez distribution (bots/channels). It's by far the largest [netsplit.de] network. So I think it's pretty odd the worm doesnt target quakenet.
      • QuakeNet probably won't get targeted as they have a highly active anti-worm/trojan squad equipped with a trojan scanner (my work) and other services which hunt the network for flood clones/trojans/illegal botnets automatically.
    • by DNS-and-BIND ( 461968 ) on Wednesday May 14, 2003 @10:25AM (#5954989) Homepage
      We really need to shut down USENET as well, as it's a major conduit for the distribution of warez. FTP is also a big problem. The world wide web is a major, major conduit for the distribution of warez. And don't even talk to me about filesharing networks...all major conduits for the distribution of warez.
      • by Anonymous Coward
        I haven't seen the statistics, but I believe CAT5 ethernet cable is one of the worst piracy tools every made by man. NO copyright protection technology, NO logging or audit trail, and all those wires (both of them) makes it hard for law enforcement to tap.

        I suggest an immediate ban, and the sending of threatining letters to all CAT5 owners.
  • Yeah! (Score:3, Funny)

    by Farley Mullet ( 604326 ) on Wednesday May 14, 2003 @09:42AM (#5954596)

    Let's help these guys out by /.'ing their co-ordinating page!

  • *Ahem* (Score:5, Funny)

    by guacamolefoo ( 577448 ) on Wednesday May 14, 2003 @09:44AM (#5954610) Homepage Journal
    From Symantec:

    Systems Not Affected: Macintosh, OS/2, UNIX, Linux

    Heh. Clearly the work of an evil genius.

    GF.
    • Re:*Ahem* (Score:3, Funny)

      by Anonymous Coward
      Systems Not Affected: Macintosh, OS/2, UNIX, Linux

      I guess that means BeOS is at risk? Oh no!
    • Re:*Ahem* (Score:4, Informative)

      by fred666 ( 597170 ) on Wednesday May 14, 2003 @11:35AM (#5955659) Homepage
      *NIX/Linux systems can be at risk if you're using a misconfigured wine.

      Seriously, wine is getting better every month and can run a wider lot of window$ software, it is not surprising that it will (could?) run windows worms/viruses (which are software written by human after all) and put our supposed-virus-free-OS [insert your preferred flavour of unix here] at the same level of risk than windoze users.

      Please think about it if you install such a software...
  • possible perps (Score:4, Interesting)

    by zogger ( 617870 ) on Wednesday May 14, 2003 @09:44AM (#5954612) Homepage Journal
    --anyone else get the impression this is a pro active anti "piracy" move by the music and movie monopolists? That's what I thought of when I first read about this a couple of days ago. Looks like an attempt to shutdown channels of P2P-ish nets.

    Anyway, that's how I think with crimes, use flatfoot 101, "who profits?".
    • Re:possible perps (Score:2, Interesting)

      by Spottie ( 9455 )
      We don't HAVE any p2p chans - the thing just runs down a network list and isn't targeting anyone in particular.
    • Re:possible perps (Score:3, Insightful)

      by fafaforza ( 248976 )
      Who knows. One thing is for sure though: by publicising their intentions of sabotaging files on Kazaa and distributing viruses, they opened themselves up to such speculation.
    • Anyway, that's how I think with crimes, use flatfoot 101, "who profits?"

      Perhaps this worm is a result of profiteering. However, many computer crimes do not follow this standard profile. "Traditional" (define that how you like) hacks n' cracks are most often done for motives other than profit (direct or indirect). I see no evidence to suggest this is changing.

  • All of this is contributing, unfortunately, to the Death of IRC [topica.com]

    From the official Undernet note in the link:

    "At this point, the future of the Undernet and IRC remains uncertain."
  • can somebody recommend a good free antivirus for Win machines?

    if there is such thing...

    Mainstream media seems to report that the virus comes out of Outlook attachments ONLY, which shows how ignorance can be dangerous if this worm is effectively spread through filesharing networks... :-/
    • by ejaw5 ( 570071 ) on Wednesday May 14, 2003 @09:54AM (#5954714)
      AVG AntiVirus Free Edition is available here: http://www.grisoft.com [grisoft.com] When I used to use windows, AVG was IMO the best antivirus out there in terms of speed and detection, compared to mcAfee and norton.
    • by nolife ( 233813 )
      I've been using AntiVir [free-av.com] for a few months on W2K and 98SE machines. Seems to work pretty good.

      AVG [grisoft.com] appears to be another free one but I have not tried it.

      I was using an older version of NAV Corporate but it seemed too bloated for some of my slower machines. I've also used the scaled down version of Trendmicro that normally comes packaged with new motherboards, it is limited to 3 months of updates unless you pay for a subscription but the price is reasonable if you want to keep using it.
    • by Dioji ( 632761 )
      F-Prot is what I use, and the DOS version is free: www.f-secure.com
    • can somebody recommend a good free antivirus for Win machines?

      I've had pretty good luck with fdisk. It's not exactly free, but it does come with your OS. But what it lacks in features it more than makes up for in savings.

      --
      mcpwhoowhookaaos
    • by twitter ( 104583 ) on Wednesday May 14, 2003 @11:59AM (#5955914) Homepage Journal
      Debian [debian.org], it's like your first visit to the free clinic. Your privates are sore, you are angry with close frinds and you don't like what people at the clinic are telling you. You can leave and things will get worse or you can listen to good advice and not have to go back.
  • PEBCAK (Score:5, Insightful)

    by Kjella ( 173770 ) on Wednesday May 14, 2003 @09:48AM (#5954650) Homepage
    Problem Exists Between Chair And Keyboard. To the very best of my knowledge I haven't been infected by any virus or trojan since the early 90s when I didn't have Internet access and fast virus updates.

    But even running around nekkid, I don't think I'd have caught more than a handful of viruses to begin with. Why the hell is it that people open up all the crap executable stuff they get? I think the best hope is a new generation that has grown up with SPAM, viruses etc. and don't fall for that kind of bullshit. Teaching old dogs new tricks doesn't work, but they will die eventually...

    Kjella
    • user = id10t (Score:2, Interesting)

      Actually, I've been a savy computer user for some time now, IMHO. However, I had a laptop computer totally scrwed up by the 'ravage' boot sector virus. It's a virus that replicates itself on the boot sector of floppy disks, inserting itself right in front of that code that displays the message

      Non-system disk or disk error
      Replace disk and press any key when ready.

      I was caught totally off guard on that one, but I don't think that it indicates a user = id10t problem on my part.

    • Here here!

      Once, in the early ninties, I got the FORM virus from an infected floppy. It was mostly harmless, so I kept it on my machine, kind of like a pet. (Ahh, back when viruses were silly and harmless... Ogre aside). It never caused me any trouble.

      Beyond my "pet," I've never have a Trojan, virus, worm, or exploit bother me. I don't blindly run executables, I don't boot from strange floppies...

      It's hard to get a virus unless you're an idiot. That's just my opinion, but I hold to it. Te only peop
    • Re:PEBCAK (Score:3, Funny)

      by gpinzone ( 531794 )
      I used to just tell people the problem was caussed by a "nut loose behind the keyboard."
    • Re:PEBCAK (Score:5, Insightful)

      by Ed Avis ( 5917 ) <ed@membled.com> on Wednesday May 14, 2003 @10:24AM (#5954978) Homepage
      The best hope is a user interface that clearly distinguishes between *running a program* and *opening a document*. Windows over the years has deliberately blurred this - even in Win3.x Program Manager the command to run an application was called 'Open'. Cute, but it doesn't help people learn the difference between documents, which are just data that can be viewed, and programs, which are instructions for your machine to perform.

      You may object that things like Word macros (and their associated viruses) blur the line between files and executables. But that is another instance of the same problem: 'opening' such a document should be split into the two questions it implies: do you want to *view* the file contents? do you want to *execute* the instructions in the file?

      If user interfaces and especially mail clients bothered to present this distinction to the user then a lot of the worm problems would go away. Some people would still have virus checkers, mostly companies who don't trust their employees not to execute dancing_elephants.exe. But even in those cases, it would be simple to lock down mail clients to not allow execution, as long as they bother to make a clear distinction between viewing and executing to start with. (And as long as the applications they launch, such as Word, do the same.)

      One way of explaining this in non-technical language is: 'If I sent you a letter and it said "please jump off the nearest cliff" and you read it, would it do any harm to you? Why should the equivalent message sent to a computer be any different?'
      • The best hope is a user interface that clearly distinguishes between *running a program* and *opening a document*. Windows over the years has deliberately blurred this

        Don't forget to include an email client that does not run as root and does not execute stuff without asking the user! M$ thinks it so much more important to have email that "works" by blaring noises and flashing picutes at you. Even if these glaring problems could be fixed on Windoze, the lack of distinction you noticed still demands a co

    • Re:PEBCAK (Score:2, Insightful)

      by tomgilder ( 255203 )
      I'm sorry, but trojans like this aren't the user's fault. They're the fault of their computer, allowing an executable from email (or other untrusted source) to run with no restrictions.

      Users should *not* have to be scared of using their computer. The computer should simply stop them from doing anything wrong.

      Users won't learn, so teach the computers instead.
      • Re:PEBCAK (Score:5, Insightful)

        by Ummagumma ( 137757 ) on Wednesday May 14, 2003 @10:45AM (#5955194) Journal
        Replace the word 'computer' with the word 'automobile' in the following sentance:

        "Users should *not* have to be scared of using their computer. The computer should simply stop them from doing anything wrong."

        Now how do you feel about that?

        I'm not agreeing or disagreeing with you here - just food for though.
  • by mao che minh ( 611166 ) * on Wednesday May 14, 2003 @09:48AM (#5954653) Journal
    No, there are no physically adept and good looking individuals complemeted with the obligatory "tough guy". No Tommy Lee Jones-like leader, bravely charging into danger. No electronics laden vans and phone taps. Just a bunch of pasty guys that are experts on Star Trek lore and like to debate the power of Perl.

    "task force"

    Heh

    • by CharlieO ( 572028 ) on Wednesday May 14, 2003 @10:12AM (#5954880)
      Yeah but those pasty guys that are experts on Star Trek lore and know wierd backwaters of Perl can also remove your systems/isp/country from the net without breaking into a sweat.

      And trust me you can cause more pain to more people by dumping thier net connection than you ever could with a swat team.

      First there's the pain for lusers that find thier mail IM and file swappers don't work, then there's the pain in the call centre when harrased techs try to explain to consumers what's going on, then there's the pain felt by the BOFH's with management hovering over thier shoulder, then there is further pain caused by the many minor bumps and niggles and repeats as the systems cope (or not) with the backlog built up in the down time. And after all that, if it was a good one, there are the recriminations on support boards, the calls for compensation, customers leaving, no end of replanning from the management team.

      Ahhhh

      The beauty is that a good DDOS is a gift that just keeps on giving.

      Truly Cthulhu is amongst us :)
  • Lock em down (Score:3, Interesting)

    by Mattygfunk1 ( 596840 ) on Wednesday May 14, 2003 @09:49AM (#5954661)
    The worm attempts to terminate the process of various antivirus programs if they are found to be active.

    Are there any programs that allow processes to be "locked on"? It would be useful to restrict attempts to kill certain processes, to people that can provide the root password.

    There are probably heaps of this kind of thing, and another layer of security is always welcome.

    cheap web site hosting [cheap-web-...ing.com.au] from 3 semi-mongrels a month

  • by burgburgburg ( 574866 ) <splisken06&email,com> on Wednesday May 14, 2003 @09:52AM (#5954685)
    How exactly can we blame Microsoft for this? While we know that Fizzer only operates on the Windows platform and uses the Windows address book to mail itself, it also tries to use Kazaa to spread itself further.

    So, what did Microsoft do wrong that allowed this to happen? 200 words or less. 5 points off each for use of either "dancing monkeyboy" or "Borg".

  • by emptybody ( 12341 ) on Wednesday May 14, 2003 @10:17AM (#5954927) Homepage Journal
    from symentac 'Keylogs all keystrokes to an encrypted file %windir%\iservc.klg.'

    It stores encrypted data on your PC. You cannot use any method to decrypt this data to determine what keystrokes were collected and potentially transmitted.

    Gotta love stupid laws.

    • I want to watch somebody try to use the DMCA against people who decrypt that file. It's almost standing up and admitting that they wrote the virus.

      Hmm.. if the DMCA lawsuit fines in favor of the writer, would any evidence gained from decrypting the file be made inadmissable for the prosecution of the writer?
    • by Alsee ( 515537 ) on Wednesday May 14, 2003 @11:41AM (#5955728) Homepage
      As much as I enjoy your post, I don't think it's accurate. You would be the copyright holder of the keystrokes it is writeing. Therefore you can decrypt the file with the authority of the copyright holder.

      I hope noone takes this as a defense of the DMCA, it is an evil law. The DMCA makes it a crime to sit motionless and think certain thoughts. I really wish it would get struck down as unconstitutional already.

      -
    • It stores encrypted data on your PC. You cannot use any method to decrypt this data to determine what keystrokes were collected and potentially transmitted.

      Gotta love stupid laws.

      Don't worry, the DMCA only applies to circumvention of encryption used to protect huge, rich, multinational coporations and other people trying to make a buck. I doubt anyone would care if you cirumvented encryption to recover your or other people's keystrokes. Britiany Spears's recorded music is protected. Her email, medical

  • I... (Score:3, Interesting)

    by Telent ( 567982 ) <telent AT mordac DOT info> on Wednesday May 14, 2003 @11:49AM (#5955790)
    ... am a technical administrator on a fairly small (100-200 users), Klingon-themed network that plays host to a fairly large Star Trek simming organization.

    This worm was hitting us badly. I personally spent at least six or seven hours slamming the fuck out of the clients (they connect with a very distinctive hostmask/realname/nick) since they started hitting us on Sunday, and we have ~1500 akills for distinctive IP's set up now.

    As you may imagine, manual akills just wasn't cutting it after a while. We all have actual jobs, and sitting on IRC whamming worms is something we don't get paid for. We've fixed our problem with a small Perl script one of our server admins wrote. I don't have the link where he placed it online right now, but I'm sure he'd be okay with sharing if anyone's interested. At the very least, it'll give you some heuristics to work from (the fundamental pattern is a nick with one, two, or three numbers on the end, a real name consisting of two capitalized words, and an identd response made of those two words reversed and conglomerated).

    If there's any other admins of networks out there, pop onto irc.kdfs.net and join #helpdesk. Mention that you're looking for Puffy (me) or Danzak (script writer) and you're interested in our virus client killing bot.

    No false positives so far. :)

  • mIRC != IRC (Score:3, Informative)

    by nurb432 ( 527695 ) on Wednesday May 14, 2003 @11:59AM (#5955912) Homepage Journal
    Just a pet peeve when people refer to it that way.., one is a client of many, the other is a network ( also many )...

    And just sounds like people need to use some common sence, and update signatures.. None of these things should be a huge deal..

  • Symantec tool (Score:3, Informative)

    by BigBir3d ( 454486 ) on Wednesday May 14, 2003 @12:04PM (#5955964) Journal
    main page [symantec.com]

    Removal tool [symantec.com]

    Cleaned up my office yesterday very nicely.
  • Info (Score:4, Informative)

    by Anonymous Coward on Wednesday May 14, 2003 @12:12PM (#5956045)
    For those unaware of what the Fizzer worm does and stuff. You can find most stuff here [trendmicro.com].
  • Impact . . (Score:3, Interesting)

    by geniusj ( 140174 ) on Wednesday May 14, 2003 @12:48PM (#5956349) Homepage
    I run a large dynamic dns provider [ods.org] and have had many many abuse reports lately of people using worms like this. Generally, they will register a host with ODS that is round-robin and points to multiple IRC servers which they point their drones at. The effect with these trojans are huge and I'm surprised they're not covered more. Ones like this one have been around for a while, and are generally used (after infection) for DDoS attacks. Many of these botnets (that I have seen anyway) exceed 10,000 infected clients (in one IRC channel). They place an enormous burden on the IRC Networks (that have to accept all of these clients, a lot of the time, all at once when the command is issued to change servers) and also are fairly visible from our DNS servers (some causing about 10 queries/sec alone to the DNS servers).

    The point is that I've seen these botnets around for months and months now. Almost a year at this point with almost no coverage. I believe the days of smurf attacks are numbered, this is the new way to conduct DoS attacks. They're very effective as well, having seen the attacks targeting servers of mine.

Only great masters of style can succeed in being obtuse. -- Oscar Wilde Most UNIX programmers are great masters of style. -- The Unnamed Usenetter

Working...