Fizzer Worm Uninstalling Itself

boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also postted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."

In other News...

[lukew]

The fizzer worm information minister soon after came forth to announce that the site had in fact not been taken over, and that the fizzer worm was more fertile then ever.

Not neccessarily the end.

[Spad]

Looks like the Fizzer worm will soon come to an end.

We're crossing our fingers that the bots are looking for an executable
to update themselves..

Well if they're not then the page becomes semi-useless. Although I suppose it will still prevent 'legitimate' updates of the bots.

Not even the beginning of the end

[isn't my name]

According to a more recent post on dshield:

To: irc-security@lists.noc.ic5.net, IRC.Admins@ldsn.org
Reply to: irc-security@lists.noc.ic5.net


Update: The file has now been removed for "testing".

I.E. we don't think the code is being executed. :(

Also, apparently the "update routine" on Fizzer only runs once a day, though that's totally unconfirmed.

James ('Herbster')

(Server Admin, irc.ZiRC.org)

Let this be a listen to self updating worm writers

[SeanTobin]

If you are going to go to the trouble of writing a worm that will update itself automatically, for gods sake, cryptographicaly sign the updates!

We don't want a repeat of this fiasco...

Re:Let this be a listen to self updating worm writ

[KDan]

That's not funny, that's just plain true. And a clever worm writer can probably tap into SSL libs in IE or Moz to avoid having to include the whole crypto libs with the worm. So it seems pretty doable. So I'd say this was a lucky strike.

Daniel

Sign the updates, and use a P2P network.

[Alethes]

What if they were to sign the updates and make the source decentralized by turning every one of the infected boxes into a node on a P2P network from which the worm would get its updates? It seems gaining control of the source would become exponentially more difficult as the worm spread. Not only that, but it would wreak havoc on these P2P networks, as well, and that means even those that are technically savvy enough to not get infected will at the very least be annoyed by the clutter.

Full Text of Article

[insomnike]

Just a quick note to say that we (we as in Fizzer Task Force/IRC Unity)
now control the update page, and have posted a mirror of the
http://www.debugoutput.com/fizzer.php site on the geocities website that
fizzer uses to update itself.

We have also postted a fizzer cleaner to the actual URL that the bot
downloads its updates from, as a self extracting and running executable.
We're crossing our fingers that the bots are looking for an executable
to update themselves..

We'll keep you updated..

Regards,

--
John McGarrigle
IC5 Networks

Re:Full Text of Article

[Realistic_Dragon]

How is automatically downloading a antivirus any more legal or ethical than automatically downloading a virus without user permission?

I applaud the sentiment, but do the ends justify the means? I don't think Joe Slashdotter would be too happy with the idea of enforced antivirus affecting _his_ PC, for example if the government mandated it, because you can be sure that that precident would soon be followed by anti-piracy, anti-crypto, anti-free-speech, anti-everything-else in short order.

I suppose you could argue that 'we aren't inserting the data ourselves, we just made it available' - but that's little more than sophistry.

Re:Full Text of Article

[Urkki]

But this isn't "mandated" in any way. If you have a computer that automatically downloads and executes a file from a URL, then that's *your* problem, isn't it? Especially since there are ways to avoid such things from happening... (Starting with personal firewall that blocks IE from accessing the network, and use some other browser...)

Re:Full Text of Article

[Realistic_Dragon]

But this isn't "mandated" in any way. If you have a computer that automatically downloads and executes a file from a URL, then that's *your* problem, isn't it?

Yes, but the people who put the file there cannot really claim that they didn't know that the file would be downloaded without the knowlage of computer users onto their machine. They could have just deleted the file.

Especially since there are ways to avoid such things from happening... (Starting with personal firewall that blocks IE from accessi

Re:Full Text of Article

[Urkki]

Yes, but the people who put the file there cannot really claim that they didn't know that the file would be downloaded without the knowlage of computer users onto their machine. They could have just deleted the file.

I guess that would make them liable to pay damages if their removal code did some damage, and doing something like that is sticking their necks out to be chopped off. Which makes them either unselfish and brave, or stupid.

Too bad there really isn't any "real-world" analogy for this case...

Pedantic ethic in a vaccuum...

[xinit]

I still get hits from Nimda and Code Red on my apache server. Plenty of them. I'd be very happy to see those ancient beasties exterminated in just this fashion.

Sure, it's not ethical on its own to force a download on people... but it is likely MORE ethical than allowing these clueless infected types to continue to infect others.

If someone's unconcious and bleeding from their head, is it ethical to patch up their head wound without their permission? I'd hope so.

Re:Full Text of Article

[sjames]

How is automatically downloading a antivirus any more legal or ethical than automatically downloading a virus without user permission?

Essentially, the same way the fire department has implied permission to save your house and pets should your house catch fire when you are unreachable.

That is, the worm presents a danger to other people's property (servers) and it's a good bet that anyone having it would sincerely like it to be gone. Anyone who WANTS the worm to remain, AND hasn't isolated it from the

Re:Full Text of Article

[sjames]

But they don't have implied permission, they have explicit permission from an elected government (at least here). In this case the people doing this are akin to a band of vigilantes, something that civilised socienties all over the world have rejected in the real world.

They are more like a volunteer fire department. In the absense of an appropriate civil authority, sometimes, citizens must get together to do the appropriate thing.

Vigilanteism is an act of ignoring an existant and appropriate civil au

wow

[j0nb0y]

nice hack.

Now the computer security community gets to have a big debate over whether this was ethical or not...

Re:wow

[Zathrus]

just like if a fireman pulls a victim from a burning building s/he's a hero, but if John Q. Passerby tries to help he's arrested for tresspassing.

Want to show a case proving this? Even vaguely?

In fact, most states have "Good Samaratin" laws which are specifically designed to protect anyone attempting to save someone else's life against prosecution -- this comes up most often in CPR training, since some bozos have had the gaul to try and prosecute the CPR giver for providing CPR and not saving the person's life.

I'd say you were just a troll, but your posting history doesn't show that. So I'm guessing you're either stupid or grumpy.

In response to the original question - as long as it's done purely for the purpose of removing the worm in the first place I'd say it's ethical. You could argue that they should also patch the holes that let the worm in in the first place (presuming there were some - I believe Fizzer is just executed by unsuspecting people), but I'd say that's crossing the line -- you have no idea if there was a valid reason for the user to not patch -- it may be that the patch causes issues with their computer. Uninstalling the worm is unlikely to cause problems though, as long as the uninstaller does the job right.

Re:wow

[Zak3056]

Want to show a case proving this? Even vaguely?


There was an instance about two months ago of a man whose apartment was on fire running into the burning building to save his dog. The fire department had the police arrest him.

The FD did not want to enter the building because it was too hot/dangerous, and wanted to let the hoses cool things down a bit at first (a perfectly sane decision, IMHO, since there was no human life at stake.) The pet owner didn't like that idea, so took matters into his own hands

Re:Helpfully

[spanky1]

You know, the source for that phrase is from a popular book.

Harry Potter?

Gateway to Thousands of Machines

[bjb]

Hey Kids! Want to take over thousands of people's machines? Hack Geocities and install your own 3733t "eYe r0K uR w0RlD" binary at this URL! ...

I can only imagine that this is now the bullseye for hundreds of crackers who want to compromise people's computers. I hope the honest security people who have "taken control" of this page are making sure every few seconds that their true uninstaller program is there, and not someone else's kRaK program.

Re:Gateway to Thousands of Machines

[Ryan Amos]

My guess is the fizzer people talked to geocities to gain control of the account. I'd imagine geocities' security is pretty solid, it's NOT hard to secure a box if you REALLY want to. 99.999% of security breaches are from default daemons left on and never updated so the vulnerabilities persist. If you update your software and check your CGIs (the other 0.001% of system breakins come from bad CGIs) for vulnerabilities (as I'm sure geocities has) then you're fine.

Hacked into Geocities?

[Salamanders]

...now control the update page...

At what point does the vigalante hacking become acceptable when fighting against Something Bad?

If this worm updated itself from a random group of computers that it had infected (say for exmple, yours), would you mind if they took control of your computer if it meant stopping the worm?

Re:Hacked into Geocities?

[Anonymous Coward]

We now control the update page because a particularly observant FTF member noticed that geocities had deleted the page, and registered it for themselves. No hacking involved.

Next time try doing a little research (like asking in the IRC channel) before posting.

Re:Hacked into Geocities?

[42forty-two42]

Next time try doing a little research (like asking in the IRC channel) before posting.

You're new here, aren't you?

Re:Hacked into Geocities?

[rillian]

If they do a good job without breaking anything else or causing additional inconvenience I wouldn't mind at all. Would you mind if some stranger came along and pulled the weeds out of your garden? It's like they're doing system administration for free; if their interest and yours is in improving the state of the networks commons, such division of labor is only an efficiency.

People get concerned about security as an end unto itself, forgetting the real world is messier than that. An excess of control can be as wasteful as a deficit. What's good for the RIAA is good us too. It's never good to be a battleground of course, but ants in the basement are better than roaches in the kitchen. If the one prevents the other, why not?

Thus we should patch security holes not to keep someone from using a few resources we wouldn't miss, or indeed use in the meantime, but because someone might combine those resources with ten thousand other compromised machines to perform a nuisance attack on another host, or with ten million to do the same to the net at large.

Re:Hacked into Geocities?

[aonaran]

Would you mind if some stranger came along and pulled the weeds out of your garden?

I would. I wanted those weeds there, dandelion makes a good salad.

*Sigh*

[cperciva]

When will people learn that if you're going to download program updates, you should use public-key cryptography to sign the updates?

If you're going to write a worm, do it right.

Re:*Sigh*

[will_die]

You just go the simple route, include an EULA saying that doing this is against the DCMA.
Then sue.

Re:*Sigh*

[connorbd]

Though admittedly "Digital Copyright Millennium Act" is perfectly accurate...

(mod self -1, Silly) /Brian

Quota?

[42forty-two42]

Why isn't the geocities site saying it's 'bandwith exceeded' or something?

outrageous

[circletimessquare]

as a compassionate human being i find this outrageous

to use the innate homing behavior of a wild natural creature like this virus against it...

to warp it's natural instincts to find home into the means by which it kills itself displays a craven lack of respect for computer worm/ virus entities

do not these strange and wonderful beings deserve our respect and encouragement? is there no natural sanctuary of a subnet on which these beautiful beings can live out their imperative to reproduce? unburdened by the ill wishes of mankind?

is there no compassion on the internet?

outrageous

Nice..

[Komarosu]

Guess thats another thing worm writers will pick up...dont have autoupdate from a website, without that little "feature" the worm would probably hang around for alot longer.

Re:Nice..

[Loosewire]

i would say not. I think what most virus writers want to do is get a worm that quickly spreads to everyone. Weather it hangs around is of no importence, so having a way it could be disabled after a reasonable ammount of time (a few weeks) would not be bad for them. Just like game companies only have copy protection so they get huge sales for the first week or so, - they know the protection will be broken but not for a short while afterwards.

Fact Checking

[Brightest Light]

Nicely done, Slashdot!

Had anybody bothered following the link to the geocities page before posting the story, they would have seen that the file was "removed for the time being, until further testing on Fizzer's update routine can be done." There has been a great deal of argument in #fizzer as to the legality of such things, and I do not believe that the Fizzer Task Force as a whole decided to do anything of that sort.

Ansivirus companies' advice

[42forty-two42]

From the F-Secure page:

The current variant of the worm can uninstall itself if a file with the following name is found in the Windows main directory:

Uninstall.pky

When the worm finds a file with this name, it kills all its tasks and removes its registry keys thus disinfecting a system.
[...]

To get rid of the worm, it is enough to delete its files from the Windows main directory and from the Kazaa shared folders. Please download and execute the following Registry patch:

Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...

Re:Ansivirus companies' advice

[httptech]

Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...

That's actually what the de-fizzer executable was designed to do. Unfortunately, it looks like there are timing/logic issues with the update that haven't been worked out (different threads of the worm are run conditionally, at different times)

Another vector that people (including myself) are working on is using the "PING" buffer overflow to launch the self-destruct mechanism from the IRC server.

My submission:

2003-05-15 16:36:12 Fizzer Worm Self-Destruct Sequence Triggered by Fizzer Task Force (articles,security) (rejected)

the worm has proved itself to be a new lifeform

[andy666]

so i think it is morally wrong to kill them all. who are we to decide which new e-species lives and which dies ?

(see star trek for more on this topic....)

Somound needs to be more creative...

[Anonymous Coward]

I mean seriously, this article just SCREAMED for a title like Fizzer Fizzels Out, or something like that. I don't blame Slashdot, I blame DShield.org for their lack of insight to use good reporting techniques such as headlining...

Don't worry...

[new death barbie]

...they'll get another chance on the duplicate posting...

Good thing Symantec....

[caffeinex36]

...didn't get a hold of the Geocities page...Otherwise there would be 120398123 people un-happy with a "free-trial" of Norton AV on thier desktop right now.

-Rob

Great!

[varjag]

While they are at it, could they also made worm install some simple firewall and anti-viral software at user's marchines?

DMCA violation?

[dcavanaugh]

Hmmm... hijacking a web page to interfere with the virus' self-update. Is this an illegal "circumvention" of a "protection feature" in this copyrighted program (regardless of how it's installed)?

Don't get me wrong; I applaud the efforts of the virus busters; I just figured it was yet another example of unintended DMCA side-effects.

Just walk without a rhythm...

[sopuli]

Because, if you walk without a rhythm, you won't attract the worm.

I just Googled uninstall.pky

[Madcapjack]

I just google uninstall.pky at 3:06pm Polish time, and I received 28 results. Lets see how fast this info spreads on Google

Props to the White Hats

[Sergeant Beavis]

Its nice to see some people just looking to do some good.

wtf is going on here?

[Ender Ryan]

Am I just being incredibly dense? What are so many here complaining about? How could you possibly consider it to be morally wrong for someone to use a worm's own properties to fight it? People who are "unintentionally downloading and running" this fix were already hacked, and are no longer in control of their machines.

If someone broke into your house, would you mind if a friendly neighbor quietly quietly followed them in and escorted the intruder out? Or perhaps you'd prefer your neighbor to let the intruder rob you, or whatever they intended to do.

They also didn't "hack" geocities like some have suggested...

I dunno, I just don't see anything wrong here.

Re:wtf is going on here?

[httptech]

More and more worms and viruses are going to crush the internet under their weight if they are not stopped somehow. It's somewhat akin to the wild west here... there is no "law" that can contain these hostile entities. It's up to the town affected to form a posse and take care of business.

An look at ethical issues involved in "hacking-back" was written by a cow-orker of mine. It looks at different ethical systems and how they might be applied here.

It's called "Crossing the Line: Ethics for the Security Professional [lurhq.com]"

Reverse Engineered Fizzer?

[nurb432]

Isnt that a violation of the DMCA?

Sure i agree its a good solutoin, but if they all get sued for it.... no good deed goes unpunished..

Re:Reverse Engineered Fizzer?

[Wizard of OS]

Get sued by who? The guy who wrote Fizzer? :)

Great idea! Next let's...

[MongooseCN]

Next let's take over the MS Update site and put REAL patches on there. Then when the client updates his system, he won't be installing more holes.

But won't Micro$oft get upset when...

[linuxwrangler]

their update site converts all those machines to Linux?

definitely a good thing.

[theflea]

After reviewing the arguments, I've concluded this is a good thing. Maybe even a necessary thing. Here's why:

Have you ever tried to explain to an end user what a virus is and how it works? Few have a decent understanding of what viruses are all about. Even folks with a technical background have a hard time keeping up with them, and knowing all the types.

As operating systems and viruses get more complicated, this gap will only get wider. I saw that article/paper arguing that as computers becom almost biological in complexity, they must be able to fix their own minor problems. Same type thing.

No more fizzer

[aztektum]

until the Pfizer worm comes around and then we're all in for a hard time

i got nothin' this morning

Something wrong here?

[Monofilament]

Ok .. i don't know much about Fizzer.. but if its keeping itself alive by self updating off of a geocities site, AND WE KNEW THIS. Why the hell didn't geocities just take the site off?

I mean I can't even link a picture from geocities to another site.. but Geocities lets this worm update itself from something on the webpage?

Even past that i saw something mentioned about bandwidth.. if Fizzer is that bad wouldn't its constant updating overload the free bandwidth from the geocities site?

Educate me please.. I'm kinda confused here.

Fizzer is not Curious Yellow, but it's close.

[nounderscores]

as secolactico (UID:519805) pointed out, Fizzer could be upgradeded to a Curious Yellow class worm.

And I worked out how to kill it in a post in the Curious Yellow Discusion [slashdot.org].

subsequent posters suggested that designing a worm using crypto and a truly distributed archetecture would make us a lot less smug in future.

we've been warned folks. What are we going to do about it?

how is this ok and code green wasn't?

[dougnaka]

For those of you who are not familiar Code Green was an anti-code red listener that would automatically connect to an attacking code red infected server and clean it up. link to news story about code green [vnunet.com] People in the "security community" were inflamed, and the general consensus was that this was illegal, and many people, myself included, decided not to install code green. Now, code red attacks are still common in my server logs..

Looks like it's better to ask forgiveness than seek permission.

worm should have used DRM kind of stuff.

[Luzumsuz Lazim]

Well, the next time, the author of the worm will probably be more careful in writing the code that executes the update package which is SIGNED by her private key. So, this kind of (elegant) solution won't do the trick...

Right idea, wrong URL.

[AnotherBlackHat]

They should have taken over this one [microsoft.com] ;)

-- this is not a .sig

Re:Huh?

[Washizu]

No, the Fizzer runs the code. I think this is a pretty elegant solution to the problem.

Seems similar to RIAA requests...

[dnoyeb]

This seems like what the RIAA wanted permisison to do. They believe its their content so they have access to it no matter where it is.

I mean this in the context of the Geocities web page. Do they have permission to alter the contents of that page??

Solution is elegant, but lets be consistent and understand the implications.

Re:Seems similar to RIAA requests...

[ceejayoz]

They most likely contacted Geocities and asked for access to the account so they could stop the worm.

Re:Seems similar to RIAA requests...

[MillionthMonkey]

Wow. Is this what it takes to get any sort of response from Geocities?

I set up a Geocities page in 1997. After they were bought by Yahoo, my password stopped working and I haven't been able to delete the page in years- which sucks because it's embarrassing to have a page with the digging man GIF in 2003. Geocities is unresponsive. I guess the solution is to release a worm that checks to see if the page is still there!

Does anybody have a copy of Fizzer? I have to edit one of its resource strings and post t

Re:Seems similar to RIAA requests...

[Washizu]

"This seems like what the RIAA wanted permisison to do. They believe its their content so they have access to it no matter where it is."

DRM itself isn't wrong, it's just a technology. Government mandated DRM is wrong because it eliminates the choice of using it or not. I don't see how that relates to this situation at all, since no laws say people have to have the Fizzer installed.

Re:Seems similar to RIAA requests...

[Moonshadow]

What actually happens is that there's a series of update sites hardcoded into the worm. Reddog (A Magicstar op) found one of them that "Sparky" hadn't registered yet, registered it, and put up the update file with the uninstaller.

Pure genius, really.

Mad props, Reddog. :)

-- Antiarc

Re:Huh?

[Solidblu]

They aren't running code in individual computers. They are merely putting code up which may run on your computer if you have this virus and uninstalls it. I know it sounds bad the way you say it and in general it usually is bad but the URL is out there if you want to disassemble it make sure its just uninstalling. Go ahead. I'm sure other people are interested and doing so. If someone finds out that it is more than just the uninstaller, then we can hang someone.

Re:Huh?

[Anonymous Coward]

This is using an existing virus to hijack your computer. That is a dangerous precedent. In this case, it is a good thing. But what happens when, say zonelabs decides that it should let the police crack your computer in their search for child por nography? Or when AOL decides that it is their best interests to install a backdoor in winamp that phones home when suspected pirate music is played? Or when Microsoft determines your Windows OS is in violation of the latest version of your Hotmail licensing agreement? All in the name of goodness and decency, y'know?

Realistically, I'm not opposed the act. Its a good solution to real problem. But it is more important to maintain civil order. If there was a government approval along the lines of a search warrant to do this, than I say okay. Not that I trust the government, or think it is competent in these matters, but this is what the government should do. It's got its hand in a lot of pies where it doesn't belong, but it's real purpose is civil order and public defense.

Re:Huh?

[Chump1422]

I am a law student, and that post is missing some important facts. The police would have to have a warrant to search your HD, no matter if Zonelabs let them or not. As for the other two scenarios, they can happen right now. It's a matter of contract law and whether or not the EULA allows it and will stand up in court.

Be realistic. They're not hijacking your computer. They're removing a virus.

Don't rely on this advice, though. I am just a student.

Re:Huh?

[Albanach]

Not really, the worm initiated the connection from the user's machine, downloaded the software and executed it - it was pulled by the client not pushed by the server. So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable.

Re:Huh?

[Erasmus Darwin]

"So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable."

Except that they went out of their way to delibrately place this executable where they knew an automated process (which was almost certainly installed without user consent) would execute it from. While I agree with the notion of trying to clean up the Fizzer worm, it's possible they may be going about in a way that's less than lega

Re:Huh?

[Nogami_Saeko]

And it could be argued that people who let viruses like this onto their machines have no training, are incompetant, and need to have experts solve their problems for them.

Let's try another analogy then:

Let's say that you are just an average person going in to get a flu-shot at the doctor.

The flu vaccine wasn't manufactured correctly and has a small amount of contamination that causes people to become slightly feverish. It's not fatal, but it's uncomfortable.

The health authorities, rather than trying to re-vaccinate everyone effected, put the cure (100% safe and effective) into the public water system to help everyone as quickly as possible, prevent the spread of the problem, etc.

How do you feel?

Re:Huh?

[Keebler71]

Aren't they violating the DMCA in doing this? After all, they reverse engineered the virus' code and are interfering with its copy mechanism... do I need to say "copy protection"? :)

Re:Huh?

[scalis]

Im SURE this must violate the Fizzer EULA somehow, in fact FizzerCorp has set their legal department to work on this right now!

Re:Huh?

[Ed Avis]

It would have been smarter for the worm to verify a signature on the code it downloads (a la Xbox) so it couldn't be disabled in this way. Trusting a particular Geocities URL is just silly.

Re:Huh?

[Anonym0us Cow Herd]

It would have been smarter for the worm to verify a signature on the code it downloads

Even better, it should not go to a hardcoded URL. This makes it too easy for the enemy to take over a vulnerable web page and attack the worm operation.

The worm should download its code via. P2P, maybe IRC, or maybe even Freenet. Especially Freenet. This way, the more the worm updates are requested, the more they replicate.

Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

Finally, you had better not be shown to have the private key when the bad guys come knocking.

Re:Huh?

[secolactico]

Especially Freenet.

Yup. Untraceable, but probably useless if you want to use machines behind nat/firewall.

Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

This was the idea behind the Curious Yellow [blanu.net] concept. It was featured on Slashdot a while ago.

Re:Huh?

[WPIDalamar]

Viruses should put EULA's on them! I mean how many times do you see them posted to bugtraq, or disected and discussed. This is a clear violation of the copyright the author has on the code!

Of course, I'd love to see that author try to sue someone over it.

Cracker: He stole my virus.
Judge: I award you $1000 in damages, and 20 years in jail.

Re:Huh?

[nocomment]

FizzerCorp is too busy to sue. They are trying to prepare their defense to say that in fact fizzer does _NOT_ contain SCO code.

Re:Huh?

[apdt]

Hmmm... yes, it seems as though this is opening a can of worms...


Sorry, I couldn't resist it.

Re:Huh?

[facelessnumber]

Oh, that's a great idea! How about a flashing red popup window, that says "Your computer may have a VIRUS! Punch the monkey to remove it!"

...Would you click it?

Re:wtf?

[SComps]

Being that these people are running code on their machine that they have no clue they're actually running.. hammering the piss out of irc networks all over the world, wasting bandwidth, creating havoc and otherwise presenting their computers to whomever wrote this cluster as a gift?

Yeah.. what adverse effects? Can they be any worse than what's already there? Seems to me if you don't have the worm stop worrying about the effects. If you do have the worm.. get rid of it on your own.

The rest of us (the IRC Community) have to deal with the threats as they come down the pike.

Re:wtf?

[kiwimate]

Being that these people are running code on their machine that they have no clue they're actually running...

Exactly. As opposed to Windows Update, which (coincidentally) was vilified just yesterday on these hallowed pages, and will prompt you to allow the update unless you've explicitly turned it off.

Oh wait...

Re:wtf?

[Smallpond]

Fizzer uninstaller:

format c:

I don't see any adverse effects.

Re:wtf?

[JohnFluxx]

Of course 2 wrongs can make a right.

Imagine you were in the bizarre situation where you had to shoot a terrorist to stop him from blowing up the entire world, killing everyone.

It is wrong to kill - but in this situation surely it would be right to.

Re:wtf?

[WPIDalamar]

That's not 2 wrongs. It's 1 wrong that avoids another.

2 Wrongs would be if the terrorist blew up the world, so then you kill him.

I guess 1 wrong can make a right!

Re:wtf?

[ceejayoz]

That page belongs to Geocities, as the worm author had violated the TOS by performing illegal activities with their account. Geocities thus can give out the old account to whoever they want.

Re:wtf?

[Fulcrum of Evil]

It is wrong to kill

Obviously not. If someone is trying to kill me, I am well within my rights to kill him first. It is only murder that is wrong.

But 3 Lefts Do!

[Greyfox]

The two evils in question:

1) Run the risk of potentially damaging peoples' computers by running code on them that hasn't been thorougly tested on all platforms.

2) Leave a massive network of compromised systems in place which could be used to launch a massive DDOS against banks, internet connected water and electrical grids or law enforcement networks.

IIRC (IANAL) the law gives you a good amount of latitude in defending others. This includes the little-used ability to make a citizen's arrest and also allows you to kill to protect others in some circumstances.

I'd put my money on the correct choice being to remove the weapon from the hands of the criminals.

Re:wtf?

[Doug Neal]

In the words of genius cartoonist Gary Larson,

"Yes, yes, I know that, Sydney ... Everybody knows that! ... But look: Four wrongs squared, minus two wrongs to the fourth power, divided by this formula, do make a right."

Re:wtf?

[BigBir3d]

I was referring to unrequested code being run on computers on my network. Fizzer_bad and Fizzer_good should not be there. And there is no verification that Fizzer_good is actually that. Sounds like the perfect way to launch spyware with everyone saying "thank you, may I have another."

No, this is different

[Sycraft-fu]

The worm chooses to go and update itself form this site, this code is an update that tells it to die. So, fi you choose to run the worm, conciously or not, that worm will go get updates regularly, unless you do something to stop it. This particular update just disables it.

Also, intent does factor in to laws. What you intend to do can affect whant kind of crime you are guilt of, or even if you are guilty at all.

Re:wtf?

[Kingsly]

Yeah considering the worm never really got anything from that site in the first place. because the geocities account never existed.

From http://www.livejournal.com/users/kalyan/84241.html [livejournal.com]

Pretty Interesting because this site does not exist and the username was never created with Yahoo!.

Re:wtf?

[Xformer]

Not exactly [livejournal.com].

Re:wtf?

[enjo13]

More interesting, that guy is simply wrong. He lists the page as being:

http://www.geocities.com/spkyupdate/upd1.jpg

when in FACT the page is:

http://www.geocities.com/updatesparky/sp1.7ls

Of course, the detective work I had to do to locate this information consisted of READING THE COMMENTS from the actual page you linked to.

Re:wtf?

[calethix]

" Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?"

I don't know why this is modded as flamebait. I think it's a perfectly valid question. Especially with all the people on slashdot that complain about Windows Update breaking more things than it fixes.

I agree that this now self worm is a good thing and I don't really know what exactly it does but what if there's some infected computer that the fix has an adverse effect on? Are

Re:wtf?

[theLOUDroom]

Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?

Nope. This is perfectly legal. They aren't breaking any security on the infected machines, and they aren't contacting them.

All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

Generally, have illegaly used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.

Since the remote computer is initiating everything, and all they're doing is answering requests, it would be pretty hard to charge them with unauthorized use of your machine.

Think of it this way:

1. The remote computer goes: "What do I do?"
2. The server goes: "Well, since you're asking, I think you should do this."

There's no stolen password, and there's no exploit needed.

Here's another example:

I put a box on the internet, let's call it pk12.foobar.com. This box is a Linux box which accepts any username/password combo as root, and no notices that it is for private use only. Under NYS law (I'm not sure about federal) you can come along and use any services my box provides, including telnet, http, ftp, etc.

IMO, if the fix trashes your data, tough shit. Are owners of DDOS zombies held responsible for the damage their computers are doing?

Morally, this is like parking in front of a hydrant and then bitching because they smashed your windows to run the hose though your car or towed it. It's doesn't matter if you knew you were parked in front of the hydrant. Your car was causing a danger and it had to be dealt with. If you don't want that happening to your car, you should make sure you don't park in front of hydrants. It's your car. You are responsible for it.

Re:wtf?

[Proaxiom]

All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

RIAA's counterpoint:
All we're doing is putting a virus-infected MP3 file on our own machines and running KaZaA. It's not our fault that people download it and run it on exploitable software.

Is there a difference here?

Truthfully, maybe not. If somebody had hacked the geocities page in question and caused fizzer to completely toast the OS it's running on, that would certainly be illegal (even if the person was not the original creator of fizzer). The fact that you are doing something good does not necessarily factor into the law.

However, the key point here is this: nobody is about to go out and sue the Fizzer Task Force for doing this. We are all pretty happy about it, and most of us think it's a pretty clever solution to a real problem.

Re:

[TrebleJunkie]

• 
  All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.
  
  Generally, have illegaly used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.
  

Except that the "access control mechanism" is already broken. The [illegal] virus has already set up shop on that PC. The "fix" merely exploits the behavior of the virus to get a file onto you PC.

Put another way: Just because you didn't create the *original* hole, doesn't give you *any* right to crawl into it on your own.

Put another way: If your software ends up on my machine, ends up *running* on my machine, and I didn't agree to have it there, or run it, you're still in the wrong, no matter your intentions.

So, for the sake of my argument, and because it's what the fix really is, I'm going to call it was it is: an EXPLOIT.

Those infected with the virus are pretty fortunate that the folks who posted the exploit to the Geocities site were well-intentioned folks, instead of someone with more destruction in mind.

Had a black-hat type gotten to the Geocities page first and posted an even _more_ malicious exploit, I have a feeling the opinions here would be very different. If it Were RIAA or the MPAA?!? Look out, man! The bitching and moaning would never cease.

But, it's the whole road to hell/good intentions pavement thing. Eh.

Re:

[ukyoCE]

I think you're flat-out wrong. Motive (and results) are very important.

If a burglar drops his gun, and you pick it up and shoot the burglar, that is a good (and usually legal) thing. If you pick up the gun and shoot the bank teller, you're gonna fry. That should be obvious.

Using an exploit to remove the exploit is a pretty good idea. Of course it should be tested beforehand, and shouldn't do anything risky (like deleting infected files). In this case they said all it does is remove the registry keys

Re:wtf?

[theLOUDroom]

First off, can we get some whitespace? Please?

Good intention does not turn an illegal act into something legal.

Actually there are plenty of laws which consider intent. Here are the NYS computer crime laws [cobleskill.edu] for example. Go ahead, Control-F, type "intent".

Re:wtf?

[theLOUDroom]

OK then, what about all those exploits in web pages -- URLs, malformed html, etc? If you put a poison html page that you *know* is going to cause a certain version of IE or Mozilla viewing it to do something the user never intended, do you really think you can hide behind the "All I was doing was answering requests!" defense? Or what if you managed to get Microsoft's private key for WindowsUpdate, and intercepted people's requests for updates, giving them "updates" that allow you to 0wnz0r their machines. Hey, you didn't install it, you just answered requests! Yeah, see if a jury buys that one.

In your examples a deception, misrepresentation, or a deliberate circumvention of existing security mechanisms is being employed. None of these things are happening here.

In the situation at hand neither of these things is happening. The worm is looking for an .exe at foo.com, and it's getting an .exe at foo.com. The people aren't tricking the computers into coming there or executing anything. These computers we already scheduled to visit the site and execute whatever's there before they ever got involved.

they haven't tested this update on a wide variety of systems, and it may cause a lot of damage and data loss. It's not their place to make that kind of a decision.

Cry me a river. These systems are already hacked. If you want your system to be reliable, you shouldn't have worms on it. It's not like this is the first day Fizzer hit or something.

If you don't want your system to automatically download and execute code at a certain URL, why don't you make sure your system doesn't do so?

I wouldn't be suprised if this method was totally legal.

1. If they were SSHing into the infected machines, you could consider that unauthorized access, but that's not happening. All they're doing is placing a file on a geocities page. The HTTP client/server thing is pretty clear, besides they don't even control the server. Even if you try and argue that the geocities server is accessing the client, the task force isn't in control of it.
2. If they were IP spoofing or redirecting traffic, that would probably be illegal, but that's not happening.
3. If they were taking advantage of a buffer overflow, or some other exploit to accomplish this, that would be illegal. Not so.
4. If there was an intent to do harm, then knowingly putting the program there to do so would probably be illegal. Not happening either.

How about this: Why don't you try and tell me what law you think they're actually breaking?

Normally, I would be against any sort of "hack them back" actions, but I just can't see how this is hacking them. If the infected machines were just checking the webpage for the word "monkey", would adding the work monkey to that page be illegal? I just can't see how it would be.

Re:Could be done better...

[mdfst13]

If I had this worm, I would find the uninstall-executable less intrusive than starting up IE and sending me to a web site. The uninstall only affects the worm's operation. What you are recommending is further cracking my box (admittedly, the box is already cracked, but why go farther). As you are then taking active effort to crack my box, I would regard that as illegal.

An analogy. I regard this as the equivalent of walking by a a car with its windows down in the rain and rolling them up. It's just goo