New Worm Covers All The Bases

By Larry Seltzer  |  Posted 2003-05-14 Print this article Print

Why do people launch strange attachments? Why don't they install important updates? Go Fizzer.

Im still wondering whats so special about the Fizzer worm that set the Net on fire this past week. Reports from antivirus vendors had the new worm spreading far and wide. Its Wednesday night and the storm appears to be passing. A second payload could somehow lie undetected and ticking, but enough smart programmers with enough debuggers have had their crack at it that Im satisfied its well-understood.

The most important thing I understand about it is that there is little new and innovative about the method of infection. You get an executable file, you run it, youre infected. The obvious lesson: Dont do that.

Once youre infected, Fizzer really is interesting. Its a grab bag of hacker tools in one compact package. It has backdoors for attackers to command it through IRC, AIM, and even a mini http server. Its got a keylogger in it and a facility, ironically just like the antivirus software it attempts to disable, to update itself from a particular web site (the updates are not and wont be available). I think the most innovative part of it is that it copies itself to the KaZaA share folder in order to distribute itself across that network. Apart from this little twist, the only way to get the executable is through the kind of mass-emailing that has been well-understood for years. And even with the KaZaA thing youd still have to run the program.

And not only is it well understood, its been fixed in the most common email programs for years. Im pretty sure Clinton was President (or was it Eisenhower?) when Microsoft issued the fixes to prevent Outlook and Outlook Express from accepting executable attachments by default, and to prevent unauthorized programs from accessing the address book. Still programs like this continue to propagate in the wild, and I suspect that the people who have them actually have all of them and pass them around to each other.

So just how widespread is Fizzer? F-Secure has had a "LEVEL 1 ALERT" on it since Friday and Monday they issued a press release about the seriousness of the situation. Symantec also rates it in epidemic proportions.

Network Associates, on the other hand, says that the Fizz has started to go flat, although that brings the threat down from Defcon 5 to maybe a 3. The Fizzer report from Sophos says that they have "received several reports of this worm from the wild." Sophos is typically cautious and understated in their reports from the wild. This statement makes it clear that Fizzer is out there, but it doesnt actually say that its a problem for their corporate-oriented customer base.

Finally, I checked my own antivirus logs and asked some friends of mine, and I see none of it. Admittedly none of us are KaZaA types, but I get half a dozen Klez.h messages a day. Im skeptical.

I ask again: Whats so different about this virus that it would spread as wildly as is claimed under conditions that should impede its distribution? Ive thought it over and the only thing I can come up with is that credulous KaZaA users actually run the executables that show up in their share folders. Nothing else makes sense to me; none of the other innovations in the worm are meant to further its spread, but to make it available for remote management and exploit in a DDOS attack.

And the KaZaA users must either not be running antivirus software, or they have run the infected executable before Fizzer-aware definitions showed up on their systems. Incidentally, I have noticed Norton LiveUpdate running 3 times in the last 2 or 3 days, so Symantec is hard at work on something.

Maybe well never be rid of threats like this. Users have all the tools they need to protect themselves but that hasnt stopped the attackers. It looks like the worm writers are getting smarter, and lots of users seem to be taking their dumb pills every morning.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel