I'm still wondering what's so special about the Fizzer worm that set the Net on fire this past week. Reports from antivirus vendors had the new worm spreading far and wide. It's Wednesday night and the storm appears to be passing. A second payload could somehow lie undetected and ticking, but enough smart programmers with enough debuggers have had their crack at it that I'm satisfied it's well understood.
The most important thing I understand about it is that there is little new and innovative about the method of infection. You get an executable file, you run it, you're infected. The obvious lesson: Don't do that.
Once you're infected, Fizzer really is interesting. It's a grab bag of hacker tools in one compact package. It has backdoors for attackers to command it through IRC, AIM, and even a mini HTTP server. It's got a keylogger in it and a facility, ironically just like the antivirus software it attempts to disable, to update itself from a particular web site (the updates are not and won't be available). I think the most innovative part of it is that it copies itself to the KaZaA share folder in order to distribute itself across that network. Apart from this little twist, the only way to get the executable is through the kind of mass-emailing that has been well understood for years. And even with the KaZaA thing you'd still have to run the program.
And not only is it well understood, it's been fixed in the most common email programs for years. I'm pretty sure Clinton was President (or was it Eisenhower?) when Microsoft issued the fixes to prevent Outlook and Outlook Express from accepting executable attachments by default, and to prevent unauthorized programs from accessing the address book. Still, programs like this continue to propagate in the wild, and I suspect that the people who have them actually have all of them and pass them around to each other.
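The Outlook fix described above amounts to refusing attachments whose extension is on a blocklist. The following is an added example, not code from the original post or from any mail client: it parses a message, flags attachments that are executables, and checks the file's magic bytes as well as the extension, so a double extension ("photo.jpg.exe") or a PE binary renamed to ".jpg" is still caught. The same classifier can be run over a file listing from a share folder such as the KaZaA one the worm copies itself into. The extension list and the sample message are constructed for the example, not taken from the post or from any vendor's list.

```python
"""Flag executable attachments in a mail message.

Added example; not from the original post. The extension list is an
assumption drawn from common practice, not any client's actual blocklist.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will hand straight to a program loader or interpreter.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "wsf", "hta", "cpl",
}


def looks_executable(filename, data):
    """Return (is_executable, reason) for a file name and its leading bytes.

    Magic bytes are checked first: a Win32 binary starts with the DOS 'MZ'
    header no matter what the file is called.
    """
    name = (filename or "").lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if data[:2] == b"MZ":
        return True, "MZ header"
    if ext in EXECUTABLE_EXTENSIONS:
        return True, f".{ext} extension"
    if ext == "zip" or data[:2] == b"PK":
        return False, "archive (inspect contents separately)"
    return False, "not executable"


def scan_message(raw_bytes):
    """Return [(filename, reason)] for every attachment that looks executable."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        hit, reason = looks_executable(part.get_filename(), data)
        if hit:
            flagged.append((part.get_filename(), reason))
    return flagged


def build_sample():
    """Constructed sample message (not a real worm sample) with three attachments:
    a double-extension PE file, a PE file renamed to .jpg, and a genuine JPEG."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "check this out"
    msg.set_content("see attached")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60          # fake DOS/PE header
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 60  # real JPEG magic
    msg.add_attachment(pe_stub, maintype="application",
                       subtype="octet-stream", filename="photo.jpg.exe")
    msg.add_attachment(pe_stub, maintype="image",
                       subtype="jpeg", filename="holiday.jpg")
    msg.add_attachment(jpeg_stub, maintype="image",
                       subtype="jpeg", filename="real.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample()):
        print(f"BLOCK {name}: {reason}")
```

Note that the MIME type claimed by the sender ("image/jpeg" on the renamed binary) is never trusted; only the name and the bytes count. Archives are deliberately not flagged here, since deciding about their contents means unpacking them, which is a separate step.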
So just how widespread is Fizzer? F-Secure has had a "LEVEL 1 ALERT" on it since Friday, and on Monday they issued a press release about the seriousness of the situation. Symantec also rates it in epidemic proportions.
Network Associates, on the other hand, says that the Fizz has started to go flat, although that brings the threat down from DEFCON 1 to maybe a 3. The Fizzer report from Sophos says that they have "received several reports of this worm from the wild." Sophos is typically cautious and understated in their reports from the wild. This statement makes it clear that Fizzer is out there, but it doesn't actually say that it's a problem for their corporate-oriented customer base.
Finally, I checked my own antivirus logs and asked some friends of mine, and I see none of it. Admittedly none of us are KaZaA types, but I get half a dozen Klez.h messages a day. I'm skeptical.
I ask again: What's so different about this virus that it would spread as wildly as is claimed under conditions that should impede its distribution? I've thought it over and the only thing I can come up with is that credulous KaZaA users actually run the executables that show up in their share folders. Nothing else makes sense to me; none of the other innovations in the worm are meant to further its spread, but to make it available for remote management and exploit in a DDoS attack.
And the KaZaA users must either not be running antivirus software, or they have run the infected executable before Fizzer-aware definitions showed up on their systems. Incidentally, I have noticed Norton LiveUpdate running 3 times in the last 2 or 3 days, so Symantec is hard at work on something.
Maybe we'll never be rid of threats like this. Users have all the tools they need to protect themselves, but that hasn't stopped the attackers. It looks like the worm writers are getting smarter, and lots of users seem to be taking their dumb pills every morning.