Fizzer Worm Uninstalling Itself

boredMDer writes "According to a recent update on the Dshield.org mailing list, apparently the Fizzer Task Force has gained control of the Geocities webpage from which Fizzer updates itself. From an IRC-Security mailing list: 'We have also postted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."

Re:Huh?

No, the Fizzer runs the code. I think this is a pretty elegant solution to the problem.

Re:Seems similar to RIAA requests...

They most likely contacted Geocities and asked for access to the account so they could stop the worm.

Re:Seems similar to RIAA requests...

"This seems like what the RIAA wanted permisison to do. They believe its their content so they have access to it no matter where it is."

DRM itself isn't wrong, it's just a technology. Government mandated DRM is wrong because it eliminates the choice of using it or not. I don't see how that relates to this situation at all, since no laws say people have to have the Fizzer installed.

Re:Seems similar to RIAA requests...

What actually happens is that there's a series of update sites hardcoded into the worm. Reddog (A Magicstar op) found one of them that "Sparky" hadn't registered yet, registered it, and put up the update file with the uninstaller.

Pure genius, really.

Mad props, Reddog. :)

-- Antiarc

Re:Huh?

They aren't running code in individual computers. They are merely putting code up which may run on your computer if you have this virus and uninstalls it. I know it sounds bad the way you say it and in general it usually is bad but the URL is out there if you want to disassemble it make sure its just uninstalling. Go ahead. I'm sure other people are interested and doing so. If someone finds out that it is more than just the uninstaller, then we can hang someone.

Re:Huh?

This is using an existing virus to hijack your computer. That is a dangerous precedent. In this case, it is a good thing. But what happens when, say zonelabs decides that it should let the police crack your computer in their search for child por nography? Or when AOL decides that it is their best interests to install a backdoor in winamp that phones home when suspected pirate music is played? Or when Microsoft determines your Windows OS is in violation of the latest version of your Hotmail licensing agreement? All in the name of goodness and decency, y'know?

Realistically, I'm not opposed the act. Its a good solution to real problem. But it is more important to maintain civil order. If there was a government approval along the lines of a search warrant to do this, than I say okay. Not that I trust the government, or think it is competent in these matters, but this is what the government should do. It's got its hand in a lot of pies where it doesn't belong, but it's real purpose is civil order and public defense.

Re:Huh?

Not really, the worm initiated the connection from the user's machine, downloaded the software and executed it - it was pulled by the client not pushed by the server. So they don't run any software on people's computers, just some people have installed (intentionally or otherwise) a program that chooses to download and run this executable.

Re:Huh?

And it could be argued that people who let viruses like this onto their machines have no training, are incompetant, and need to have experts solve their problems for them.

Let's try another analogy then:

Let's say that you are just an average person going in to get a flu-shot at the doctor.

The flu vaccine wasn't manufactured correctly and has a small amount of contamination that causes people to become slightly feverish. It's not fatal, but it's uncomfortable.

The health authorities, rather than trying to re-vaccinate everyone effected, put the cure (100% safe and effective) into the public water system to help everyone as quickly as possible, prevent the spread of the problem, etc.

How do you feel?

Re:Huh?

Aren't they violating the DMCA in doing this? After all, they reverse engineered the virus' code and are interfering with its copy mechanism... do I need to say "copy protection"? :)

Re:Huh?

Im SURE this must violate the Fizzer EULA somehow, in fact FizzerCorp has set their legal department to work on this right now!

Re:Huh?

It would have been smarter for the worm to verify a signature on the code it downloads (a la Xbox) so it couldn't be disabled in this way. Trusting a particular Geocities URL is just silly.

Re:Huh?

It would have been smarter for the worm to verify a signature on the code it downloads

Even better, it should not go to a hardcoded URL. This makes it too easy for the enemy to take over a vulnerable web page and attack the worm operation.

The worm should download its code via. P2P, maybe IRC, or maybe even Freenet. Especially Freenet. This way, the more the worm updates are requested, the more they replicate.

Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

Finally, you had better not be shown to have the private key when the bad guys come knocking.

Re:Huh?

Especially Freenet.

Yup. Untraceable, but probably useless if you want to use machines behind nat/firewall.

Maybe the worms could even try to keep track of each other, forming their own network, in a very low-key, low bandwidth, gnutella kind of way.

This was the idea behind the Curious Yellow [blanu.net] concept. It was featured on Slashdot a while ago.

Re:Huh?

Viruses should put EULA's on them! I mean how many times do you see them posted to bugtraq, or disected and discussed. This is a clear violation of the copyright the author has on the code!

Of course, I'd love to see that author try to sue someone over it.

Cracker: He stole my virus.
Judge: I award you $1000 in damages, and 20 years in jail.

Re:Huh?

FizzerCorp is too busy to sue. They are trying to prepare their defense to say that in fact fizzer does _NOT_ contain SCO code.

Re:Huh?

Oh, that's a great idea! How about a flashing red popup window, that says "Your computer may have a VIRUS! Punch the monkey to remove it!"

...Would you click it?

Re:Huh?

Hmmm... yes, it seems as though this is opening a can of worms...


Sorry, I couldn't resist it.

Re:wtf?

Being that these people are running code on their machine that they have no clue they're actually running.. hammering the piss out of irc networks all over the world, wasting bandwidth, creating havoc and otherwise presenting their computers to whomever wrote this cluster as a gift?

Yeah.. what adverse effects? Can they be any worse than what's already there? Seems to me if you don't have the worm stop worrying about the effects. If you do have the worm.. get rid of it on your own.

The rest of us (the IRC Community) have to deal with the threats as they come down the pike.

Re:wtf?

That's not 2 wrongs. It's 1 wrong that avoids another.

2 Wrongs would be if the terrorist blew up the world, so then you kill him.

I guess 1 wrong can make a right!

Re:wtf?

That page belongs to Geocities, as the worm author had violated the TOS by performing illegal activities with their account. Geocities thus can give out the old account to whoever they want.

But 3 Lefts Do!

The two evils in question:

1) Run the risk of potentially damaging peoples' computers by running code on them that hasn't been thorougly tested on all platforms.

2) Leave a massive network of compromised systems in place which could be used to launch a massive DDOS against banks, internet connected water and electrical grids or law enforcement networks.

IIRC (IANAL) the law gives you a good amount of latitude in defending others. This includes the little-used ability to make a citizen's arrest and also allows you to kill to protect others in some circumstances.

I'd put my money on the correct choice being to remove the weapon from the hands of the criminals.

Re:wtf?

In the words of genius cartoonist Gary Larson,

"Yes, yes, I know that, Sydney ... Everybody knows that! ... But look: Four wrongs squared, minus two wrongs to the fourth power, divided by this formula, do make a right."

Re:wtf?

Fizzer uninstaller:

format c:

I don't see any adverse effects.

No, this is different

The worm chooses to go and update itself form this site, this code is an update that tells it to die. So, fi you choose to run the worm, conciously or not, that worm will go get updates regularly, unless you do something to stop it. This particular update just disables it.

Also, intent does factor in to laws. What you intend to do can affect whant kind of crime you are guilt of, or even if you are guilty at all.

Re:wtf?

Yeah considering the worm never really got anything from that site in the first place. because the geocities account never existed.

From http://www.livejournal.com/users/kalyan/84241.html [livejournal.com]

Pretty Interesting because this site does not exist and the username was never created with Yahoo!.

Re:wtf?

Isn't this just as illegal as releasing the worm itself? What if the fix has some adverse effects that we don't know about?

Nope. This is perfectly legal. They aren't breaking any security on the infected machines, and they aren't contacting them.

All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

Generally, have illegaly used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.

Since the remote computer is initiating everything, and all they're doing is answering requests, it would be pretty hard to charge them with unauthorized use of your machine.

Think of it this way:

1. The remote computer goes: "What do I do?"
2. The server goes: "Well, since you're asking, I think you should do this."

There's no stolen password, and there's no exploit needed.

Here's another example:

I put a box on the internet, let's call it pk12.foobar.com. This box is a Linux box which accepts any username/password combo as root, and no notices that it is for private use only. Under NYS law (I'm not sure about federal) you can come along and use any services my box provides, including telnet, http, ftp, etc.

IMO, if the fix trashes your data, tough shit. Are owners of DDOS zombies held responsible for the damage their computers are doing?

Morally, this is like parking in front of a hydrant and then bitching because they smashed your windows to run the hose though your car or towed it. It's doesn't matter if you knew you were parked in front of the hydrant. Your car was causing a danger and it had to be dealt with. If you don't want that happening to your car, you should make sure you don't park in front of hydrants. It's your car. You are responsible for it.

Re:wtf?

All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.

RIAA's counterpoint:
All we're doing is putting a virus-infected MP3 file on our own machines and running KaZaA. It's not our fault that people download it and run it on exploitable software.

Is there a difference here?

Truthfully, maybe not. If somebody had hacked the geocities page in question and caused fizzer to completely toast the OS it's running on, that would certainly be illegal (even if the person was not the original creator of fizzer). The fact that you are doing something good does not necessarily factor into the law.

However, the key point here is this: nobody is about to go out and sue the Fizzer Task Force for doing this. We are all pretty happy about it, and most of us think it's a pretty clever solution to a real problem.

Re:

• 
  All they're doing is putting a file on a webpage. It's not their fault that the infected machines run whatever is on that page.
  
  Generally, have illegaly used someone else's computer, you have to have defeated some sort of access control mechanism. At least that's how it is in NYS.
  

Except that the "access control mechanism" is already broken. The [illegal] virus has already set up shop on that PC. The "fix" merely exploits the behavior of the virus to get a file onto you PC.

Put another way: Just because you didn't create the *original* hole, doesn't give you *any* right to crawl into it on your own.

Put another way: If your software ends up on my machine, ends up *running* on my machine, and I didn't agree to have it there, or run it, you're still in the wrong, no matter your intentions.

So, for the sake of my argument, and because it's what the fix really is, I'm going to call it was it is: an EXPLOIT.

Those infected with the virus are pretty fortunate that the folks who posted the exploit to the Geocities site were well-intentioned folks, instead of someone with more destruction in mind.

Had a black-hat type gotten to the Geocities page first and posted an even _more_ malicious exploit, I have a feeling the opinions here would be very different. If it Were RIAA or the MPAA?!? Look out, man! The bitching and moaning would never cease.

But, it's the whole road to hell/good intentions pavement thing. Eh.

Re:wtf?

OK then, what about all those exploits in web pages -- URLs, malformed html, etc? If you put a poison html page that you *know* is going to cause a certain version of IE or Mozilla viewing it to do something the user never intended, do you really think you can hide behind the "All I was doing was answering requests!" defense? Or what if you managed to get Microsoft's private key for WindowsUpdate, and intercepted people's requests for updates, giving them "updates" that allow you to 0wnz0r their machines. Hey, you didn't install it, you just answered requests! Yeah, see if a jury buys that one.

In your examples a deception, misrepresentation, or a deliberate circumvention of existing security mechanisms is being employed. None of these things are happening here.

In the situation at hand neither of these things is happening. The worm is looking for an .exe at foo.com, and it's getting an .exe at foo.com. The people aren't tricking the computers into coming there or executing anything. These computers we already scheduled to visit the site and execute whatever's there before they ever got involved.

they haven't tested this update on a wide variety of systems, and it may cause a lot of damage and data loss. It's not their place to make that kind of a decision.

Cry me a river. These systems are already hacked. If you want your system to be reliable, you shouldn't have worms on it. It's not like this is the first day Fizzer hit or something.

If you don't want your system to automatically download and execute code at a certain URL, why don't you make sure your system doesn't do so?

I wouldn't be suprised if this method was totally legal.

1. If they were SSHing into the infected machines, you could consider that unauthorized access, but that's not happening. All they're doing is placing a file on a geocities page. The HTTP client/server thing is pretty clear, besides they don't even control the server. Even if you try and argue that the geocities server is accessing the client, the task force isn't in control of it.
2. If they were IP spoofing or redirecting traffic, that would probably be illegal, but that's not happening.
3. If they were taking advantage of a buffer overflow, or some other exploit to accomplish this, that would be illegal. Not so.
4. If there was an intent to do harm, then knowingly putting the program there to do so would probably be illegal. Not happening either.

How about this: Why don't you try and tell me what law you think they're actually breaking?

Normally, I would be against any sort of "hack them back" actions, but I just can't see how this is hacking them. If the infected machines were just checking the webpage for the word "monkey", would adding the work monkey to that page be illegal? I just can't see how it would be.

Re:wtf?

First off, can we get some whitespace? Please?

Good intention does not turn an illegal act into something legal.

Actually there are plenty of laws which consider intent. Here are the NYS computer crime laws [cobleskill.edu] for example. Go ahead, Control-F, type "intent".

In other News...

The fizzer worm information minister soon after came forth to announce that the site had in fact not been taken over, and that the fizzer worm was more fertile then ever.

Not neccessarily the end.

Looks like the Fizzer worm will soon come to an end.

We're crossing our fingers that the bots are looking for an executable
to update themselves..

Well if they're not then the page becomes semi-useless. Although I suppose it will still prevent 'legitimate' updates of the bots.

Not even the beginning of the end

According to a more recent post on dshield:

To: irc-security@lists.noc.ic5.net, IRC.Admins@ldsn.org
Reply to: irc-security@lists.noc.ic5.net


Update: The file has now been removed for "testing".

I.E. we don't think the code is being executed. :(

Also, apparently the "update routine" on Fizzer only runs once a day, though that's totally unconfirmed.

James ('Herbster')

(Server Admin, irc.ZiRC.org)

Let this be a listen to self updating worm writers

If you are going to go to the trouble of writing a worm that will update itself automatically, for gods sake, cryptographicaly sign the updates!

We don't want a repeat of this fiasco...

Re:Let this be a listen to self updating worm writ

That's not funny, that's just plain true. And a clever worm writer can probably tap into SSL libs in IE or Moz to avoid having to include the whole crypto libs with the worm. So it seems pretty doable. So I'd say this was a lucky strike.

Daniel

Sign the updates, and use a P2P network.

What if they were to sign the updates and make the source decentralized by turning every one of the infected boxes into a node on a P2P network from which the worm would get its updates? It seems gaining control of the source would become exponentially more difficult as the worm spread. Not only that, but it would wreak havoc on these P2P networks, as well, and that means even those that are technically savvy enough to not get infected will at the very least be annoyed by the clutter.

Full Text of Article

Just a quick note to say that we (we as in Fizzer Task Force/IRC Unity)
now control the update page, and have posted a mirror of the
http://www.debugoutput.com/fizzer.php site on the geocities website that
fizzer uses to update itself.

We have also postted a fizzer cleaner to the actual URL that the bot
downloads its updates from, as a self extracting and running executable.
We're crossing our fingers that the bots are looking for an executable
to update themselves..

We'll keep you updated..

Regards,

--
John McGarrigle
IC5 Networks

Re:Full Text of Article

How is automatically downloading a antivirus any more legal or ethical than automatically downloading a virus without user permission?

I applaud the sentiment, but do the ends justify the means? I don't think Joe Slashdotter would be too happy with the idea of enforced antivirus affecting _his_ PC, for example if the government mandated it, because you can be sure that that precident would soon be followed by anti-piracy, anti-crypto, anti-free-speech, anti-everything-else in short order.

I suppose you could argue that 'we aren't inserting the data ourselves, we just made it available' - but that's little more than sophistry.

Re:Full Text of Article

But this isn't "mandated" in any way. If you have a computer that automatically downloads and executes a file from a URL, then that's *your* problem, isn't it? Especially since there are ways to avoid such things from happening... (Starting with personal firewall that blocks IE from accessing the network, and use some other browser...)

Pedantic ethic in a vaccuum...

I still get hits from Nimda and Code Red on my apache server. Plenty of them. I'd be very happy to see those ancient beasties exterminated in just this fashion.

Sure, it's not ethical on its own to force a download on people... but it is likely MORE ethical than allowing these clueless infected types to continue to infect others.

If someone's unconcious and bleeding from their head, is it ethical to patch up their head wound without their permission? I'd hope so.

wow

nice hack.

Now the computer security community gets to have a big debate over whether this was ethical or not...

Re:wow

just like if a fireman pulls a victim from a burning building s/he's a hero, but if John Q. Passerby tries to help he's arrested for tresspassing.

Want to show a case proving this? Even vaguely?

In fact, most states have "Good Samaratin" laws which are specifically designed to protect anyone attempting to save someone else's life against prosecution -- this comes up most often in CPR training, since some bozos have had the gaul to try and prosecute the CPR giver for providing CPR and not saving the person's life.

I'd say you were just a troll, but your posting history doesn't show that. So I'm guessing you're either stupid or grumpy.

In response to the original question - as long as it's done purely for the purpose of removing the worm in the first place I'd say it's ethical. You could argue that they should also patch the holes that let the worm in in the first place (presuming there were some - I believe Fizzer is just executed by unsuspecting people), but I'd say that's crossing the line -- you have no idea if there was a valid reason for the user to not patch -- it may be that the patch causes issues with their computer. Uninstalling the worm is unlikely to cause problems though, as long as the uninstaller does the job right.

Gateway to Thousands of Machines

Hey Kids! Want to take over thousands of people's machines? Hack Geocities and install your own 3733t "eYe r0K uR w0RlD" binary at this URL! ...

I can only imagine that this is now the bullseye for hundreds of crackers who want to compromise people's computers. I hope the honest security people who have "taken control" of this page are making sure every few seconds that their true uninstaller program is there, and not someone else's kRaK program.

Re:Gateway to Thousands of Machines

My guess is the fizzer people talked to geocities to gain control of the account. I'd imagine geocities' security is pretty solid, it's NOT hard to secure a box if you REALLY want to. 99.999% of security breaches are from default daemons left on and never updated so the vulnerabilities persist. If you update your software and check your CGIs (the other 0.001% of system breakins come from bad CGIs) for vulnerabilities (as I'm sure geocities has) then you're fine.

Hacked into Geocities?

...now control the update page...

At what point does the vigalante hacking become acceptable when fighting against Something Bad?

If this worm updated itself from a random group of computers that it had infected (say for exmple, yours), would you mind if they took control of your computer if it meant stopping the worm?

Re:Hacked into Geocities?

We now control the update page because a particularly observant FTF member noticed that geocities had deleted the page, and registered it for themselves. No hacking involved.

Next time try doing a little research (like asking in the IRC channel) before posting.

Re:Hacked into Geocities?

Next time try doing a little research (like asking in the IRC channel) before posting.

You're new here, aren't you?

Re:Hacked into Geocities?

If they do a good job without breaking anything else or causing additional inconvenience I wouldn't mind at all. Would you mind if some stranger came along and pulled the weeds out of your garden? It's like they're doing system administration for free; if their interest and yours is in improving the state of the networks commons, such division of labor is only an efficiency.

People get concerned about security as an end unto itself, forgetting the real world is messier than that. An excess of control can be as wasteful as a deficit. What's good for the RIAA is good us too. It's never good to be a battleground of course, but ants in the basement are better than roaches in the kitchen. If the one prevents the other, why not?

Thus we should patch security holes not to keep someone from using a few resources we wouldn't miss, or indeed use in the meantime, but because someone might combine those resources with ten thousand other compromised machines to perform a nuisance attack on another host, or with ten million to do the same to the net at large.

*Sigh*

When will people learn that if you're going to download program updates, you should use public-key cryptography to sign the updates?

If you're going to write a worm, do it right.

Re:*Sigh*

You just go the simple route, include an EULA saying that doing this is against the DCMA.
Then sue.

Quota?

Why isn't the geocities site saying it's 'bandwith exceeded' or something?

outrageous

as a compassionate human being i find this outrageous

to use the innate homing behavior of a wild natural creature like this virus against it...

to warp it's natural instincts to find home into the means by which it kills itself displays a craven lack of respect for computer worm/ virus entities

do not these strange and wonderful beings deserve our respect and encouragement? is there no natural sanctuary of a subnet on which these beautiful beings can live out their imperative to reproduce? unburdened by the ill wishes of mankind?

is there no compassion on the internet?

outrageous

Nice..

Guess thats another thing worm writers will pick up...dont have autoupdate from a website, without that little "feature" the worm would probably hang around for alot longer.

Re:Nice..

i would say not. I think what most virus writers want to do is get a worm that quickly spreads to everyone. Weather it hangs around is of no importence, so having a way it could be disabled after a reasonable ammount of time (a few weeks) would not be bad for them. Just like game companies only have copy protection so they get huge sales for the first week or so, - they know the protection will be broken but not for a short while afterwards.

Fact Checking

Nicely done, Slashdot!

Had anybody bothered following the link to the geocities page before posting the story, they would have seen that the file was "removed for the time being, until further testing on Fizzer's update routine can be done." There has been a great deal of argument in #fizzer as to the legality of such things, and I do not believe that the Fizzer Task Force as a whole decided to do anything of that sort.

Ansivirus companies' advice

From the F-Secure page:

The current variant of the worm can uninstall itself if a file with the following name is found in the Windows main directory:

Uninstall.pky

When the worm finds a file with this name, it kills all its tasks and removes its registry keys thus disinfecting a system.
[...]

To get rid of the worm, it is enough to delete its files from the Windows main directory and from the Kazaa shared folders. Please download and execute the following Registry patch:

Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...

Re:Ansivirus companies' advice

Why not just create the Uninstall.pky file? Seems like it'd be harder for a luser to screw up...

That's actually what the de-fizzer executable was designed to do. Unfortunately, it looks like there are timing/logic issues with the update that haven't been worked out (different threads of the worm are run conditionally, at different times)

Another vector that people (including myself) are working on is using the "PING" buffer overflow to launch the self-destruct mechanism from the IRC server.

My submission:

2003-05-15 16:36:12 Fizzer Worm Self-Destruct Sequence Triggered by Fizzer Task Force (articles,security) (rejected)

the worm has proved itself to be a new lifeform

so i think it is morally wrong to kill them all. who are we to decide which new e-species lives and which dies ?

(see star trek for more on this topic....)

Somound needs to be more creative...

I mean seriously, this article just SCREAMED for a title like Fizzer Fizzels Out, or something like that. I don't blame Slashdot, I blame DShield.org for their lack of insight to use good reporting techniques such as headlining...

Good thing Symantec....

...didn't get a hold of the Geocities page...Otherwise there would be 120398123 people un-happy with a "free-trial" of Norton AV on thier desktop right now.

-Rob

Great!

While they are at it, could they also made worm install some simple firewall and anti-viral software at user's marchines?

DMCA violation?

Hmmm... hijacking a web page to interfere with the virus' self-update. Is this an illegal "circumvention" of a "protection feature" in this copyrighted program (regardless of how it's installed)?

Don't get me wrong; I applaud the efforts of the virus busters; I just figured it was yet another example of unintended DMCA side-effects.

Just walk without a rhythm...

Because, if you walk without a rhythm, you won't attract the worm.

I just Googled uninstall.pky

I just google uninstall.pky at 3:06pm Polish time, and I received 28 results. Lets see how fast this info spreads on Google

Props to the White Hats

Its nice to see some people just looking to do some good.

wtf is going on here?

Am I just being incredibly dense? What are so many here complaining about? How could you possibly consider it to be morally wrong for someone to use a worm's own properties to fight it? People who are "unintentionally downloading and running" this fix were already hacked, and are no longer in control of their machines.

If someone broke into your house, would you mind if a friendly neighbor quietly quietly followed them in and escorted the intruder out? Or perhaps you'd prefer your neighbor to let the intruder rob you, or whatever they intended to do.

They also didn't "hack" geocities like some have suggested...

I dunno, I just don't see anything wrong here.

Re:wtf is going on here?

More and more worms and viruses are going to crush the internet under their weight if they are not stopped somehow. It's somewhat akin to the wild west here... there is no "law" that can contain these hostile entities. It's up to the town affected to form a posse and take care of business.

An look at ethical issues involved in "hacking-back" was written by a cow-orker of mine. It looks at different ethical systems and how they might be applied here.

It's called "Crossing the Line: Ethics for the Security Professional [lurhq.com]"

Reverse Engineered Fizzer?

Isnt that a violation of the DMCA?

Sure i agree its a good solutoin, but if they all get sued for it.... no good deed goes unpunished..

Great idea! Next let's...

Next let's take over the MS Update site and put REAL patches on there. Then when the client updates his system, he won't be installing more holes.

But won't Micro$oft get upset when...

their update site converts all those machines to Linux?

definitely a good thing.

After reviewing the arguments, I've concluded this is a good thing. Maybe even a necessary thing. Here's why:

Have you ever tried to explain to an end user what a virus is and how it works? Few have a decent understanding of what viruses are all about. Even folks with a technical background have a hard time keeping up with them, and knowing all the types.

As operating systems and viruses get more complicated, this gap will only get wider. I saw that article/paper arguing that as computers becom almost biological in complexity, they must be able to fix their own minor problems. Same type thing.

No more fizzer

until the Pfizer worm comes around and then we're all in for a hard time

i got nothin' this morning

Something wrong here?

Ok .. i don't know much about Fizzer.. but if its keeping itself alive by self updating off of a geocities site, AND WE KNEW THIS. Why the hell didn't geocities just take the site off?

I mean I can't even link a picture from geocities to another site.. but Geocities lets this worm update itself from something on the webpage?

Even past that i saw something mentioned about bandwidth.. if Fizzer is that bad wouldn't its constant updating overload the free bandwidth from the geocities site?

Educate me please.. I'm kinda confused here.

Fizzer is not Curious Yellow, but it's close.

as secolactico (UID:519805) pointed out, Fizzer could be upgradeded to a Curious Yellow class worm.

And I worked out how to kill it in a post in the Curious Yellow Discusion [slashdot.org].

subsequent posters suggested that designing a worm using crypto and a truly distributed archetecture would make us a lot less smug in future.

we've been warned folks. What are we going to do about it?

how is this ok and code green wasn't?

For those of you who are not familiar Code Green was an anti-code red listener that would automatically connect to an attacking code red infected server and clean it up. link to news story about code green [vnunet.com] People in the "security community" were inflamed, and the general consensus was that this was illegal, and many people, myself included, decided not to install code green. Now, code red attacks are still common in my server logs..

Looks like it's better to ask forgiveness than seek permission.

worm should have used DRM kind of stuff.

Well, the next time, the author of the worm will probably be more careful in writing the code that executes the update package which is SIGNED by her private key. So, this kind of (elegant) solution won't do the trick...

Right idea, wrong URL.

They should have taken over this one [microsoft.com] ;)

-- this is not a .sig