Security Watch: Don't get burned by viruses and hackers.
The Fizzer worm: why you should be worried
By Robert Vamosi 
Senior associate editor, CNET Reviews
May 21, 2003

The Fizzer worm has just passed the year-old Klez worm in terms of overall infections during the last month, according to antivirus company MessageLabs. Obviously, Fizzer is a very real threat. It aggressively opens your computer to remote access and has already brought several IRC networks to their knees. It also lays the groundwork for a possible large-scale Internet-based attack in the future.

Though IRC administrators have come up with a way to contain Fizzer, I see this as only a temporary reprieve. Fizzer and other worms like it will find a way to survive.

Kazaa-lurking worms
Fizzer is not the first worm to use Kazaa; last year's Duload and Benjamin did, too. Like these other viruses, Fizzer disguises itself as a music or video file within the file-sharing network. If you have the Kazaa application installed on your computer and happen to download an infected file, your system will likely become infected.

Once infected with Fizzer, your computer becomes riddled with security holes that allow others on the Internet to gain access to your personal data. One of these exploits, a Trojan horse, allows malicious users to save all of your keystrokes--possibly capturing your passwords and/or credit card numbers--then broadcast that information to others on the Net.

Like the recent Deloder worm, Fizzer also attempts to connect to IRC networks from your PC. Last week, the virus created so many new IRC connections that it threatened to overwhelm several IRC networks. One such network, which normally sees 100 to 200 connections at a time, suddenly found itself with more than 1,000 virus-infested computers connected to its server.

IRC administrators are fighting back. Last week, a group of them created the Fizzer Task Force. Knowing that Fizzer automatically updates itself via GeoCities servers, the task force found those servers and changed the update code. Now, when a Fizzer-infected PC contacts the servers, the code that's supposed to update the worm uninstalls it instead.

This, of course, opens up a debate over whether the task force should be running code on other people's machines without their knowledge. I, for one, think it's wrong. Whatever your opinion on the matter, the technique is not foolproof. Virus authors need only encrypt their update code to avoid this type of meddling.

Persistent little bugger
What differentiates Fizzer from other viruses is how aggressively it tries to open your computer to the outside world. Fizzer creates its own remote console on an open TCP port to listen for outside communications. It contains an HTTP server, which displays information about the infected computer--such as its system time, OS version, and usernames and passwords for IRC and AOL Instant Messenger--to outsiders (namely, the virus writer or other malicious users). And Fizzer doesn't just bring Trojan horses to your computer; it also provides a means for outsiders to install other Trojans on your PC without your knowledge.

Though it hasn't happened yet, I believe a worm like Fizzer might eventually be used to carry out a large distributed denial-of-service attack. By infecting Windows computers worldwide and maintaining active communications with those machines, the virus writer or other malicious users could, in a short amount of time, enlist those machines in a more damaging viral assault.

While good firewall software is an excellent defense against this type of activity, recent worms such as Fizzer have attempted to shut down antivirus apps (some of which come bundled with firewalls). The sure way to protect your system, of course, is to update your antivirus signature files to block Fizzer before it becomes active on your desktop. If you don't yet have antivirus protection, what's stopping you?

Are the Fizzer Task Force's actions justified? Why or why not? Have you ever been infected? What happened? TalkBack to me!
