Fizzer virus pains IRC networks

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1002_3-1001601.html

By Robert Lemos 
Staff Writer, CNET News.com
May 14, 2003

The Fizzer computer virus is causing headaches for more than just its
victims.

The mass-mailing computer virus, which continued to spread on
Wednesday, nearly overwhelmed several Internet relay chat (IRC)  
networks, prompting the operators of more than 50 networks to band
together to stave off the digital infection.

"It was almost to the point of taking down our network," said Tyrel
"Nemo" Haveman, an administrator for the Mysteria IRC network. "We
noticed it first around midday in the U.S. on Monday. Within a couple
of hours, we had 500 connections." Mysteria normally has only 150 to
250 people online at any one time, he added.

The digital deluge is caused by a side effect of the virus. Fizzer
attempts to connect to IRC networks from an infected PC to open up a
communications channel that can be used to control a victim's system.  
The virus was so successful at spreading that the massive influx of
new connections threatened to overwhelm the IRC networks reached by
the program.

The IRC operators intend to make the response group a permanent facet
of the community, said John McGarrigle, the administrator for another
small IRC network, RealmNet. A new site called IRC Unity will become a
central hub for information sharing and discussion on various topics
including security, he said.

"The idea stemmed from the fact that we have just set up an IRC
security list with over 100 subscribers in the first day of
operation," he said. "We realized, after that, that we had an
opportunity there to create this information-sharing site, which will
hopefully help prevent a lot of IRC-based attacks before they get out
of hand."

The latest headache for IRC networks caused by the Fizzer virus
started spreading a week ago, according to e-mail service provider
MessageLabs. The virus took off on Monday and quickly became the most
prevalent malicious e-mail attachment, according to the U.K.-based
company's data. The company provides spam- and virus-filtering
services to its clients and has stopped more than 175,000 copies of
Fizzer at its e-mail gateway.

Fizzer--also known as W32.HLLW.Fizzer@mm and W32/Fizzer@MM--may have
taken off because it uses two different methods to send itself to
other PCs. While the virus mainly spreads through e-mail, it also
copies itself under various names to the shared folder used by the
Kazaa file-trading system. It can infect all Microsoft Windows
systems, but not computers running Linux or the Macintosh operating
system.

Charting Fizzer's symptoms

Security software maker Network Associates downgraded the virus to a
"medium" threat on Wednesday, as the number of customers infected by
the virus dropped overnight. Vincent Gullotto, vice president of
Network Associates' antivirus emergency response team, suggested that
Fizzer's success may have had its roots in a false sense of security
developed by some Internet users.

"Every once in a while, something happens to pop, because there is
something different about it or people let the guard down," he said.

The virus file uses an extension that marks it as a program file (EXE,
COM or PIF) or screensaver file (SCR).

In addition to the functions designed to spread Fizzer's infection,
the computer virus has several components intended to allow others to
gain entry to the victim's system. It will also log a user's
keystrokes and save them to a file, attempt to disable antivirus
programs, launch a Web server, open several backdoors and occasionally
look for an online server that contains updates for the worm.  
Moreover, the virus connects to one of more than 300 IRC servers and
registers itself with, and then connects to, America Online's instant
messaging system.

Those connections are what have caused so many headaches for IRC
operators. RealmNet, which normally sees 100 to 200 connections at a
time, suddenly found more than 1,000 computers connected to its
server, said administrator McGarrigle. The connections, known as
"bots" in IRC terminology, tend to congregate in chat channels of 20
or 30 virus-created connections.

"We have been banning (bots) from the network as they join," he said.

Other computer viruses, such as Deloder, have used a similar tactic.  
McGarrigle responded to the attack by identifying the channels and
shutting them down.

Mysteria's Haveman took a different tack and created a dummy server
that intercepts all attempted connections. Any user that tries to
connect to the network will be told to go to a different IRC server,
while the virus will just be stopped there.

Because the server records the Internet address of every client that
attempts to connect, the dummy server may have provided a piece of
data normally rare in virus incidents: The total number of infected
systems. Since Monday, the Mysteria server has logged more than 40,000
different Internet addresses. Some of those addresses could be the
same PCs, so the number could be lower. However, it's more likely to
be higher, as Mysteria is only one of the 300 IRC services that the
virus targets.

"They are pretty much from everywhere around the world," Haveman said.  
"It is definitely the biggest (attack) we've seen."

IRC administrators can expect more of the same, as Fizzer isn't going
to burn out soon, said Mark Sunner, chief technology officer for
MessageLabs.

"It has all the properties of a slow burner, this one does," he said.  
"While it's certainly plateauing, it doesn't seem to be truly abating
in any way."



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.