Information Security News mailing list archives

IRC operators may out-hack Fizzer


From: InfoSec News <isn () c4i org>
Date: Mon, 19 May 2003 01:36:11 -0500 (CDT)

http://news.com.com/2100-1002_3-1003894.html

By Robert Lemos 
Staff Writer 
CNET News.com
May 16, 2003

Administrators of Internet relay chat networks believe they might be 
able to eradicate the Fizzer virus, but the methods may run them afoul 
of cybercrime laws, said a legal expert Friday. 

Several postings on an IRC-Security list debated the merits of trying 
to shut the computer virus down, and one operator, QuakeNet security 
team member Daniel Ferguson, warned that manipulating the worm could 
be illegal. Despite that, he believes that several IRC operators will 
likely attempt to shut down the computer viruses running on PCs 
connected to their networks. 

"You can't really blame them," Ferguson said. "When there is nothing 
else (they) can do to solve a problem like this, then they are left 
with little choice. The worms (and) trojans not only use their 
bandwidth, costing them money, but are a danger to the general IRC and 
Internet infrastructure." 
 
Since Monday, Fizzer has been causing problems for IRC networks. The 
virus, which spreads mostly through e-mail but also through 
file-sharing service Kazaa, connects to a random chat network and 
awaits commands. The virus activity caused headaches for the operators 
of several smaller IRC networks, which typically haven't had to deal 
with such so-called IRC bots. 

Now the operators are finding ways to take out the program. Unknown 
members of the IRC-Security mailing list discovered that the virus can 
be crashed by typing a long string of characters into the chat room to 
which the program is connected. 

Another discovery was that the Fizzer virus goes to a specific Web 
address on Geocities daily to update itself with any code found there. 
No one had reserved that address, so one IRC operator did, and posted 
a program that would apparently cause the virus to uninstall itself. 
The code to uninstall the worm has been taken down, however, since 
initial tests determined that it wasn't working, according to posts on 
the IRC-Security list. 

Such measures are likely illegal under a technical reading of the 
Computer Fraud and Abuse Act, said Jennifer Granick, clinical director 
of Stanford Law School Center for Internet and Society. 

"I think it definitely falls afoul of that statute," Granick said. 
"But I don't think it will be something that will be pursued, because 
that statute is over broad." 

A member of the U.S. Department of Justice's Computer Crime and 
Intellectual Property Section refused to comment on the issue, so it's 
uncertain whether prosecutors would attempt to make a case against IRC 
operators acting in good faith. 

Sending commands that crash the worm could be legal, as long as 
shutting down the worm had no other effect on the victim's computer, 
Granick explained. In that case, the command in and of itself wouldn't 
be considered damaging code, one test for violations of the computer 
crime statute.

"The worm is operating from the victim's computer," Granick said. 
"There is a justification for a strike back that stops an attack, but 
if it takes down the entire computer, then that would be a crime." 

Another part of the statute makes it illegal to exceed authorization 
on a computer across state lines, something that it could be argued 
the IRC operators are doing. The operators may be protected, however, 
if they can claim status as service providers. 

In any event, the network administrators aren't willing to stand idly 
by, said Ferguson. 

"The alternative is to do nothing and leave the bots to be used for 
whatever the owner sees fit." 



-
ISN is currently hosted by Attrition.org
