White-Hat Hackers Struggle To Fix Fizzer

In the latest defensive action, the group of IRC administrators, calling itself the irc/unity project, discovered that they could send a command over IRC to PCs infected with the virus, which would cause the virus to automatically uninstall itself and stop infecting other machines, said group chairman John McGarrigle.

While Fizzer caused relatively little damage in the world at large, it did cause a lot of damage to IRC channels, McGarrigle said. Part of the Fizzer programming caused it to open a connection on IRC channels and wait to receive commands. Some 750,000 PCs were infected, and that hammered some IRC channels with too much traffic.

But now the IRC administrators believe they've found a fix.

"We have recently discovered a built-in way to remove Fizzer from a user computer. It involves sending a specific command to Fizzer from IRC," he said.

The virus also tries to phone home to the hackers who created it over AOL Instant Messenger, and by connecting to Web sites to download updates.

In an earlier attempt last week at foiling Fizzer through white-hat hacking, a member of the irc/unity project noted that nobody had ever bothered to create one of the Web sites that Fizzer was supposed to reach; he registered the URL for himself and uploaded a program that was designed to automatically remove Fizzer from infected computers. Later, the author of the program removed it from the Web, citing concerns that the program might be illegal.

The irc/unity project said it believes the new attack on Fizzer is legal.

"We believe this is not illegal because the 'bot is connected to IRC and we are just sending a specific line of text which the 'bot is expecting," McGarrigle said. "You change your nickname to a specific nickname which the 'bot is expecting and then send a line of text and Fizzer shuts itself down and removes itself from the computer."

McGarrigle runs the RealmNET IRC network, and, in reaction to Fizzer, formed irc/unity, an information and resource sharing hub site, along with a mailing list with about 250 subscribers. IRC administrators also formed the Fizzer Task force to deal with problems caused by Fizzer.

The Fizzer uninstall program is the latest step in an ongoing argument in the security community: whether it's right for white-hat hackers to release code onto the Internet that installs itself on computers without the computer owner's permission and closes up security holes and corrects security problems. Anti-virus vendors interviewed for Friday's article said those kind of benign hacks are a bad idea -- they'd be beneficial if they work, but too many things can go wrong.

The irc/unity project warned owners of systems infected by Fizzer that they should run anti-virus software to remove the virus.

"The Fizzer Task Force highly recommends that all Internet users run an anti-virus program to remove any traces that the worm may leave behind, as the uninstall mechanism in a virus is not to be trusted. If you have been infected, it is also very important that you change your passwords, as Fizzer contains a key-logging aspect which could have transmitted everything you have typed since infection to a remote site," the group said in a statement on its Web site.

This story courtesy of InternetWeek.com.