[ISN] IRC operators may out-hack Fizzer

From: InfoSec News (isnat_private)
Date: Sun May 18 2003 - 23:36:11 PDT

    http://news.com.com/2100-1002_3-1003894.html
    
    By Robert Lemos 
    Staff Writer 
    CNET News.com
    May 16, 2003
    
    Administrators of Internet relay chat networks believe they might be 
    able to eradicate the Fizzer virus, but the methods may run them afoul 
    of cybercrime laws, said a legal expert Friday. 
    
    Several postings on an IRC-Security list debated the merits of trying 
    to shut the computer virus down, and one operator, QuakeNet security 
    team member Daniel Ferguson, warned that manipulating the worm could 
    be illegal. Despite that, he believes that several IRC operators will 
    likely attempt to shut down the computer viruses running on PCs 
    connected to their networks. 
    
    "You can't really blame them," Ferguson said. "When there is nothing 
    else (they) can do to solve a problem like this, then they are left 
    with little choice. The worms (and) trojans not only use their 
    bandwidth, costing them money, but are a danger to the general IRC and 
    Internet infrastructure." 
     
    Since Monday, Fizzer has been causing problems for IRC networks. The 
    virus, which spreads mostly through e-mail but also through 
    file-sharing service Kazaa, connects to a random chat network and 
    awaits commands. The virus activity caused headaches for the operators 
    of several smaller IRC networks, which typically haven't had to deal 
    with such so-called IRC bots. 
    
    Now the operators are finding ways to take out the program. Unknown 
    members of the IRC-Security mailing list discovered that the virus can 
    be crashed by typing a long string of characters into the chat room to 
    which the program is connected. 
    
    Another discovery was that the Fizzer virus goes to a specific Web 
    address on Geocities daily to update itself with any code found there. 
    No one had reserved that address, so one IRC operator did, and posted 
    a program that would apparently cause the virus to uninstall itself. 
    The code to uninstall the worm has been taken down, however, since 
    initial tests determined that it wasn't working, according to posts on 
    the IRC-Security list. 
    
    Such measures are likely illegal under a technical reading of the 
    Computer Fraud and Abuse Act, said Jennifer Granick, clinical director 
    of Stanford Law School Center for Internet and Society. 
    
    "I think it definitely falls afoul of that statute," Granick said. 
    "But I don't think it will be something that will be pursued, because 
    that statute is overbroad." 
    
    A member of the U.S. Department of Justice's Computer Crime and 
    Intellectual Property Section refused to comment on the issue, so it's 
    uncertain whether prosecutors would attempt to make a case against IRC 
    operators acting in good faith. 
    
    Sending commands that crash the worm could be legal, as long as 
    shutting down the worm had no other effect on the victim's computer, 
    Granick explained. In that case, the command in and of itself wouldn't 
    be considered damaging code, one test for violations of the computer 
    crime statute. 
    
    "The worm is operating from the victim's computer," Granick said. 
    "There is a justification for a strike back that stops an attack, but 
    if it takes down the entire computer, then that would be a crime." 
    
    Another part of the statute makes it illegal to exceed authorization 
    on a computer across state lines, something that it could be argued 
    the IRC operators are doing. The operators may be protected, however, 
    if they can claim status as service providers. 
    
    In any event, the network administrators aren't willing to stand idly 
    by, said Ferguson. 
    
    "The alternative is to do nothing and leave the bots to be used for 
    whatever the owner sees fit." 
    
    
    