Wednesday, May 14, 2003

Fizzer Hype

Following is a summary about the Fizzer worm that I've built from various sites. (The summary is aimed more at the service provider or corporate level but you get the idea.) At first glance it's pretty scary (which is why the media liked it) but if you look closer there are very easy-to-perform methods of blocking the worm.

Fizzer is a mass-mailing worm that also attempts to spread through P2P file sharing. It contains an IRC backdoor, a DoS attack tool, a key logger, an AIMbot, an anti-virus killer, a built-in SMTP engine and a built-in web server.

Once the worm has infected a machine, it attempts to connect to Geocities to obtain updates (supposedly Geocities has already disabled the site). The worm scans for e-mail addresses in the Windows address book, Outlook contacts, cookie files, temporary Internet files, and the current user's personal folder and randomly manufactured addresses. It is capable of spoofing the "From:" address in any mail that it sends out. It is capable of using it's own SMTP engine or any of several hundred external mail servers (an open relay list?).

The IRC backdoor connects to one of over a hundred IRC servers. A very extensive list of the IRC servers it can connect to is available at the BullGuard link below. It has been reported that the worm spouts miscellaneous drivel in the IRC channels such as:

   the horribly bad wealth
   Hate is beauty. :)

This may be the same strings that are used in the subject lines of the mass mailings. The links at the end of this document list those possible strings.

The default port for the web server is TCP port 81. The web server acts as a command console, displays various information about the infected machine and allows various of the attack commands to be executed.

The default ports for the IRC backdoor include TCP ports 2018-2021. This allows remote control of the infected system.

Signs to watch for at the NOC level:
- abnormal increases in mail traffic
- attempts to connect to IRC ports (TCP 6660-6670) (This should already be blocked at the premise router
- attempts to connect to AOL IM services (TCP port 5190)
- active searches should include network scans for services listening on TCP ports 81, 1214, 2018, 2019, 2020, 2021

Recommendations for minimizing risk of infection:

- block outbound IRC traffic
- block outbound AOL IM traffic
- block outbound Kazaa traffic
- log all high-port to high-port traffic. Review logs on a daily basis. High port to high port traffic should be tested to determine if it is Kazaa-based.
- ensure the proper anti-open-relay configurations are applied to all mail servers and e-mail handling systems
- employ visual metrics so that NOC personnel have an idea of what "normal" and "abnormal" traffic looks like.
- use the most recent anti-virus scan engines and signature files

One of the difficulties with the above is the recommendation of blocking KaZaA traffic. While TCP port 1214 is the default, KaZaA is capable of using dynamically assigned ports. This means that NOC personnel will have to monitor high-port to high-port traffic and test anything that looks suspicious.

Systems affected: Win95/98/ME/NT/2K/XP



The McAfee link above has a good analysis of the worm.

No comments:

Post a Comment