IRC operators may out-hack Fizzer

Administrators of Internet relay chat networks believe they might be able to eradicate the Fizzer virus, but the methods may run them afoul of cybercrime laws.

Robert Lemos Staff Writer, CNET News.com
Administrators of Internet relay chat networks believe they might be able to eradicate the Fizzer virus, but the methods may run them afoul of cybercrime laws, said a legal expert Friday.

Several postings on an IRC-Security list debated the merits of trying to shut the computer virus down, and one operator, QuakeNet security team member Daniel Ferguson, warned that manipulating the worm could be illegal. Despite that, he believes that several IRC operators will likely attempt to shut down the computer viruses running on PCs connected to their networks.

"You can't really blame them," Ferguson said. "When there is nothing else (they) can do to solve a problem like this, then they are left with little choice. The worms (and) trojans not only use their bandwidth, costing them money, but are a danger to the general IRC and Internet infrastructure."

Since Monday, Fizzer has been causing problems for IRC networks. The virus, which spreads mostly through e-mail but also through file-sharing service Kazaa, connects to a random chat network and awaits commands. The virus activity caused headaches for the operators of several smaller IRC networks, which typically haven't had to deal with such so-called IRC bots.

Now the operators are finding ways to take out the program. Unknown members of the IRC-Security mailing list discovered that the virus can be crashed by typing a long string of characters into the chat room to which the program is connected.

Another discovery was that the Fizzer virus goes to a specific Web address on Geocities daily to update itself with any code found there. No one had reserved that address, so one IRC operator did, and posted a program that would apparently cause the virus to uninstall itself. The code to uninstall the worm has been taken down, however, since initial tests determined that it wasn't working, according to posts on the IRC-Security list.

Such measures are likely illegal under a technical reading of the Computer Fraud and Abuse Act, said Jennifer Granick, clinical director of Stanford Law School Center for Internet and Society.

"I think it definitely falls afoul of that statute," Granick said. "But I don't think it will be something that will be pursued, because that statute is overbroad."

A member of the U.S. Department of Justice's Computer Crime and Intellectual Property Section refused to comment on the issue, so it's uncertain whether prosecutors would attempt to make a case against IRC operators acting in good faith.

Sending commands that crash the worm could be legal, as long as shutting down the worm had no other effect on the victim's computer, Granick explained. In that case, the command in and of itself wouldn't be considered damaging code, one test for violations of the computer crime statute.

"The worm is operating from the victim's computer," Granick said. "There is a justification for a strike back that stops an attack, but if it takes down the entire computer, then that would be a crime."

Another part of the statute makes it illegal to exceed authorization on a computer across state lines, something that it could be argued the IRC operators are doing. The operators may be protected, however, if they can claim status as service providers.

In any event, the network administrators aren't willing to stand idly by, said Ferguson.

"The alternative is to do nothing and leave the bots to be used for whatever the owner sees fit."