by Ann Harrison

Lessons from the Fizzer worm

Jun 05, 2003 | 3 mins
Enterprise Applications, Security

* P2P nets blamed for spread of Fizzer worm

Computer security analysts are warning about a new destructive Internet worm called Fizzer, which was first seen in early May. Fizzer can evidently delete antivirus programs and open backdoors, which could allow an attacker to seize control of your computer and record keystrokes. If this worm lets attackers record keystrokes, they could, of course, discover the passwords to your PGP keys and foil your efforts to encrypt data.

Analysts say Fizzer is being spread via the Kazaa P2P network, and is being brought into corporate networks by those engaged in clandestine file trading at work. Certainly file-trading networks are an efficient way to spread worms and viruses, especially those that affect Windows systems.

But it’s important to point out that the Fizzer worm is also spread via Microsoft Outlook, AOL Instant Messenger and IRC, as well as Kazaa. Despite the fact that Microsoft Outlook has a long history of spreading worms and viruses, file trading has become the focus of concern for the spread of Fizzer. But instead of viewing this incident as another reason to demonize file trading, let’s keep this worm in perspective. The most recent reports indicated that Fizzer was dying out. The 150 companies Symantec reported as being hit by the worm acknowledged that it did not necessarily come into their network via P2P programs.

Nevertheless, P2P programs use port-hopping capabilities to sneak through corporate firewalls and are hard to block and detect. This makes it easier for people to use them at work despite corporate network policies. Even if they can be used clandestinely, file traders should consider the havoc that a worm like Fizzer could wreak on their workplace computing environment and trade files only on their home machines. They should also lean on those who design P2P clients to develop more of them for free operating systems. Those who run Linux distributions are somewhat less vulnerable to worms and viruses than those on the Windows operating system that most people are stuck with at work.

In the meantime, companies such as Check Point, Internet Security Systems, St. Bernard Software, Symantec and Websense have entered a sort of P2P arms race, developing products to detect, monitor and lock out fast-changing P2P software. Any company that assures users it has a long-lasting magic bullet is probably fibbing. Most such software is only good for a discrete window of time until another, more clever P2P program comes along. The recent software used by the FastTrack P2P technology is encrypted, which makes it harder to defeat.

Websense says it has a gateway appliance that can monitor and filter for P2P traffic, and Check Point’s SmartDefense component in FireWall-1 detects and blocks this activity. Both companies say the better strategy is to halt P2P use on the desktop with their client software that scans and blocks unauthorized applications. Corporate file traders should remember that the company owns the machine they work on. The courts have long backed up the right of employers to fire employees for misuse of corporate computing, and the software to catch them is getting better.