Josh: 00:00

Back in 2003, I can still remember my first experience with peer-to-peer file sharing.

00:06

I had downloaded and installed a program called LimeWire on my blue Dell Inspiron 1100.

00:13

Suddenly, it felt like a whole world was at my fingertips.

00:16

All the CDs I owned, and way more, were now in digital format just waiting to be downloaded.

00:23

Of course, back then, downloading a single song could take an hour or more,

00:27

but still, there was something magical about it.

00:30

One thing that sticks out is how I noticed some song files were way smaller than others.

00:36

A typical song back then was around 2-3 megabytes,

00:39

but I'd see some files that were just 300 bytes, only a fraction of the size they should have been.

00:45

I wondered to myself how that was even possible.

00:50

Computers were still relatively new to me at the time, so I figured, why not?

00:54

I downloaded one of the smaller files, thinking it'd finish faster, and it did.

01:00

Way quicker. I double-clicked to play it, but instead of hearing music, a black window flashed

01:06

on my screen, and then... nothing. My stomach dropped. I didn't know exactly what just happened,

01:14

but I knew it wasn't good. I took a closer look at the file, and that's when I saw it.

01:20

The extension was .exe. Not a song file at all. It wasn't until I came across the Fizzer Worm from

01:28

2003 that things started to make a bit more sense. From peer-to-peer file sharing,

01:34

to key loggers and back doors, on this episode of In The Shell.

01:58

Thank you.

01:58

02:00

has caused this outage.

02:01

That it takes you longer to do something

02:03

by putting it into a computer and calling it up again

02:05

than if you just kept simple records yourself in the house.

02:10

Fizzer was first discovered on May 8, 2003

02:14

by a company named F-Secure.

02:16

They're a global security and privacy company

02:19

based out of Helsinki, Finland.

02:21

Within a few days, it had also been spotted

02:24

by Trend Microsystems and Symantec.

02:27

They all classified it as one of those

02:29

new hybrid viruses,

02:30

and no, I don't mean hybrid like the car.

02:33

This worm was pretty advanced for its time.

02:36

It had its own emailer,

02:38

could randomly create IRC and AOL Instant Messenger bot accounts,

02:42

and even had the ability to update itself

02:44

by connecting to a GeoCities website.

02:47

So if the person behind it needed to fix a bug

02:50

or add a new feature,

02:51

they could easily push those changes

02:53

and all the infected machines would download the updates.

02:56

In previous episodes,

02:58

I've talked about some other worms.

03:00

like Code Red and Sequel Slammer. When those were released, they were pretty static, meaning once

03:05

an antivirus rule was created to catch them, that was pretty much the end of the story. They'd be

03:10

stopped in their tracks. But with Fizzer, the game changed. The person behind it could actually

03:17

update the worm. So once antivirus companies released rules to detect it, the malicious actor

03:23

could tweak the worm's signature and push out an update, hoping to stay ahead of the infected

03:27

user's computers before they even knew what was happening. Speaking of antivirus, Fizzer also had

03:34

another trick up its sleeve. It disabled local antivirus software. So even if you had protection

03:40

and the latest rules in place, it didn't matter if your antivirus software was turned off.

03:46

And to make matters worse, it installed a keylogger. Now a keylogger records every keystroke you type on

03:53

your keyboard. Depending on how long you've been online, you might remember some banking or government

03:59

websites.

03:59

Fizzer, Fizzer, Fizzer, Fizzer, Fizzer, Fizzer, Fizzer, Fizzer. For the first time, you can see it.

03:59

Thank you.

04:00

making you use an on-screen software keyboard where you'd click to enter your username and

04:05

password. That was an attempt to protect users from keyloggers by avoiding physical keyboards.

04:11

It was mostly ineffective, which is why you don't see it around much anymore.

04:16

But back to Fizzer's keylogger. It saved all the keystrokes to a file called

04:23

iservc.klg inside the Windows folder. Later on, the malicious actor would retrieve that file

04:30

and run filters on the data, searching for patterns like username and password combinations,

04:36

along with credit card numbers. Compared to worms that came before it,

04:40

Fizzer was operating on a whole different level.

04:45

Let's dive into some of these specifics. When F-Secure first discovered Fizzer on May 8th,

04:50

it was spreading through the Kaza file-sharing network in Asia.

04:54

And this is what fascinates me about the worm. It found such a clever way to spread.

05:00

Peer-to-peer file sharing is pretty much exactly what it sounds like.

05:03

You, as a peer, use software to share files and other peers, whether it's me or someone else or

05:10

even the NSA, can download those files. So one person shares a file and other people can download

05:17

it. Once they download it, those people also become a source for the file. Instead of just

05:22

one peer having the file, now 10 different people might have it. It spreads the load and the bandwidth

05:28

so that no one person is bogged down. It's a brilliant, legitimate way to share and spread

05:33

information quickly. If you've ever downloaded a torrent, it works on a similar concept.

05:38

So what Fizzer did was locate the Kaza shared folder on an infected computer

05:43

and copy itself there, giving the file random names. Like I mentioned earlier, you might see

05:49

something like metallica-enterthesandman.mp3.exe. Anyone who downloaded that file and executed

05:57

it was now infected with a worm.

06:00

Many Americans use programs like Kaza to download music.

06:04

And you can imagine just how quickly that spread. It's like a spider web expanding,

06:09

with the file becoming available for download to anyone using Kaza.

06:13

And Fizzer wasn't just creating chaos in Asia, it went global.

06:17

People from the US to Europe were all getting infected.

06:20

Now keep in mind, back then, bandwidth was in pretty short supply.

06:25

Honestly, with my local ISP and their data caps, it feels like they want me to still believe it is.

06:31

But I digress.

06:33

At the time, limited bandwidth meant these malicious actors were essentially crowdsourcing bandwidth

06:38

from infected users, getting them to spread the worm for them.

06:42

I think that's just incredibly creative. Terrifying. But creative.

06:48

And it wasn't just Kaza. Fizzer also exploited Windows network shares.

06:53

You know, those shared folders in corporate environments that had pretty terrible security

06:58

back then. And let's be honest.

07:00

they often still do. If a machine was infected and it had access to a shared folder on your network,

07:06

Fizzer could spread through that too. It didn't care who you were, whether you were a home user

07:12

downloading songs or a corporate employee, Fizzer was coming for you. Once you were infected, it

07:19

didn't stop there. Besides spreading itself through your Kaza shared folder, Fizzer would also email

07:24

itself to everyone in your Outlook address book. Sound familiar to anyone? And it didn't just use

07:31

your name as the sender, it spoofed the sender name, picking from a list of 200 different names

07:36

the worm had built in. The actual email address it used was generated randomly and often came from

07:42

domains like hotmail.com, AOL, and a few others. Fizzer also got a little crafty with the email

07:51

subjects to entice people to click. While the body of the email was always in English,

07:56

the subject line appeared in three languages, English, French,

08:00

and German. Here are a few of the subjects I found particularly interesting.

08:05

Damn it feels good to be a gangsta. Yo what's up B. Please discard if you don't like or agree

08:14

with our present leadership. See you tomorrow. I wonder what can be so bad that it makes you

08:20

want to die. Check this out dot dot dot he he he. You need to lose weight. That last one

08:29

is particularly straightforward. As far as social engineering goes some of the email subjects

08:35

Fizzer used were pretty awful but others they were actually pretty catchy and I can see how people

08:41

would have been tempted to click them. Similar to the sender name the body was also picked from a

08:47

predefined list the worm had. Some examples are watching the game having a bud. There is only one

08:55

good knowledge and one evil ignorance.

09:00

you don't have to if you don't want to. So now that your infected machine has sent the worm to

09:06

all your friends, family, and co-workers, let's talk about what happens next. First off, that

09:12

keylogger I mentioned earlier is now actively monitoring everything you type. Fizzer also

09:18

creates a backdoor for AOL Instant Messenger, also known as AIM. The worm connects to an AIM

09:24

server with a random username creating a bot. The person controlling the worm could then establish

09:31

a connection to that bot and start controlling your machine remotely by sending commands through

09:36

the chat. And just in case the AIM backdoor wasn't working, Fizzer had a backup plan. It also created

09:43

an IRC backdoor. IRC, which stands for Internet Relay Chat, is kind of like AIM in that it lets

09:50

people chat. But IRC is decentralized and has actually been around a lot longer,

09:55

about a decade before AIM even existed. And while AIM is long gone,

10:00

IRC is still around. And as if that wasn't enough, Fizzer also listened on four additional ports.

10:07

Port 2018, the command port, was used for sending and receiving commands. 2019, file port, was used

10:16

for sending and receiving files. 2020, console port, allowed remote control of the system.

10:23

And port 2021, video port, was used for capturing video and sending it out.

10:30

And to top it all off, Fizzer could even start an HTTP web server on port 81,

10:35

giving the attacker even more access to your infected computer.

10:40

Now I know we're talking about a worm, something malicious that caused damage and infected users,

10:45

but you've got to admit, that's a pretty robust piece of software. I've worked at quite a few

10:51

tech companies over the years, and let me tell you, a lot of modern day applications don't even

10:56

come close to that level of redundancy.

10:58

Thank you.

11:00

At this point, Fizzer has sunk its claws deep into your system.

11:04

You are at its mercy.

11:06

And while it's in there, it kills off a list of processes associated with antivirus programs.

11:11

So that fancy software you bought and paid for?

11:14

Yeah, completely useless now.

11:16

But Fizzer didn't just stop at disabling your antivirus.

11:20

Parts of the Worms code were actually encrypted,

11:22

which made it even harder for antivirus programs to detect it in the first place.

11:27

It was like trying to find a needle in a haystack.

11:30

Except the needle was hiding behind a locking key.

11:33

But now that I think about it,

11:35

a needle in a haystack with a lock would actually be a lot easier to find.

11:39

So maybe this isn't the best analogy.

11:41

So instead, it would be like trying to find half a needle in a haystack.

11:46

So now the Worm is fully in.

11:48

It's installed.

11:49

It's persistent.

11:50

It's always running.

11:51

The malicious actor has guaranteed access.

11:53

Your antivirus is down for the count.

11:55

And if there's any issues with the Worm itself, no worries.

11:59

It can auto-

12:00

update in the background to make sure it's always running the latest version. Remember how I

12:05

mentioned earlier that these updates were downloaded from a GeoCities website? For those who don't

12:10

recall, GeoCities was one of those old school web hosting services back in the day. It was like the

12:16

MySpace of websites, everyone had one. So the malicious actor would just upload the update to

12:22

a GeoCities webpage, and all the infected machines would check in and grab the latest version.

12:28

Now despite all this, the actual damage caused by Fizzer was never fully quantified in terms of

12:33

dollars. While the worm had the ability to launch DDoS attacks, I couldn't find any references to

12:39

any actual documented attacks. It seems the main damage was financial, with people's credentials

12:45

and personal information being easily stolen. Fizzer was definitely in a league of its own,

12:51

and the methods it used for persistence are still widely used in malware today.

12:56

And although the creator of Fizzer is still a mystery, there were

13:00

definitely efforts to track them down. Law enforcement agencies and cybersecurity companies

13:04

were racing to figure out who was behind it. But it was a different time, and tracking down

13:09

malware authors wasn't nearly as advanced as it is today. Though, even now, many still remain a

13:16

mystery. The moral of the story? Always check the extension of those music files you download.

13:22

Make sure it's mp3 and not exe.

13:27

In the Shell is written, researched, and recorded by me, the Sniffer of Packets. If you made it this

13:34

far, you either couldn't find the pause button, or you enjoyed the episode. If it's the latter,

13:39

then I have a small request. Please click the share button wherever you're listening,

13:43

and send this episode to someone you think would enjoy it. I would truly appreciate it.

13:50

That's it. Take care, and I'll see you next time.