PYM@QUCDNSUR.BITNET (Dr John Pym [Cardiothoracic Surgery]) (12/28/87)
Compliments of the Season to the net. By now, many of you will have heard of the (infamous) CHRISTMA EXEC "virus" which infected BITNET/EARN/NETNORTH and virtually paralyzed IBM's internal network for a day or two. For those who haven't seen the various postings on the BITNET LINKFAIL list, RISKS-FORUM Digest, etc., I will summarize (no flames for the oversimplifications in the interest of brevity, please).

Originating as a "prank" on a German end-node on EARN, this EXEC (i.e. similar to a .COM file - and written in REXX, a DCL-like language) displayed, when executed on an IBM VM system, a primitive Christmas tree on the terminal and then mailed itself to everyone on that poor user's NAMES file (i.e. personal mailing name list) before deleting itself. Of course, some users had network distribution lists (e.g. JNET-L, MEDINF-L, etc.) defined in their NAMES file . . . [I personally received six copies of this EXEC from different sources - this is probably not unusual.]

While this was a significant problem on BITNET/EARN/NETNORTH with a fair number of VM/CMS nodes, the virus clearly could not infect VAXinated nodes, of which there are a larger number. Also, many (usually undergraduate) students on VM/CMS systems are denied network access, thus limiting the rate of spread of the virus beyond an infected system. However, once the virus entered VNET, IBM's internal network of VM/CMS systems, things really took off (all VM/CMS systems; users with large NAMES files; all with network access) and allegedly brought their network to a standstill. Initially, the problem required manual intervention by system managers to purge CHRISTMA EXECs from users' readers - but this could only give a temporary remission in the disease.
Fortunately, a CHRISTMA eradicator was written (by Eric Thomas, author of the LISTSERV software), and also an ingenious virus was developed (by Hank ?, sorry, I've forgotten) to follow and destroy the original CHRISTMA virus and then self-destruct in mid-January. So now it's eradicated like smallpox: hmmm . . . I expect that there may be another minor epidemic when some users return from vacation.

So, what should we do? Laugh at IBM? Say "It can't happen to me." Look at all those experienced, computer-wise IBMers who ran CHRISTMA EXEC. Oh yes, there will be flames . . . platitudes about NEVER using any software which you haven't written yourself - or is written by someone you TRUST ABSOLUTELY :-) . . . flames about chain letters and viruses on the network . . . their authors should be boiled in oil / set in RA81 air filter glue / sentenced to do 10 years of RSX SYSGENs / locked in a room with only an IBM PC / (substitute your favourite nightmare here). Let's just think a little before flaming.

Could a "harmless" CHRISTMA-like virus attack a VAX/VMS system? A recent network posting (RISKS?, LINKFAIL?) mentioned the possibility of a virus hidden in SHAR files which are _executed_ as .COM files to unpack them. SHAR files are, after all, an excellent method for _reliable_ software distribution over gateways. (This is not meant to reflect negatively on Michael Bednarek in any way - VMSHAR is a great contribution and we all have used it or will use it.) But . . . nobody unpacks one of these distributions with PRIVs turned on, do we? Could such a virus, like CHRISTMA EXEC, replicate from a non-privileged account (apart from doing a SET PROC/PRIV=ALL quietly in the middle of the file)? Certainly, VMS Mail won't allow wildcard SEND (and JNET won't allow a wildcard SEND/FILE), but, for example, a .COM file could do a SHOW LOGICAL/OUTPUT=CRACKER.TMP, look for logicals with syntax "jnet%", "BITNET%", "IN%", etc. and try mailing itself to these addresses.
(No flames about giving state secrets to the enemy, please. Blind Freddy could have seen that one.)

We may not be able to read a SHAR file in its entirety (looking for a virus in a few thousand blocks of code), but I for one am certainly going to "quarantine" it as far as possible, SEARCHing it for more than a few key words before unpacking it from a non-privileged (either default or authorized) account. Further suggestions from the more devious minds on the list would be welcome, please.

Ignorance may be bliss, but it is definitely NOT SAFE. Most if not all of us have public domain software running on our systems - or programs written by students and our colleagues (trustworthy, of course :-} ). How many VAX/VMS systems do _not_ use at least one piece of DECUS software? This PD software, even if not essential, makes life easier and/or saves hours of work. Software exchange isn't going to stop now, nor should it. We must be vigilant, both for our own safety, and as a responsibility to colleagues on the network. We must make all reasonable efforts to check before executing software ourselves or posting it to the net - or making it available for FTP or putting it on a BITNET LISTSERV. CHRISTMA EXEC comes but once a year, but a virus can be forever.

Comments from the Info-VAX gurus would be appreciated. What are the guidelines for "safe software exchange"? What are the best methods of checking software for viral contamination, granted that we are going to continue to exchange it?

John Pym

BITNET: PYM@QUCDNSUR                  Real life: Dr. John Pym
        (POSTMASTER@QUCDNSUR)                    Department of Surgery
Telephone (613)549-3898 - office                 Queen's University
          (613)548-4879 - home                   Kingston, Ontario
          (613)541-7792 - cellular               CANADA  K7L 2V6
Chairman, THISLUG (DECUS Thousand Islands LUG)