[comp.virus] the CHRISTMA EXEC on BITNET and VNET

U27745%UICVM.BITNET@VMA.CC.CMU.EDU (07/22/89)

At the time of the CHRISTMA EXEC I was a student mainframe consultant,
and I don't recall BITNET being crippled by this program.

2 copies of the program were sent to my reader and I just ignored
them.  Later when I had the time to look at them I went to my reader and
voila, they were gone!  I asked my boss what happened to the files.
He ran a program that went through the system and removed all copies of
the program from everyone's reader and minidisk.  He took this a bit
further by having RSCS (VM's communication server) purge all files
going through our node named CHRISTMA EXEC.

I've heard that VNET was crippled by the CHRISTMA EXEC.
I've heard that IBM actually had to shut down
their RSCS servers and then purge the files from each machine.
They have since done 2 things ( that I know of) to prevent future
instances.

First off, when one receives an EXEC from their reader
the filetype is changed from EXEC to CEXE to prevent execution
of the program.
Secondly, it is now very hard to get files/mail into VNET.
I've been trying for some time to find a route for BITNET<->VNET
and haven't been successful. (( any help with this would be greatly
appreciated!! ))
</gra_replace>
<gr_replace lines="30-31" cat="clarify" orig="As a sidebar">
As a sidebar, the reason I think the 2 nets were affected differently
is because these nets are used differently.  On BITNET most nodes are

As a sidebar, the reason I think the 2 nets were effected differently
is because these nets are used differently.  On BITNET most nodes are
primarily used for 'things' other than E-Mail.  So when the RSCS servers
started using too much CPU time, systems people got curious and found
out what was happening. IBM on the other hand uses VNET primarily for
E-Mail and with 300,000+ people (my guess) using E-Mail one would expect
RSCS to suck a lot of the systems resources.
This made it less obvious and the longer the CHRISTMA EXEC went
unchecked the harder it was going to be to eradicate.

Include standard disclaimers here:
A) These opinions are mine; MINE, ALL MINE!!
B) I've been wrong before

Bob Johnson << u27745@uicvm.uic.edu >>

CHESS@YKTVMV.BITNET (David M. Chess) (07/24/89)

While I was lucky enough to be on vacation when CHRISTMA hit
VNET, my impression is that (press to the contrary), VNET
handled it about like BITNET did: a few nodes shut down or
cold started, but most just installed and ran some filters
on RSCS and local spool.   Lots of human and CPU time and net
bandwidth wasted, but not a system-wide shutdown.  This is
just an unofficial impression, of course!

As far as I know, it's no harder to get a file from BITNET to
VNET now than it was before CHRISTMA; the person you want to
talk to on the VNET side has to be authorized with the gateway.
Exactly how an IBMer gets authorized for BITNET access varies
with site/division/etc.   I'm authorized, for instance, and I
can be sent mail from BITNET just by sending in the normal way
to CHESS at YKTVMV (let's not all try this just to be sure it
works, of course!  Hehe).

DC
IBM T. J. Watson Research Center

HALLEN@oregon.bitne (Hervey Allen, U of O Comp. Ctr., (503) 686-4394) (07/25/89)

I have been reading the discussions on VM/CMS as pertaining to viruses and
security with some interest.  I was the Senior Consultant/Programmer at a
small college for a system running VM/CMS when the CHRISTMA EXEC program
was making its rounds.

There were two of us who had complete control over the machine we were
working on (a 4341-2 w/1500 accounts) which made it extremely easy to spot and
eradicate the CHRISTMA EXEC.  We routinely checked the number of Reader (mail)
files on our machine.  We noticed an increase in files over the span of a few
hours that was unusual so we checked our RSCS spool to see if anything unusual
was happening and spotted the CHRISTMA EXEC file showing up repeatedly.  We
then took a look at the CHRISTMA EXEC (which we had both received) and
realized what it was doing.  At this point we wrote a few lines of code to
search for all occurrences of the CHRISTMA EXEC on the system (in Reader or
on disk) and to delete any that were found.  We warned our users not to run
the CHRISTMA EXEC (in case we missed any) and then we periodically checked
for the EXEC over the next few days.  We did not think of putting the check
directly into RSCS, which is a better idea.

The reason I bothered to write this was to make note of the possibility that
those places where people dealt directly with their machines and the operating
systems seemed to catch the CHRISTMA EXEC almost immediately, whereas on the
IBM VNET many of the machines ran systems such as PROFS that separate the
users from the operating system and most of the machines were maintained by
a larger number of people who had less direct control over their
environments.  I'm not advocating either system over the other, but, to us, it was
interesting how trivial a problem the CHRISTMA EXEC was to deal with.  On
IBM's VNET, however, the offending program was not noticed until network
traffic had become so high, and system spool resources were becoming full
enough (I assume) that they were forced to shut the network down.

This begs the question as to whether or not systems that are designed to be
user friendly and administrations that are set up to keep access to data
restricted are more susceptible to viruses/worms/trojan horses.  I don't
expect to answer this question, but it does seem to be a recurring theme
when dealing with viruses.

Hervey Allen  <<Bitnet:   HALLEN@OREGON.Bitnet>>
              <<Internet: HALLEN@oregon.uoregon.edu>>

Student Programmer/Virus Consultant
University of Oregon Academic Computer Services

| Disclaimer:  The opinions expressed here are my own and in no way reflect |
|              the opinions of the University of Oregon.                    |
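Both Bob Johnson's and Hervey Allen's posts describe the same three countermeasures: an RSCS-side filter that purges a file by its CMS "filename filetype" pair in transit, a sweep that deletes every copy already sitting in readers and on minidisks, and (on VNET) renaming a received EXEC to CEXE so it cannot be run by name. Hervey's site noticed the outbreak from an unusual jump in reader-file counts. The following Python is an added example written for this page, not code from either poster or from IBM; the real programs would have been REXX EXECs and RSCS exits. The spool layout, node names, user IDs and the alarm threshold are all constructed assumptions for the model.

```python
"""Toy model of the CHRISTMA EXEC countermeasures described in this thread,
run over a constructed VM spool. Added example: not code from the thread.

CMS names files by a 'filename filetype' pair (e.g. CHRISTMA EXEC). The
three measures modelled are: an RSCS-style filter that purges a named file
in transit, a sweep that deletes every copy already sitting in readers or
on minidisks, and the defanging rename EXEC -> CEXE on RECEIVE so that a
copy that slips through cannot simply be run by name. The reader-count
alarm mirrors how one site noticed the outbreak in the first place.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class SpoolFile:
    origin: str     # originating node (constructed field, not real RSCS metadata)
    dest_user: str  # reader the file is addressed to
    fn: str         # CMS filename
    ft: str         # CMS filetype


# Name-based blocklist: brittle (a renamed copy walks through), which is why
# the CEXE rename below is the more durable of the two measures.
BLOCKED = frozenset({("CHRISTMA", "EXEC")})


def is_blocked(f, blocked=BLOCKED):
    # Normalise case before matching; CMS names are upper-case on disk anyway.
    return (f.fn.upper(), f.ft.upper()) in blocked


def rscs_filter(inbound, blocked=BLOCKED):
    """RSCS-style transit filter: drop matching files, pass everything else.
    Returns (passed, purged) so the purged list can be logged."""
    passed = [f for f in inbound if not is_blocked(f, blocked)]
    purged = [f for f in inbound if is_blocked(f, blocked)]
    return passed, purged


def receive(f):
    """Defanging RECEIVE: anything arriving with filetype EXEC lands as CEXE,
    so the user has to rename it deliberately before it can execute."""
    if f.ft.upper() == "EXEC":
        return SpoolFile(f.origin, f.dest_user, f.fn, "CEXE")
    return f


def sweep(readers, minidisks, blocked=BLOCKED):
    """Cleanup pass over every reader and minidisk (dicts of owner -> files).
    Mutates both dicts in place and returns how many copies were removed."""
    removed = 0
    for store in (readers, minidisks):
        for owner, files in store.items():
            keep = [f for f in files if not is_blocked(f, blocked)]
            removed += len(files) - len(keep)
            store[owner] = keep
    return removed


def reader_growth_alarm(hourly_counts, factor=3.0):
    """True when the newest reader-file count exceeds `factor` times the mean
    of the earlier samples. The factor is an assumed tuning value."""
    if len(hourly_counts) < 2:
        return False
    *history, latest = hourly_counts
    baseline = mean(history)
    return baseline > 0 and latest > factor * baseline


if __name__ == "__main__":
    # Constructed inbound queue: two copies of the chain letter, one real note.
    inbound = [SpoolFile("NODEA", "ALICE", "CHRISTMA", "EXEC"),
               SpoolFile("NODEB", "BOB", "christma", "exec"),
               SpoolFile("NODEC", "CAROL", "NOTE", "NOTE")]
    passed, purged = rscs_filter(inbound)
    print(f"RSCS filter: passed {len(passed)}, purged {len(purged)}")
    print("defanged:", receive(SpoolFile("NODEA", "ALICE", "HELLO", "EXEC")).ft)
    print("alarm:", reader_growth_alarm([40, 45, 38, 42, 400]))
```

The filter and the sweep are the same predicate applied at two points (in transit, and at rest), which is why Hervey notes that putting the check into RSCS was the better idea: it stops new copies before they reach a reader, while the sweep only cleans up what already arrived.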