
CIAC B-07

  

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________
Information Bulletin

BITNET Worm

November 5, 1990, 0800 PST Number B-7

PROBLEM: Self-replicating code (worm) on external BITNET RSCS systems
PLATFORM: IBM VM/CMS
DAMAGE: May flood the mail queue of the infected computers
IMMUNIZATION: RSCS filter program available from IBM at no cost

Critical BITNET Worm Facts

CIAC has been informed of a slow spreading worm on the external BITNET*
network that has affected IBM mainframe systems running the VM/CMS
operating system and the RSCS communications utility. Preliminary
reports indicate that this worm was first detected in late October, and
that it spread for approximately one day. The worm does not appear to
be spreading at this time, and we are aware of fewer than a dozen
systems penetrated by this worm so far. This worm is readily
identified by its characteristics and poor coding style. This bulletin
is to advise you that this worm may be released again sometime in the
future, possibly once the many coding errors that prevented a wider
spread are corrected. This bulletin is also to inform you about a
filter program available from IBM to protect against this and similar
security threats.

CHARACTERISTICS

The worm was initially named "TERM MODULE" and consisted of a REXX
program that displayed user nicknames on the user's screen. It was
apparently modified to additionally perform the following functions:

a. It attempts to copy itself to all users listed in the NAMES file of
the user executing the code. Due to programming errors, this will be
effective for only about 50% of the user names.

b. It sends a copy of the "ALL NOTEBOOK" back to the user. This is
not necessarily harmful, but may fill up spool space on the affected
machine.

DETECTION

The worm is easily identified when it is run, because it displays a
"pretty-printed" copy of the names file on the user's display
terminal. (There is an IBM function designed to print a copy of a
user's names file in a more easily readable format, a "pretty-printed"
format.) Since the IBM TERM command does not include this
functionality, this will be an easily identified anomaly. In addition,
the worm must be EXECUTED by the user in order to replicate. Specifically,
the user must receive the worm file from the reader application
and then either type the command "EXEC TERM" or accidentally execute the
code from the CP TERMINAL command.

COUNTERMEASURES

Sites running VM/CMS should install and use the RSCS filter program
(available free from IBM). This filter program is called the selective
file filter, and was announced in the IBM VM Software Newsletter (WSC
Flash 9013). Contact your local IBM representative for details. This
program can scan for file names or file types, then place them into the
punch queue for later identification and analysis. As a minimum level
of protection, all files with the name and type of "TERM MODULE"
should be examined prior to receipt by the user. Sites which do not
routinely transmit compiled REXX code may wish to wildcard the filename
and scan for all files with a filetype of MODULE. This may help to
protect against future versions of the worm that might have a different
file name.
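
The two screening levels described above (hold only "TERM MODULE", or
wildcard the filename and hold every file of type MODULE), modeled as an
added Python example. It is not IBM's selective file filter and does not
use its rule syntax; the rule format, the character check and the sample
queue are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# (filename pattern, filetype pattern, reason); '*' matches any run of characters.
MINIMUM_RULES = [("TERM", "MODULE", "name and type given in the bulletin")]
STRICT_RULES = MINIMUM_RULES + [("*", "MODULE", "wildcarded filename, filetype MODULE")]

# Simplified check (assumption): two tokens of 1-8 characters each.
_TOKEN = re.compile(r"[A-Z0-9$#@+\-:_]{1,8}")

def parse_fileid(text):
    """Return an upper-cased (filename, filetype) pair, or None if malformed."""
    parts = text.upper().split()
    if len(parts) != 2 or not all(_TOKEN.fullmatch(p) for p in parts):
        return None
    return parts[0], parts[1]

def screen(entries, rules):
    """Split (origin, fileid) entries into (deliver, hold); first matching rule wins."""
    deliver, hold = [], []
    for origin, fileid in entries:
        parsed = parse_fileid(fileid)
        if parsed is None:
            # Fail closed: an identifier the screen cannot read is held, not passed.
            hold.append((origin, fileid, "malformed file identifier"))
            continue
        for fn_pat, ft_pat, reason in rules:
            if fnmatchcase(parsed[0], fn_pat) and fnmatchcase(parsed[1], ft_pat):
                hold.append((origin, " ".join(parsed), reason))
                break
        else:
            deliver.append((origin, " ".join(parsed)))
    return deliver, hold

# Constructed sample queue; origins and file names other than TERM MODULE are made up.
SAMPLE_QUEUE = [
    ("USERA@NODE1", "term module"),
    ("USERB@NODE2", "STATS MODULE"),
    ("USERC@NODE3", "PROFILE EXEC"),
    ("USERD@NODE4", "WEEKLY REPORT"),
    ("USERE@NODE5", "TOOLONGFILENAME MODULE"),
]

if __name__ == "__main__":
    for label, rules in (("minimum", MINIMUM_RULES), ("strict", STRICT_RULES)):
        deliver, hold = screen(SAMPLE_QUEUE, rules)
        print(label, "held:", [(f, why) for _, f, why in hold])
        print(label, "delivered:", [f for _, f in deliver])
```

The strict rule set also holds legitimate MODULE files, which is why the
bulletin limits it to sites that do not routinely transmit compiled REXX code.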

It is EXTREMELY DOUBTFUL that the worm could execute on an MVS system.
Therefore, sites running the MVS operating system should not be
affected, even if they support the REXX language. These sites,
however, may begin seeing copies of the worm (which should not execute)
if MVS users routinely receive files from affected machines.

We recommend that you also notify users that they should not receive
and execute any program without first browsing it or discussing its
operation with the sender. The VM/CMS reader is designed to prevent
problems associated with executing unfamiliar programs, and should be
used for this purpose. If you receive an unknown file with a filetype
of EXEC or MODULE, immediately contact your computer security officer
for information and assistance. Please also notify CIAC, as we wish to
track any spread of this worm.

For additional information or assistance, please contact CIAC:

Thomas A. Longstaff
(415) 423-4416 or (FTS) 543-4416

or call (415) 422-8193 or (FTS) 532-8193

send FAX messages to: (415) 423-0913 or (FTS) 543-0913
___
* BITNET is a communications network among universities and industries
around the world.

Jim Molini of Computer Sciences Corporation supplied much of the
information contained in this bulletin. Neither the United States
Government nor the University of California nor any of their employees,
makes any warranty, expressed or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.
