Something Wicked This Way Comes

A 2007 Outlook on Viruses and the System i

If Shakespeare were alive today, his outlook on viruses in 2007 might be "once more unto the breach, dear friends." And if this past year is any indication, he'd be right. The malware landscape won't be getting better any time soon. New threats are emerging at breakneck speed, and the potential consequences are alarming.

In terms of System i, the traditional view of the system as an impenetrable island is a recipe for disaster. In this article, I'll take a look at some trends and predictions and speculate on how they could affect you. I'll also offer advice on how to take preemptive steps to help shelter your operations from a cyber world teeming with digital germs.

I Would My Horse Had the Speed of Your Tongue

Well, at least the speed of virus propagation. It was just over two years ago, on September 20, 2004, that McAfee's AVERT Labs announced the addition of the 100,000th threat to its database. It took years of building to hit that magic number—18 years in fact. Surely, it would be some time before the next milestone was reached.

As it turns out, the wait was less than two years. On June 30, AVERT added the 200,000th threat to the database; and the outlook is bleak. They expect the 300,000th to be added before the end of 2007. Where before it took 18 years to create 100,000 threats, now we can do it in 18 months.

Vexing the Dull Ear of a Drowsy Man

By now you've heard a lot about how the traditional view of the AS/400 holds that the virus threat does not pertain to IBM's powerhouse. In days gone by, there was great reason to put faith in this belief, and still today the modern AS/400—the System i—boasts some of the strongest security out there. So why do these ever-accelerating numbers matter to System i shops?

The reality is that the virus threat does pertain to System i just as it pertains to all other platforms, from Windows to Linux to even Symbian OS. Today, System i finds itself in environments that include networks of client PCs running Windows, other servers running flavors of UNIX or Linux, and even partitions with AIX or Linux installed on the System i box itself. Workers plug a variety of devices into the network—laptops, flash drives, external hard drives, iPods—and pop CDs and DVDs into drives that can ultimately lead to System i.

Once on System i, malicious code can hide undetected until activated by a client PC. System i is a digital-age Typhoid Mary that can infect others while showing no symptoms. Repeated infection of the network by the same source file can result and can make cleanup and elimination of viruses difficult.

The call for virus protection on System i has been quietly building for years and has been a hot topic of discussion since 2003. Opinions come down strongly on both sides, some believing the threat to be real and others believing that it's much ado about nothing. But to believe the latter is to ignore the realities of today's environment. It matters not what may have been true 10 years ago or even 10 months ago. In the here and now, preemptive action is urgent and mandated not only by best practices and the need to soothe customer fears, but also by regulatory requirements. 

O, How Full of Briers Is This Working-Day World!

At the end of November, AVERT released its predictions for the top 10 security threats for 2007. Based on experience and the events of 2006, this team of expert researchers sees a more dangerous world ahead. Here are some of their predictions, along with explanations of how they might affect you.

Identity Theft and Data Loss Continue to Be a Public Issue
At the heart of today's malicious code industry is the use of malware by organized crime to steal identifying and potentially profitable data. That should be a concern to business because what could be a better source of information than the server of a financial institution, a medical facility, an educational institution, or a government agency? To a criminal, a System i box could be the proverbial goose that laid the golden egg. To execute such an attack would not necessarily require a piece of malware that runs on i5/OS. One would merely need access to a computer with a connection to System i that is capable of executing the code and the plan.

Bots will Increase
One such tool that could pose a real threat are computer programs that perform automated tasks—known as "bots." Popular in attacks and scams carried out through Internet Relay Chat (IRC) communications, AVERT predicts that bots will move away from IRC in 2007 and into less-obtrusive roles. And although not the current role of a bot, someone with knowledge of System i could potentially create one that would run on a client PC with *ALLOBJ authority and carry out a series of tasks that would capture critical information, copy it from the system, and pass it outside the organization.

Parasitic Malware Is Making a Comeback
This is another development that could change the game. We've seen a sharp decline in viruses that modify existing files in recent years, to roughly 10% of all malware. But if AVERT's prediction of a comeback turns out to be true, it could mean increased risks for mutated files sitting quietly on file servers just waiting to be activated. Because of this, it is ever more important to scan all files where they are housed, regardless of the platform.

Vulnerabilities Continue to Cause Concern
Yes, we're talking Windows, but the savvy System i administrator sees a Windows vulnerability as a potential open door to unauthorized access to other parts of the network, including System i. In 2004 and 2005 combined, Microsoft patched 62 critical vulnerabilities. As of mid-December, the number was 78 for 2006 alone. Those who move to Windows Vista may see a temporary drop in vulnerabilities affecting them as virus writers look for chinks in Microsoft's new armor, but since most businesses will not rapidly make the jump, it will likely be more of the same for organizations already drowning in a sea of patches.

Web-Based Video Becomes a Virus Carrier
AVERT anticipates that, with the popularity of communities like MySpace and YouTube, malicious code writers will achieve a high level of success using video formats to transmit viruses. Given that there is a good chance that workers are accessing these sites and videos from the office (unless proper restriction on Web access have been put into place), Web-based video could become a common and effective way for outsiders to gain access to your network, take control of client PCs, and even find their way onto System i through computers with open connections.

Increased Mobile Attacks
Less a threat to System i than to overall security, a new breed of mobile-based malware could create new challenges. In any IT environment, there is more to effective security than just software solutions, and the potential of malware to turn mobile devices into spy tools may be yet another vector to guard. One piece of spyware that AVERT reports detecting in late 2006, SymbOS/Flexispy.B, can remotely activate the microphone on a Symbian OS-based device, while still other spyware can activate the camera that comes built into most cell phones these days. Extrusion and corporate espionage may be acquiring a stealthy new tool courtesy of malware.

Other Predictions
Although there isn't space here to discuss the other four AVERT predictions, here they are: an increase in the number of password-stealing Web sites; an increase in the volume of spam, particularly image spam; adware going mainstream with commercial PUPs (Potentially Unwanted Programs); and an increase in the number of rootkits for 32-bit platforms, accompanied by an increase in the capabilities of tools to protect against and remedy the rootkit threat.

Time Will One Day End It

The eventual targeting of System i is inevitable, whether it is done in a direct manner—through code crafted specifically for i5/OS—or indirectly, through many of the ways described above. With System i at the heart of so many organizations, the rewards are too great for today's highly organized and professional crime syndicates to ignore forever. Could 2007 be the year?

For several years, there has been a growing focus on attacks against vertical sectors such as banking, healthcare, and education. Despite the insistence by some users that it is simply impossible to directly attack i5/OS and its earlier OS/400 incarnations, anything is possible. The elegance and effectiveness of such an attack lies with the skill and ingenuity of the attacker. With easy access to an operating system, brilliant coders can find weaknesses, as evidenced by the 78+ patches made to Windows over the past year.

It may be that one of the biggest obstacles to crafting an attack against System i in the past has been the specialization of the system and its high cost, which has kept it out of the hands of traditional virus writers. With the lowering of prices and the transition of virus writing from "for kicks" programmers to organized crime, the lack of easy access may be disappearing.

Of course, there is a good reason for the stability and security of i5/OS, and mere access doesn't mean that the operating system's superior design and integrity will be quickly cracked and native viruses will suddenly appear. But the ingenuity of mankind has proven time and again that when the will is there, anything is possible.

Necessity's Sharp Pinch!

Sometimes it's hard to get moving on the things we know we need to do. But with the extraordinary jump in threats that we saw in 2006, both in number and variety, and with the bleak outlook for 2007, we're at a critical point where quick and thorough action must be taken.

A good starting point is, of course, software. It is imperative to deploy anti-virus solutions on all systems and platforms in your network, including Windows, Linux, AIX, OS X, other UNIX variants, and, yes, even System i. Not only is this a best practice that provides protection at all operating system entry points, it is even part of the recommendations from the National Institute of Standards and Technology (NIST) in special publication 800-83. Page E-2 states, "NIST strongly recommends that organizations deploy antivirus software on all systems for which satisfactory antivirus software is available." Additionally, the same page also recommends "having malware and spyware protection mechanisms on various types of hosts, including workstations, servers, mobile computing devices, firewalls, e-mail servers, and remote access servers."

Beyond anti-virus software, additional measures should be taken to help militate against the threat of malicious code:

  • Increase physical security. Add monitoring capabilities to help track user activity (particularly useful in investigating and preventing unauthorized after-hours activity).
  • Restrict Internet access to essential, business-related sites.
  • Educate company staff on the ways in which viruses are transmitted and activities to be avoided.
  • Log and regularly audit activity on the system.

With aggressive and broad measures, the threat of a virus wreaking havoc on your network can be mitigated. Action is eloquence.

To Be or Not to Be

Whether the speculation herein becomes reality, only time will tell. Some things are certain: The number of new threats will grow dramatically in 2007, mobile devices will become a greater target than they were last year, and the public will remain very concerned about identity theft and will demand accountability and preventative measures from the companies with whom they do business. We have heard the chimes at midnight. Now, with these possibilities as food for thought, let's kick off 2007 with decisive action to slam the door on exposures.


This article was originally published on MC Press Online and is reproduced here for portfolio purposes.