Groundhog Day For Malware

May 11, 2022 Steve Pitcher

Say it with me: IBM i is NOT immune to malware.

A couple of years ago, I wrote a piece called The Real Effects of Malware on IBM i. I thought it laid out a pretty fun, yet frighteningly serious, story of having an argument with a gentleman on Facebook regarding what’s IBM i fact vs fiction regarding malware and how myself and my iTech Solutions colleague Nathan Williams proved it out with some homemade malware and hosed a test system in the process. It really just says everything it needs to.

So a few weeks ago I’m on Facebook again having the same argument with other people.

I’ll not besmirch the original poster’s name in this newsletter article. I just want to highlight his content of the conversation so I can add a few formal rebuttals after I’ve had some additional time to ponder. I’ve cleaned it up a little for the benefit of the readers.

“The IFS just like a UNIX or Windows file system is susceptible to viruses, the i/OS is NOT.”

Okay, this comment is pretty much false information. First, the IFS is called the Integrated File System because it’s exactly that. It literally contains ALL TEN IBM i file systems! Here they all are for good measure:

Integrated File System

1. Root File System
2. QOpenSys
3. LIB
4. IASP QSYS.LIB
5. QDLS
6. QOPT
7. 400
8. UDFS
9. NFS
10. QNTC

It starts with the Root file system of course.

Every other file system is underneath the root directory. Contained in various places within those file systems is the IBM i operating system. If you expose these file systems through SMB file shares via IBM NetServer, then they are 110 percent susceptible to malware.

“No, the IBM OS is NOT susceptible to Malware and PC Viruses. . . . IFS files are, of course, because they are just PC files anyway, but the architecture of the IBM i and its objects are not going to be attacked by viruses . . . in my 38 years of IBM midrange, including IBM Rochester support, sorry, you are wrong.”

Again, there’s a fundamental misunderstanding of what exactly the IFS actually is, and what is or isn’t susceptible to malware. And once someone pulls out the years of experience as a reason to accept their argument as gospel, then they’ve lost any leg to stand on. It’s a whopping non sequitur. If someone has 50 years in mathematics and tries to justify their belief that 2×2 = 17, then they haven’t got much actual evidence if the experience is their only argument.

Another gentleman said the following:

“The analogy which you use is the same as politicians do – scare an ordinary person because they are not educated in a particular area.”

Well, just because someone doesn’t like something doesn’t mean it’s not true. And I resent the politician comment.

Back to the original poster.

“If your system isn’t set up by a 2-year-old with no security, any system is open to hacking. . . but most people working in IT know how to secure their system in the very basic way. . . at least lock the door. . . .”

Well, I’m not going to denigrate anyone by saying if someone got breached then they set their system up like an infant. That’s just rude. And inaccurate. And completely unsympathetic to our fellow IT workers. People make mistakes. People may only have a PTF window to patch holes once a year. IT professionals inherit systems they may not know much about, and those systems have vulnerabilities they’re just not aware of. They’re playing catch up. As well, we’re all the victims of budgetary restrictions from time to time. If someone needs to secure their system but can’t get management buy-in for a security effort . . . well that’s unfortunate, but it’s not their fault.

Any system is open to having its vulnerabilities exploited, especially if steps are not taken to mitigate them.

But here’s the gist . . . many systems are not secured even in a very basic way. The AS/400 was designed as a system for business people, and it is not shipped secured. Implementing proper security is now an afterthought 33 years later for many. Unless it’s located in a financial institution or a heavily regulated industry, then more often than not it’s a soft target. There are exceptions to the rule, of course. Some shops really do a great job, but they are in the few and proud minority. I can give you two examples of penetration tests (from outside the firewalls no less) where I’ve exploited system security and elevated my authority. Once in 16 minutes and once in eight. IBM i community surveys and hard data from thousands of systems show that our community has a massive *ALLOBJ special authority problem. Default passwords galore. Password level 0 is the weakest and most common. Pair those with rampant shares of the root directory or people even using QSECOFR credentials to mount users to root directory shares and you have a perfect storm once an organization gets hit with malware.

So yes, I’ll agree with “at least lock the door.” People are getting there. They’re getting the message and doing something about it.

What those who haven’t heard the message actually need are cold, hard facts . . . and not misinformation to foster a false sense of security.

Steve Pitcher has been involved with IBM i since 2001 primarily in the manufacturing and distribution industries as a systems administrator, developer, IT manager, and IT director. He joined iTech Solutions as an account manager in 2017 in a combined sales/technical role, bringing additional expertise in security, IBM Lotus Domino, and WebSphere.

This content is sponsored by iTech Solutions.