Malware on AS/400 IFS - HelpSystems

3 Ways Malware Can Reach Your IFS

Even experienced IBM i admins sometimes question whether malware protection is necessary for this platform. It's true that IBM i (AS/400, iSeries) can't be infected by a PC virus. But anti-malware software is necessary to prevent the IFS from acting as a host and delivery mechanism for viruses and malware, and to prevent viruses from indirectly affecting IBM i operations. 

If the integrated file system (IFS) is used as a file server for PC files, the files stored on the IFS have the potential to carry viruses. An infected file that is saved from a PC to the IFS and then redistributed to another PC can transmit a virus to the new PC.

Let's examine three specific ways viruses and malware can get onto the IFS.

Mapped Drives

One way a virus can be spread to the IBM i is through mapped drives. A mapped drive is an easy way of storing or sharing PC files on the IBM i.

In Windows, the typical way to map a drive is to use Windows Explorer, choose Tools, then select Map Network Drive. For administrative purposes, some users share the entire file system, commonly referred to as root.

Once IBM i is mapped, it can be accessed through browsing and shows up as just another network drive on the PC. Users can easily save files to the IBM i using the Save As function. Once a drive is mapped, if that PC becomes infected, the virus can spread to the IBM i: any file on a mapped drive is visible to the virus.

A virus can also map a drive without your knowledge using the Windows NET USE command in a script. A virus can copy a text file to the mapped IBM i drive and overwrite the Client Access setup.exe file. Viruses can change files for the purposes of spreading to other computers, and once they are read by other computers they can be launched automatically without the user's knowledge. For example, there have been numerous viruses that alter JPEG files, and then when a user with Internet Explorer views a page with that altered JPEG file on it, the PC becomes infected and the virus has spread to a new host.


Image Catalogs

Image catalogs, NFS mounts, and UDFS mounts are yet another way viruses can spread between servers. An image catalog is basically a file that appears to another system as a CD, and is often used for loading software. IBM i uses image catalogs to load Linux on a partition. Viruses that have infected a file in the image catalog or virtual drive will be loadable by any remote server that uses them.

Client Access

Client Access has been another source of virus outbreaks. We had a customer contact us about a problem they were having with viruses on their network that kept reinfecting their PCs, despite all of their cleanup efforts.

To make a long story short, the PCs were all running Client Access (which we all do), and the setup.exe file for Client Access, which is located on the IFS, was infected. Each time the PCs ran an automatic update, which was every day, they would run the setup.exe file on the IFS and start the virus infection all over again.

Are Windows Viruses a Threat?

There is often confusion around whether Windows viruses can affect IBM i—meaning impact IBM i performance. Here's the deal:

  1. Viruses cannot hide inside RPG and CL programs
  2. Viruses cannot hide inside Physical and Logical files
  3. IBM i cannot run .exe files that contain viruses
  4. IBM i can run Java and UNIX executables that contain viruses
  5. Viruses can hide inside Java and UNIX stream files
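
The Client Access incident above and items 3 to 5 of this list both come down to knowing which stream files on the IFS carry executable content and whether they have changed. The following is an added example, not HelpSystems code: it classifies files by their leading bytes, hashes them, and compares the result with a known-good baseline. It assumes the IFS tree is reachable as an ordinary directory path (for instance under PASE or through a read-only mount); the function names, the list of magic bytes and the sample files are constructed for illustration.

```python
import tempfile
from hashlib import sha256
from pathlib import Path

# Leading magic bytes for content types this page names (the list is an assumption).
MAGIC = [(b"MZ", "windows-exe"), (b"\xca\xfe\xba\xbe", "java-class"),
         (b"PK\x03\x04", "zip-or-jar"), (b"\x7fELF", "elf"),
         (b"\x01\xdf", "xcoff32"), (b"\x01\xf7", "xcoff64"), (b"#!", "script")]

def classify(head):
    """Name the content type from a file's first bytes."""
    return next((kind for magic, kind in MAGIC if head.startswith(magic)), "other")

def snapshot(root):
    """Map relative path -> (content type, SHA-256) for every file under root."""
    snap = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            data = path.read_bytes()  # whole-file read keeps the example short
            rel = path.relative_to(root).as_posix()
            snap[rel] = (classify(data[:4]), sha256(data).hexdigest())
    return snap

def compare(baseline, current):
    """Report changed files, new executable content, and .exe files lacking MZ."""
    findings = []
    for path, (kind, digest) in sorted(current.items()):
        if path.lower().endswith(".exe") and kind != "windows-exe":
            findings.append((path, "exe-without-mz-header"))
        if path not in baseline and kind != "other":
            findings.append((path, "new-" + kind))
        elif path in baseline and baseline[path][1] != digest:
            findings.append((path, "changed"))
    return findings

def demo():
    """Constructed sample: setup.exe on a share is overwritten with text."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 62)  # known-good stand-in
        baseline = snapshot(root)
        (root / "setup.exe").write_bytes(b"plain text, not a program")
        (root / "Helper.class").write_bytes(b"\xca\xfe\xba\xbe\x00\x00\x00\x34")
        (root / "notes.txt").write_bytes(b"meeting notes")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

A check like this only reports that a file changed or that new executable content appeared; deciding whether the content is malicious still requires a scanner.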

Windows viruses can affect IBM i, for example:

A DOS command could be issued to "delete all" from a directory, which is mapped to the IBM i. IBM i libraries will appear as a directory to a malicious program or virus running on the PC. The DEL *.* command could be used to delete all objects in an IBM i library, rendering the system useless.

Viruses can use the Client Access ODBC or JDBC driver running on a PC to execute commands through SQL statements. An example could be an Excel spreadsheet with a SQL command, which sends a CLRLIB QUSRSYS (Clear Library) command. At a minimum it would destroy everything the current user owns. If it were running under an administrator's profile, the virus would have enough authority to destroy the operating system.

Final Thoughts

While viruses and malware might not infect IBM i in the traditional sense, these malicious programs can have a devastating impact that includes entire days or weeks of downtime. If your organization is required to comply with mandates like PCI DSS, malware protection is required. Even if you're not affected by a government or industry requirement, consider whether the risk is worthwhile. Getting started with virus protection on IBM i (and AIX and Linux) is simple, and it begins with a free scan to identify any threats that are already on your system. Request your free scan today to begin protecting your mission-critical servers.
