When Malware Attacks Your IBM i, AIX, and Linux Servers

Dear employees,

Unfortunately, our servers were attacked by malicious software that held us hostage for ransom about two
months ago. We paid the ransom, but IT has been unable to bring our systems back online. After we were hit
with this terrible virus, we had no way of processing funds or sending statements to our customers. Despite our
best efforts to keep the business running, we have no choice but to suspend operations indefinitely.

This is essentially the message a CEO was forced to send employees after its servers were hit with ransomware. The entire company—an IBM i shop—shut down, leaving more than 300 people without a job.

Cybercriminals have found organizations more profitable than individuals in recent years. Throughout 2023, cities like Dallas and Oakland made headlines with crippling malware infections. These attacks are no anomaly—IBM’s latest Cost of a Data Breach Report revealed that 83% of organizations reported having more than one data breach in 2022.

Though law enforcement agencies advise against paying the ransom, many businesses do out of desperation. But paying the ransom is no guarantee that access to systems and data will be restored. Many cybercriminals don’t have the key needed to decrypt the data or have simply deleted everything.

Power systems servers running IBM i, AIX, and Linux are not immune. As in the earlier example that left hundreds jobless, ransomware attacks can bring critical business operations to a halt.

Imagine what would happen if you unplugged your server running IBM i, AIX, or Linux. If disrupting day-to-day operations would cause problems, it’s time to look for ways to avoid unplanned downtime and the loss of critical systems and data.

A robust malware defense could save a company millions of dollars in lost productivity, breach investigations and remediation, negative publicity, lost customers, and lawsuits. This guide is your primer on protecting your servers from viruses and other forms of malware.

Malware has been around for decades, and businesses know they need to protect PCs from these malicious programs. But many organizations don’t realize that server-level malware protection is equally important.

Anti-malware software for your IBM i, AIX, and Linux servers won’t replace your PC software. It’s another layer of protection— and one that’s critically important but too often overlooked.

“A company had cleaned up from a ransomware attack. Five years after the recovery, they scanned their IBM i and found that the ransomware was still present in the IFS and the files had been accessed recently,” says Amy Williams, Senior Security Consultant, Fortra.

Linux servers have also been targeted.

Mike Davison, a Senior Technical Consultant at Fortra, has found that “Linux servers are hosting a substantial number of critical applications in the data center. Attackers target them because they know the infection will spread to all the users who access those servers."

In this guide, we’ll examine the real-world consequences of malware attacks on servers and investigate why PC anti-malware programs fall short for IBM i, AIX, and Linux. We’ll also identify your alternatives, with tips for implementing a robust malware protection solution.

By definition, malware is any software intended to damage or disable computers or computer system. When the damage occurs on a server that runs mission-critical applications, the effects can spread quickly.

When ransomware struck the city of Dallas in May of 2023, it brought many of the city’s operations to a griding halt. According to American City and County, “The cyberattack shut down municipal courts, library computers, online payments, and restricted record keeping. It delayed services, caused some departments to suspend normal operations, and forced emergency dispatchers to take down information by hand and share it via radio.”

Server-level virus scanning helps you avoid these outcomes.

Protecting work stations is an important part of your malware defense, but there are many ways relying solely on PC software leaves your systems vulnerable. Here are some situations where PC-based malware scanning won’t protect servers:

1. Outdated Software and Software That’s Not Running

Every time new viruses or malware come out, software companies need to get a copy of the program to define it. Those definitions are what enable malware scan engines to detect the malicious programs. Undefined malware can make its way onto the system undetected.

Once the virus or malware is in your system, the damage begins.

“Some viruses morph to stay ahead of the antivirus program. A virus that has changed during the time it’s been on a system won’t be detected with the original virus definition,” explains Sandi Moore, Lead Solutions Engineer, Fortra. Moore has spent more than a decade helping businesses in a variety of industries protect their IT assets from malware.

Without the latest updates, your anti-malware software won’t know what new threats exist and it won’t be able to protect your system.

And if a PC user stops the software from running, you have no protection. This might sound far-fetched, but users are a variable you can’t control. Some might accidentally shut off malware and virus scanning. Or someone from your Help Desk may intentionally shut it off while troubleshooting a problem and forget to re-enable it.

No matter what the reason is, the result is the same: no malware protection for that machine. Without server-level protection, your organization is in danger.

2. VPN Connections

Employees working remotely often use VPN to connect their personal devices to your network. Depending on the VPN software you use, you may have no control over whether these computers are running antivirus or anti-malware software, or if they are, whether the software is up to date. If the devices your employees use have no malware protection, outdated protection, or the software isn’t running, a virus could find its way onto your network.

3. Work Stations Aren’t the Only Source of Viruses and Malware

Malware often gets onto a server when someone uploads an infected document to a directory. But that’s not the only way it happens.

Many companies use EDI (electronic data interchange) for e-commerce. They take in orders by receiving a file into a directory via FTP. But when the FTP server sending the files has no antivirus software running, there's no way to catch an infected file prior to being written to the directory.

If you’re using FTP to transfer files in from a trading partner, your system is at risk if the originating server lacks malware protection. This is true even if your work stations have a robust scanning mechanism in place.

4. Using Pc Software to Scan a Server Requires a Dangerously High Level Of Access

Here’s the situation: you’re using a laptop with anti-malware protection and you want to use it to scan a server. You map your drive to the server and you have a list of all the folders you want to scan from the PC. The problem is that the scanning software still lives on the PC—not the server. But because the data resides on the server, it must be transferred to the PC to be scanned. This method produces numerous security exposures and puts data at risk.

This process also causes significant network traffic— especially if the directory contains thousands of files, as is the case in many organizations.

Data is being sent over the network in the clear, giving the opportunity for someone to “sniff” or read the data as it’s being passed between the server and the PC. Running scans from a PC against a server often results in false-positives, as the PC-based software doesn’t understand the nuances of files created on server-based operating systems.

To enable the scan, a share must be defined for the directory on the server—most often a share to the root directory to enable the entire server to be scanned. This share itself opens a vulnerability. Others can map a drive using this share, opening further opportunities for malware to infect the server.

Finally, to be able to scan all files and to be able to quarantine and/or fix issues, the user mapping the drive to the server must be a powerful user—one that has authority to every directory to be traversed and every file to be scanned.

If the powerful user perpetually leaves their PC mapped to the server, and access to the user’s PC is not secured, this connection can be used to gain access to data as well as download, destroy, or replace files and executables, not to mention be a means by which malware can infect the server.

“When you’re doing PC scanning, you need access to everything on the server in order to scan everything. Having such a high level of access from a laptop that’s not being monitored closely, or that doesn’t have up-to-date virus definitions, or that could be hacked into—well, the hackers and the viruses would have full access to your system, too,” says Moore.

“One of the worst cases I’ve ever seen was at a company using an IBM i server where someone with all object special authority (*ALLOBJ) mapped a drive to their server on Friday afternoon. On IBM i, *ALLOBJ grants the authority to manipulate nearly any object on the system. This person didn’t realize what they’d done, and left the PC up and running all weekend.”

“At some point before leaving, they opened an email with ransomware files. The malware went through the entire server—the IFS on their IBM i—and it encrypted over 500,000 files. Because of this, their regular end-of-day activities were halted. That’s how the attack was finally discovered the following week.”

The malware affected the entire system and it took nearly a month to restore everything from backups.”

Image

This screenshot shows the result of the client's initial virus scan.

Scanning your servers with PC software is a security concern for every operating system. Native malware scanning eliminates these risks by using software that’s built specifically for the operating system you’re looking to protect.

Scanning a server from a work station creates a security risk because of the vulnerabilities associated with mapping a drive to the PC. Native scanning eliminates the need for a mapped drive, and it carries other advantages.

Security: Native scanning doesn’t require a PC or a mapped drive connected to the root folder with unlimited authority and no data is transferred over the network unencrypted.

Reliability: Native scanning utilizes any virus scanning support built into the OS, such as IBM i’s antivirus exit points and system values. The process is fully automated and files can be scanned easily, with all detected threats removed promptly.

Stability: Lost connections, pop-up warning messages, and lost power can all cause a PC-based scan to stop. Native solutions eliminate this issue.

Performance: Native scanning is faster than PC scanning because the native program knows what scan attributes to use for all files on the system. Native programs don’t increase your network load, don’t reset a file’s “last access time,” and allow for more frequent scanning.

“It doesn’t matter what platform you’re scanning. You need to be using software that’s built for that operating system. That’s what native scanning is,” says Moore.

According to the conventional wisdom, malware scanning isn’t necessary for AIX and Linux because there aren’t many malicious programs that affect those operating systems. But this isn’t true and IT professionals are beginning to realize it.

“If your AIX and Linux servers are vulnerable, then the websites and services that these systems provide are also vulnerable. People who utilize these services can become infected from— or transfer their prior infection into—your data center. Attackers are exploiting any vulnerability they can to compromise and commander data center resources,” says Davison.

For years, many IT professionals weren’t scanning IBM i servers at all because they believed the myth that IBM i is immune to viruses.

It’s true that the OS cannot be infected by a PC virus, but IBM i’s IFS can facilitate the spread of malware.

If the IFS on the operating system is used as a file server for PC files, the files stored on the IFS may carry viruses. An infected file that is moved or saved from a PC to the IFS and then redistributed to another PC can transmit a virus to the new PC.

Moore explains, “With malware, IBM i is comparable to Typhoid Mary. Your IBM i server might not be affected by the malicious program, but it can act as a host and deliver mechanism, spreading the malware to the rest of your network.”

Your IBM i server might not be affected by the malicious program, but it can act as a host and deliver mechanism, spreading the malware to the rest of your network.”

It’s understandable to believe your system is safe if you’re not using the IFS. Amy Williams has heard this before.

“The IBM i operating system itself lives in the IFS, which means every IBM i is reliant on the IFS,” Williams says.

The malware threat to these servers is real and the damage can be devastating, especially considering IBM i, AIX, and Linux are often used in industries that value reliability, such as finance, retail, and healthcare.

Recently, the healthcare industry has become a common target for ransomware. Giving healthcare providers timely access to patient data is essential to delivering quality care. The attackers know this and believe hospitals are more likely to pay the ransom to restore access to data.

The Fortra Security Services team worked with a healthcare organization after it was hit by two different malware attacks in one week.

The first one targeted and renamed directories; the second was ransomware. In the process of resolving the first attack, the company stopped sharing root. Fortunately, this reduced the data that was encrypted to just the PC of the user who opened the infected attachment.

There are three things every IBM i systems administrator should do to prevent malware from spreading throughout the system:

1. Do not share root. Sharing root shares not just the IFS but also /QSYS.LIB (all the libraries on the system). If root must be shared, reduce it to a read-only share.
2. Reduce the *PUBLIC authority of the root directory. Change the default of DTAAUT(*RWX) OBJAUT(*ALL) to DTAAUT(*RX) OBJAUT(*NONE). This is the equivalent of changing *PUBLIC(*ALL) to *PUBLIC(*USE).
3. Run native antivirus software on all servers and keep the scan engine and virus signatures up to date

No matter what server you’re using, regularly identify vulnerabilities and ensure the server is securely configured.

“By turning off services and network ports your applications you don’t need, you minimize your attack surface and give threat actors fewer places to reach you. This reduces your vulnerability even before you run a virus scan,” says Davison.

There’s still a perception that viruses don’t exist in the IBM i, AIX, and Linux environments. While they may not be the most common targets, threat actors are now indiscriminately sending self-spreading infections to see how far and wide the net will stretch. Any device lacking protection may be infected or impacted. And many organizations have experienced the consequences: malware can have a devastating effect on IBM i, AIX, and Linux servers.

If you’re responsible for protecting these environments, scanning for malware needs to be part of your cybersecurity plan—especially if you’re covered by a compliance mandate that requires it, such as PCI DSS or HIPAA.

Here’s how you can best protect your mission-critical servers: 

• Make sure you’re using anti-malware software that runs natively on the OS
• Update virus definitions daily
• Implement on-access scanning
• Schedule weekly full-system scans
• Schedule daily scans over directories with sensitive data
• Scheduling can be done via cron tab (for AIX and Linux) or third-party software
• Review logs for scan results

If you’re not already scanning your IBM i, AIX, and Linux servers, now is the time to start.

Recovering from a malware attack is expensive and difficult (and sometimes impossible!), but protecting your system is very simple. To see for yourself, start with a free virus scan from Fortra. We’ll guide you through the process, and any viruses on your server will be detected and removed.