True Stories from the Field
Businesses around the world are seeing an increase in malware attacks, including ransomware like CryptoLocker, Locky, and zCrypt. These attacks can result in weeks of downtime, and some of the most damaging data breaches originated with malware, including the Target breach in 2014.
A robust malware defense could save a company millions of dollars in lost productivity, breach investigations and remediation, negative publicity, lost customers, and lawsuits. This guide is your primer on protecting your servers from viruses and other forms of malware.
Malware has been around for decades, and businesses know they need to protect PCs from these malicious programs. But many organizations don’t realize that server-level malware protection is equally important.
Anti-malware software for your IBM i, AIX, and Linux servers won’t replace your PC software. It’s another layer of protection—and one that’s critically important but too often overlooked.
“One organization I worked with hadn’t scanned their server for malware in years. They didn’t see a need to do it regularly and didn’t expect a scan to uncover anything malicious,” says Robin Tatam, Director of Security Technologies, HelpSystems.
“When they finally scanned their IBM i server, they were shocked to find 248,095 files infected with CryptoWall, a highly destructive type of ransomware.”
On Linux, malware attacks increased 286 percent in 2015.
“Linux servers are hosting a substantial number of critical applications in the data center. Attackers target them because they know the infection will spread to all the users who access those servers,” says Bob Erdman, Security Product Manager, HelpSystems.
In this guide, we’ll examine the real-world consequences of malware attacks on servers and investigate why PC anti-malware programs fall short for IBM i, AIX, and Linux. We’ll also identify your alternatives, with tips for implementing a robust malware protection solution.
What is malware and how does it affect servers?
248,095 infected files are bad, but the effects of malware on servers can get much worse. By definition, malware is any software intended to damage or disable computers or computer systems. When the damage occurs on a server that runs mission-critical applications, the effects can spread quickly. At one American energy company, operations stopped after a virus hit a server, cutting many users’ access to data and causing expensive downtime.
Now imagine what would happen at your organization if someone disconnected your servers, and the data and applications your users rely on were unavailable. That’s essentially what happens with malware. The lost productivity and the scramble to restore from backups waste valuable resources. Server-level scanning helps you avoid these outcomes.
But doesn’t PC-based anti-malware software protect the servers?
Protecting workstations is an important part of your malware defense, but there are many ways in which relying solely on PC software leaves your systems vulnerable. Here are some situations where PC-based malware scanning won’t protect servers:
1. Outdated software and software that’s not running
Every time a new virus or piece of malware appears, the anti-malware vendor needs a copy of the program in order to write a definition (signature) for it. Those definitions are what enable malware scan engines to detect the malicious programs. Malware that has not yet been defined can make its way onto the system undetected.
Once the virus or malware is in your system, the damage begins.
“Some viruses morph to stay ahead of the anti-virus program. A virus that has changed during the time it’s been on a system won’t be detected with the original virus definition,” explains Sandi Moore, Senior Technical Consultant, HelpSystems. Moore has spent more than a decade helping businesses in a variety of industries protect their IT assets from malware.
Without the latest updates, your anti-malware software won’t know what new threats exist and it won’t be able to protect your system.
And if a PC user stops the software from running, you have no protection. This might sound far-fetched, but users are a variable you can’t control. Some might accidentally shut off malware and virus scanning. Or someone from your Help Desk may intentionally shut it off while troubleshooting a problem and forget to re-enable it.
No matter what the reason is, the result is the same: no malware protection for that machine. Without server-level protection, your organization is in danger.
2. VPN connections
Employees working remotely often use a VPN to connect their personal devices to your network. Depending on the VPN software you use, you may have no control over whether these computers are running anti-virus or anti-malware software, or, if they are, whether the software is up to date.
If the devices your employees use have no malware protection, outdated protection, or the software isn’t running, a virus could find its way onto your network.
3. Workstations aren’t the only source of viruses and malware
Malware often gets onto a server when someone uploads an infected document to a directory. But that’s not the only way it happens.
“Here’s one example. I know of a company that uses EDI [electronic data interchange] for e-commerce. They take in orders by receiving a file into a directory via FTP. But because the FTP server sending the files has no anti-virus software running, they could be receiving an infected file,” explains Carol Woodbury, VP of Global Security Services, HelpSystems.
“In this case, I strongly recommended they use some form of virus scanning software because there was no way an infected file would be caught prior to being written to the directory.”
If you’re using FTP to transfer files in from a trading partner, your system is at risk if the originating server lacks malware protection. This is true even if your workstations have a robust scanning mechanism in place.
4. Using PC software to scan a server requires a dangerously high level of access
Here’s the situation: you’re using a laptop with anti-malware protection and you want to use it to scan a server. You map your drive to the server and you have a list of all the folders you want to scan from the PC. The problem is that the scanning software still lives on the PC—not the server. But because the data resides on the server, it must be transferred to the PC to be scanned. This method produces numerous security exposures and puts data at risk.
This process causes significant network traffic—especially if the directory contains thousands of files, as is the case in many organizations.
Data is being sent over the network in the clear, giving someone the opportunity to “sniff” or read the data as it’s being passed between the server and the PC.
Running scans from a PC against a server often results in false positives, because the PC-based software doesn’t understand the nuances of files created on server-based operating systems.
To enable the scan, a share must be defined for the directory on the server—most often a share to the root directory to enable the entire server to be scanned. This share itself opens a vulnerability. Others can map a drive using this share, opening further opportunities for malware to infect the server.
Finally, to be able to scan all files and to be able to quarantine and/or fix issues, the user mapping the drive to the server must be a powerful user—one that has authority to every directory to be traversed and every file to be scanned.
If the powerful user perpetually leaves their PC mapped to the server, and access to the user’s PC is not secured, this connection can be used to gain access to data as well as download, destroy, or replace files and executables, not to mention be a means by which malware can infect the server.
“When you’re doing PC scanning, you need access to everything on the server in order to scan everything. Having such a high level of access from a laptop that’s not being monitored closely, or that doesn’t have up-to-date virus definitions, or that could be hacked into—well, the hackers and the viruses would have full access to your system, too,” says Moore.
“One of the worst cases I’ve ever seen was at a company using an IBM i server where someone with all object special authority (*ALLOBJ) mapped a drive to their server on Friday afternoon. On IBM i, *ALLOBJ grants the authority to manipulate nearly any object on the system. This person didn’t realize what they’d done, and left the PC up and running all weekend.
“At some point before leaving, they opened an email with ransomware files. The malware went through the entire server—the IFS on their IBM i—and it encrypted over 500,000 files. Because of this, their regular end-of-day activities were halted. That’s how the attack was finally discovered the following week. The malware affected the entire system and it took nearly a month to restore everything from backups.”
What is native scanning and how does it protect servers from malware?
Scanning your servers with PC software is a security concern on every platform. Native malware scanning eliminates these risks by using software that’s built specifically for the operating system you’re looking to protect.
Scanning a server from a workstation creates a security risk because of the vulnerabilities associated with mapping a drive from the PC to the server. Native scanning eliminates the need for a mapped drive, and it carries other advantages.
Security: Native scanning doesn’t require a PC or a mapped drive connected to the root folder with unlimited authority, and no data is transferred over the network unencrypted.
Reliability: Native scanning utilizes any virus scanning support built into the OS, such as IBM i’s anti-virus exit points and system values. The process is fully automated and files can be scanned easily, with all detected threats removed promptly.
Stability: Lost connections, pop-up warning messages, and lost power can all cause a PC-based scan to stop. Native solutions eliminate this issue.
Performance: Native scanning is faster than PC scanning because the native program knows what scan attributes to use for all files on the system. Native programs don’t increase your network load, don’t reset a file’s “last access time,” and allow for more frequent scanning.
“It doesn’t matter what platform you’re scanning. You need to be using software that’s built for that operating system. That’s what native scanning is,” says Moore.
According to the conventional wisdom, malware scanning isn’t necessary for AIX and Linux because there aren’t many malicious programs that affect those operating systems. But this isn’t true and IT professionals are beginning to realize it.
“If your AIX and Linux servers are vulnerable, then the websites and services that these systems provide are also vulnerable. People who utilize these services can become infected from—or transfer their prior infection into—your data center. Attackers are exploiting any vulnerability they can to compromise and commandeer data center resources,” says Erdman.
For years, many IT professionals weren’t scanning IBM i servers at all because they believed the myth that IBM i is immune to viruses.
It’s true that the OS cannot be infected by a PC virus, but IBM i’s IFS can facilitate the spread of malware.
If the IFS on the operating system is used as a file server for PC files, the files stored on the IFS may carry viruses. An infected file that is moved or saved from a PC to the IFS and then redistributed to another PC can transmit a virus to the new PC.
Moore explains, “With malware, IBM i is comparable to Typhoid Mary. Your IBM i server might not be affected by the malicious program, but it can act as a host and delivery mechanism, spreading the malware to the rest of your network.”
It’s understandable to believe your system is safe if you’re not using the IFS. Robin Tatam has heard this before.
“The IBM i operating system itself uses the IFS, which means anyone running IBM i is using the IFS,” Tatam says.
The malware threat to these servers is real and the damage can be devastating, especially considering IBM i, AIX, and Linux are often used in industries that value reliability, such as finance, retail, and healthcare.
Recently, the healthcare industry has become a common target for ransomware. Giving healthcare providers timely access to patient data is essential to delivering quality care. The attackers know this and believe hospitals are more likely to pay the ransom to restore access to data.
“I worked with a healthcare organization after it was hit by two different malware attacks in one week,” says Carol Woodbury.
“The first one targeted and renamed directories; the second was ransomware. In the process of resolving the first attack, the company stopped sharing root. Fortunately, this reduced the data that was encrypted to just the PC of the user who opened the infected attachment.”
There are three things every IBM i systems administrator should do to prevent malware from spreading throughout the system:
- Do not share root. Sharing root shares not just the IFS but also /QSYS.LIB (all the libraries on the system). If root must be shared, reduce it to a read-only share.
- Reduce the *PUBLIC authority of the root directory. Change the default of DTAAUT(*RWX) OBJAUT(*ALL) to DTAAUT(*RX) OBJAUT(*NONE). This is the equivalent of changing *PUBLIC(*ALL) to *PUBLIC(*USE).
- Run native anti-virus software on all servers and keep it up to date.
No matter what server you’re using, regularly identify vulnerabilities and ensure the server is securely configured.
“By turning off services and network ports your applications don’t need, you minimize your attack surface and give threat actors fewer places to reach you. This reduces your vulnerability even before you run a virus scan,” says Erdman.
Best Practices for Malware Protection on AIX, Linux, and IBM i
There’s still a perception that viruses don’t exist in the IBM i, AIX, and Linux environments. While they may not be the most common targets, threat actors are increasingly shifting their focus to secondary targets like these servers in the expectation that they will be less protected. And many organizations have experienced the reality: malware can have a devastating effect on IBM i, AIX, and Linux servers.
If you’re responsible for protecting these environments, scanning for malware needs to be part of your cybersecurity plan—especially if you’re covered by a compliance mandate that requires it, such as PCI DSS or HIPAA.
Here’s how you can best protect your mission-critical servers:
- Make sure you’re using anti-malware software that runs natively on the OS
- Update virus definitions daily
- Schedule weekly full-system scans
- Schedule daily scans over directories with sensitive data
- Scheduling can be done via crontab (for AIX and Linux) or third-party software
- Review logs for scan results
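A cron-driven wrapper that implements the AIX/Linux side of this checklist (weekly full scan, daily scan of sensitive directories, dated logs for review), added here as an example and not code from the HelpSystems guide. It assumes a clamscan-compatible scanner CLI (the guide names none), and the log directory and sensitive-directory paths are placeholders; the EDI inbound directory echoes the FTP example earlier in the guide.

```shell
#!/bin/sh
# Added example, not from the HelpSystems guide: cron-driven malware scan wrapper
# for AIX/Linux. ASSUMPTIONS: the scanner is clamscan-compatible (one line
# "<path>: <signature> FOUND" per detection, non-zero exit on detections);
# LOGDIR and SENSITIVE_DIRS are placeholder paths.
SCANNER="${SCANNER:-clamscan}"
LOGDIR="${LOGDIR:-/var/log/malware-scan}"
SENSITIVE_DIRS="${SENSITIVE_DIRS:-/srv/edi/inbound /home}"

# Scan the given paths into a dated log file and print the log path.
# Usage: run_scan <label> <path>...
run_scan() {
  label="$1"; shift
  mkdir -p "$LOGDIR"
  log="$LOGDIR/$label-$(date +%Y%m%d-%H%M%S).log"
  # -r: recurse into directories; -i: report only infected files.
  "$SCANNER" -r -i "$@" >"$log" 2>&1
  echo "scanner_exit=$?" >>"$log"   # keep the exit status with the log
  echo "$log"
}

# Log review step: count detections ("... FOUND" lines) in one scan log.
count_findings() {
  grep -c ' FOUND$' "$1" 2>/dev/null || true
}

# Return 0 when the log shows no detections AND the scanner exited 0
# (a non-zero exit with no FOUND lines means the scan itself failed).
scan_is_clean() {
  [ "$(count_findings "$1")" -eq 0 ] && grep -q '^scanner_exit=0$' "$1"
}

# Print the crontab entries for the guide's schedule. Install with:
#   cron_schedule /usr/local/sbin/scan-wrapper.sh | crontab -
cron_schedule() {
  wrapper="$1"
  cat <<EOF
# weekly full-system scan, Sunday 02:00
0 2 * * 0 $wrapper weekly /
# daily scan of directories holding sensitive data, 01:00
0 1 * * * $wrapper daily $SENSITIVE_DIRS
EOF
}

# Entry point used by cron: scan-wrapper.sh <weekly|daily> <path>...
case "${1:-}" in
  weekly|daily) run_scan "$@" ;;
esac
```

Pair it with a log-review job that runs `scan_is_clean` over the newest log and alerts when it returns non-zero, so a failed or non-clean scan is noticed rather than silently logged.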
If you’re not already scanning your IBM i, AIX, and Linux servers, now is the time to start. Remember the company with 248,095 files infected by CryptoWall? They had no idea malware was on their system until they scanned for it.
Had the infection gone unchecked, there’s a good chance this company could have ended up like the others that experienced downtime and interrupted operations.
Recovering from a malware attack is expensive and difficult, but protecting your system is very simple. To see for yourself, start with a free virus scan from HelpSystems. We’ll guide you through the process, and any viruses on your server will be detected and removed.