MyDoom Puts iSeries IFS in the Virus Spotlight
February 10, 2004 Alex Woodie
As the tidal wave of e-mails infected with the MyDoom virus continued to circulate across the Internet last week, OS/400 security software vendors emphasized the importance of checking the iSeries Integrated File System (IFS) for Windows viruses. Bytware, which launched the first native OS/400 virus scanner last year, reported that some of its customers found MyDoom on their IFS systems, while Kisco announced a new deal with Symantec to distribute Norton AntiVirus 2004 with Kisco’s OS/400 security software, for PC-based IFS scanning.
By some experts’ estimates, MyDoom became the most prolific Windows virus to date when it hit the Internet two weeks ago. The virus, which travels by e-mail attachment, installs a stealth program when activated that turns the victim’s computer into a node used by the virus writers to launch denial-of-service attacks. The first MyDoom variant spawned a DoS attack that crashed the Web site of The SCO Group, while a second variant was less successful in its attempt to bring down Microsoft’s robust Web site.
MyDoom can enter the iSeries IFS in two ways, according to Bytware, which is based in Reno, Nevada. It can get there through an e-mail that has passed through OS/400, or the worm can copy itself to the iSeries IFS from an infected client PC, without the user’s knowledge. Either way, once MyDoom, or any other virus, has entered the IFS, the only feasible way to remove it is to scan the IFS with antivirus software and delete the little bugger.
For years, mapping the IFS to a PC equipped with standard antivirus software was the only way to treat an infected IFS. While such a process can get the job done, it requires a bit of manual work to configure, and it can create security holes of its own if not done correctly. (Check IBM’s Web site for tips on proper PC-based IFS scanning techniques.)
PC-based IFS antivirus scanning can also be extremely slow when there are many files in the IFS that need scanning, because it must move the files over the local area network. Also, PC-based scanning will not always clean all viruses from the IFS, Bytware says. For these and other reasons, a native OS/400 antivirus scanner provides a more elegant and secure solution, which is why it was on the iSeries’ Large User Group list of requirements for years.
Last June the LUG’s wishes were answered when Bytware launched StandGuard Anti-Virus, which provides a native OS/400 implementation of Network Associates’ McAfee antivirus software (see “Bytware Launches OS/400 Antivirus Software to Treat IFS Infections” for more product information). Bytware officials report that the product, which costs between $750 and $10,000 (depending on the processor size) per OS/400 logical partition to license, has been well-received in the marketplace.
One company that uses Bytware’s StandGuardAV, Saint-Gobain Containers, in Muncie, Indiana, installed the software to cut IFS scan times, as well as to provide a second layer of antivirus protection. Saint-Gobain has two iSeries servers that used quite a bit of IFS space for WebSphere, Domino, and Netserver workloads, says Mike Crump, an employee in the company’s IT department. “Using our existing product [from antivirus software provider Sophos] with mapped drives worked fine, but we were getting huge run times,” he says. “In one case I cut my run time from six hours to one hour” with StandGuardAV.
Like most shops that follow good security practices, Saint-Gobain also runs antivirus software on its front-end PCs, which provides real-time virus scanning of infected e-mails as they hit the company’s network. As a result, Crump has not discovered MyDoom, or any other virus, on his company’s OS/400 servers. “I do like the product,” Crump says of StandGuardAV. “The product is easy to install and implement. Processing product updates and definition updates is very nice. . . . It is a bit pricey, in some perspectives, but in our case it was worthwhile.”
Another OS/400 shop found MyDoom on its iSeries IFS. The company’s IT administrator, who asked to remain anonymous, said MyDoom made its way into the IFS when infected e-mails sent to generic e-mail addresses, such as firstname.lastname@example.org, actually corresponded with valid e-mail addresses at the company, even though those employees didn’t use OS/400’s e-mail facilities. (OS/400 gave them SMTP e-mail addresses by default.)
The administrator had downloaded a trial version of Bytware’s StandGuardAV just as the MyDoom virus storm hit in late January. The administrator noted that StandGuardAV’s e-mail scanning capabilities picked up most of the viruses that bypassed their PC-based Norton AntiVirus defense and made it to the OS/400 SMTP server. However, a patch for the software the administrator installed caused StandGuardAV’s e-mail scanning capability to stop working, which is when StandGuardAV’s IFS scanning kicked in and found MyDoom. The administrator says that overall he was very pleased with the way StandGuardAV worked, and is considering licensing the software, provided the patch is fixed. Bytware is working with IBM to fix the problem.
For those customers who can’t justify the native OS/400 antivirus solution, mapping a PC to the iSeries IFS remains their only option for detecting viruses and worms on the IFS. OS/400 shops have been doing this for years, but recent publicity of the IFS’s penchant for serving as an unwitting Typhoid Mary-esque virus repository has stepped up vendors’ attention to the problem.
Kisco Information Systems last week announced its antivirus solution for the IFS: an agreement with Symantec to distribute copies of Norton AntiVirus 2004 that are good for 90 days with the Advanced and Enterprise editions of its SafeNet/400 OS/400 network security and exit point software. Along with the copy of the Norton software, Kisco is providing a set of suggestions and procedures on how best to use Norton AntiVirus for periodic scanning of the iSeries IFS from a PC.
Rich Loeber, president of the Saranac Lake, New York, software company, says his company’s approach to IFS scanning provides a “compromise” between a native OS/400 scanning solution and doing nothing. “There are areas of the IFS that probably need to be scanned only infrequently, and others more frequently,” he says. “If customers aggressively use any antivirus software at the various entry points where viruses originate, that is always going to be their best protection. Using the Norton AntiVirus will let them periodically check the vulnerable areas of the IFS just in case viruses get past the initial point of checking.”
In December, Kisco launched new editions of its SafeNet/400 software that featured a new GUI management console (see the recent Kisco story). SafeNet/400 Advanced includes the GUI and can manage a single OS/400 server, starting at $2,495 per server. SafeNet/400 Enterprise is similar to the Advanced edition and adds the capability to manage multiple OS/400 servers; it starts at $4,495. Go to www.kisco.com for more information.