IBM Christmas card attach: CS571

1. IBM Christmas Card
Gauri Pulekar
CS 528
Spring 2015

2. Season Of Joy And Gifts

3. History
of the
Christmas Card
Malware

4. Christmas 1999
 WM97/Melissa-AG virus infected Microsoft word
documents, spreading via email
 Subject line: “Message from <username>”
 Message: “This document is very Important and you've
GOT to read this !!!”.
 Payload trigger on December 25th

5. • Attempt to format the C: drive on the next reboot.
• Insert randomly colored blocks in the current Word document

6. Christmas 2000
 W32/Navidad virus spread via email, masquerading as an electronic
Christmas card.
 Mysterious blue eye icons in the Windows system tray
 Mouse over the eyes

7. Christmas 2000
 W32/Music email-aware worm
 Message: "Hi, just testing email using Merry Christmas music
file, you'll like it.”
 Worm attached as a file called music.com, music.exe or
music.zip.

8.  Plays the first few bars of the song
 "We wish you a Merry Christmas”
 Displays a cartoon of Santa Claus with the caption
 "Music is playing, turn on your speaker if you have one"
 or "There is error in your sound system, music can't be heard."

9. Christmas 2001
 Maldal virus spread via email using a seasonal electronic
greeting card called Christmas.exe.
 Picture: Santa Claus on skis accompanied by a prancing
reindeer
 Message: "From the heart,
Happy new year!".

10. IBM
Christmas
Card
The
Beginning
Of the
Story

11. IBM Christmas Card: Facts
 When: 09th December 1987
 Name: Christmas Tree Exec
 Place of Origin: Germany
 Significance: Worms were first noticed as a potential
computer security threat
 Effect: It brought down both the world-wide IBM
network and BITNET
 Source Language: REXX

12. Behavior
 E-mail Christmas card
 Subject line "Let this exec run and enjoy yourself!”.
 Included executable code.
 Claimed to draw a Christmas tree on the display.
 The user had to execute the program by typing christma
or christmas.

13. • Displayed an ASCII Christmas tree.

14.  A comment inside the source code:
browsing this file is no fun at all just type
CHRISTMAS from cms
 Sent a copy to everyone on the user's address lists.

15. Working
 Read the files:
 NAMES: Collection of information about other users with
whom you communicate
 NETLOG: File transfer log
 Mailed itself to every email address
 Approximate number exceeded 1,000
 People trusted it, because it was coming from a regular
correspondent

16. The Name: CHRISTMA EXEC
 IBM VM systems originally required file names to be formatted
as
8 characters + space + 8 characters
 IBM required REXX script files to have a file type of "EXEC”

17. Source of the Christmas card
 A student at the University of Clausthal in West
Germany
 REXX scripting language: a shell script-like language for
IBM’s VM/CMS system
 Found by December 21
 Barred from using his/her system.
 “The damage was unintentional and that the program
was written to send Christmas greetings to my friends.”

18. Damage Done
 Worm itself wasn’t malicious
 Exponential growth patterns
 Clogged servers, communication paths, spool directories
 Unintentional denial of service attack

19. Damage Done
 EARNet:
 The European Research and Education Networking
Association (TERENA)
 BITNET:
 BITNET was an university computer network founded in
1981s at the City University of New York (CUNY) and Yale
University
 Destroyed by December 14th

20. Damage Done
 IBM's VNet electronic mail network
 International computer networking system deployed in the
mid-1970s.
 Developed inside IBM
 Provided the main email and file-transfer backbone for the
company
 December 15th
 Paralyzed on 17th December
 Brought to a standstill two days later, only getting rid of the
worm by shutting down the network.
 In 1990, Christmas Tree resurfaced after being posted to
Usenet. IBM was forced to shut down its 350,000-terminal
network

21. Countermeasures Taken
 Programmer at Cornell University had written a simple
program
 Examined the network queues every five minutes and delete any
files called Christma Exec;
 Purged about 300 copies in four and a half hours.
 Other operators did the same, writing and passing around ad-
hoc program to eliminate copies of the worm.

22. Countermeasures Taken
 Such simple tools could only sample the queues every few
seconds and purge what they found
 Worm could still sneak through to a limited degree.
 In Israel, one programmer wrote a program “anti-Christma
Christma,”
 Examined users’ netlog to determine whether they had been
victimized
 If yes, the new Christma would retrieve any copies of the
original that had not yet been read by the addressee and then
send itself onward to the same set of targets used by the
original Christma.

23. Debate: Trojan or Worm
 Trojan:
 Appear to be useful, but will do damage once installed
 Required the user to download and run the attachment to
make it replicate
 Worm:
 Virus Encyclopedia refers to it as a worm.
 Worms move from one computer to another regardless of any
human action

24. References
 Burger, Ralf (1988). Computer viruses - a high tech disease. Abacus/Data Becker
GmbH. p. 276. ISBN 1-55755-043-3.
 Capek, P.G.; Chess, D.M.; White, S.R.; Fedeli, A. (2003). "Merry Christma: An Early
Network Worm". Security & Privacy 1 (5): 26–
34. doi:10.1109/MSECP.2003.1236232.
 Martin, Will (March 4, 1988). "Re: BITNET Security". Security Digest (Mailing
list). Archived from the original on September 25, 2006. Retrieved October
30, 2008.
 Patterson, Ross (December 21, 1987). "Re: IBM Christmas Virus". RISKS
Digest (Mailing list). Retrieved October 30, 2008.
 "Viruses for the "Exotic" Platforms". VX Heaven. Archived from the original on
August 6, 2013. Retrieved October 30, 2008.
 Otto Stolz. VIRUS-L Digest, Volume 5, Issue 178, "Re: CHRISTMA: The "Card"!
(CVP)". 1992.11.12

25. Time to Discuss!
Trojan ?
? Worm

26. Thank
You