March 22, 2021 | IBM i

Controlling Malware, Viruses, & Ransomware on IBM i

image

Malware is a blended word for “malicious software”: computer code that infects and damages operating systems, programs, and data. It is a general term covering many different threats, including viruses, ransomware, worms, trojans, rootkits, and spyware.

Malware rarely attacks the IBM i operating system directly, because it is usually transmitted inside infected stream files built for Windows, and IBM i cannot natively run Windows programs. Windows trojans, worms, rootkits, and spyware therefore do not execute on the IBM i itself. That is not the same as saying no code in a stream file can run on IBM i: PASE and QShell will execute AIX-format binaries, Java, and shell scripts stored in the IFS, so executable stream files should be treated as untrusted rather than harmless. And it certainly doesn’t mean IBM i systems are safe from malware.

Malware and IBM i

The biggest malware threats to IBM i are viruses and ransomware-encrypted files residing in its Integrated File System (IFS).

The IFS is a stream file repository, and it can host malware. Stream files are stored in the IFS, where they are available to network users through file shares. Windows users map network drives to IFS folders, and through those drives infected files can be uploaded to the IFS and existing IFS stream files can be modified. Users who map drives to an infected IFS folder can also download infected files from it, spreading viruses across the network.

The i operating system also uses IFS stream files as inputs to other IBM i programs. Popular IBM i workloads such as Web servers, fax servers, email servers, Java processing, firewalls, and third-party utilities all read IFS stream files. When the stream files those packages depend on get infected, their processing can be disrupted.

 

Here’s how viruses and ransomware work on IBM i, and why you need to protect your i systems from both threats.

Stopping viruses stored on the IBM i

Viruses can be uploaded to IBM i IFS folders when Windows users map network drives to IFS folders. They can also arrive when an IBM i system exchanges files with other servers, using FTP, IBM i Access data transfer, or the QNTC file system (through which IBM i reads and writes Windows shares). Since IBM i does not run Windows executables, virus damage is limited to infected IFS files that can be passed on to other devices or that disrupt processing which reads those stream files.

You can try to manually identify, isolate, and restore infected IFS files, or you can use an IBM i anti-virus program such as iSecurity Anti-Virus. You could also map an IFS folder to a Windows drive letter and scan it with PC or server anti-virus software, but an IBM i anti-virus program is the better choice: it scans every IFS directory, not only those exposed through a network share, and it does not require a PC holding a profile that can read the entire IFS.

 

Anti-virus software provides on-access, real-time protection, scanning IFS files as they are opened, written, or updated. On IBM i this real-time scanning hooks the operating system’s integrated file system scan exit points (QIBM_QP0L_SCAN_OPEN and QIBM_QP0L_SCAN_CLOSE), which are controlled by the QSCANFS and QSCANFSCTL system values; check that QSCANFS is set to *ROOTOPNUD (scan the root, QOpenSys, and user-defined file systems) rather than *NONE, or on-access scanning silently does nothing. The software can also scan existing IFS folders on demand. It uses anti-virus signature files downloaded from the Internet to determine what to look for. Signature files are updated constantly to catch the newest viruses, so make sure your package downloads the latest signatures automatically, at least daily.

Infected files can be automatically marked, deleted, or moved to a quarantine area. Marking leaves a potentially infected file in place but identifies it, which is useful when a detection might be a false positive. Deleting removes the file from the system entirely. Quarantining moves the file to a protected location that only the anti-virus software can access; quarantined files can be deleted or restored later as needed. IBM i anti-virus software doesn’t disinfect files the way Windows-based anti-virus may attempt. Instead it marks, isolates, or deletes the infected file, and an IBM i administrator restores an earlier version to the IFS from a clean backup when one is needed. Check that the backup itself is clean before restoring, or you will simply put the infected file back.

IBM i anti-virus programs also include i-specific features not available in PC-based anti-virus programs, such as built-in alerting on the IBM i itself, with alerts sent by email, text message, to the QSYSOPR message queue, or to syslog. Some packages can also offload scanning to a separate server using the Internet Content Adaptation Protocol (ICAP), which reduces the scanning workload on your IBM i.
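As an added illustration (not code from this page or from any product named in it), the following Python script implements the on-demand scan and the three response actions described above: it walks a directory tree, matches each file against a list of byte signatures, and then marks, quarantines, or deletes the hits, keeping each quarantined file’s relative path so it can be restored if the detection was a false positive. Python runs on IBM i in PASE, so it could be pointed at an IFS path such as /home; the signatures (constructed marker strings, not real virus signatures), the demo directory layout, and the quarantine location are all assumptions for the demo. To confirm that a real IBM i anti-virus product is actually scanning a share, drop the standard EICAR test file into it rather than live malware.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Constructed demo "signatures": byte patterns the scanner looks for.  They
# stand in for the vendor-maintained signature files a real product downloads
# and match nothing in the wild.
DEMO_SIGNATURES = {
    "Demo.Marker.A": b"DEMO-MALWARE-MARKER-A",
    "Demo.Marker.B": b"DEMO-MALWARE-MARKER-B",
}


def match_signatures(data, signatures=DEMO_SIGNATURES):
    """Return the names of every signature whose pattern occurs in `data`."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_tree(root, action="mark", quarantine_dir=None, signatures=DEMO_SIGNATURES):
    """Scan every regular file under `root` and apply `action` to infected ones.

    action: "mark"       report the file but leave it in place
            "quarantine" move it under quarantine_dir, keeping its path
                         relative to root so it can be restored later
            "delete"     remove it
    Returns a list of (relative_path, [signature names]) for each hit.
    """
    root = Path(root)
    if action not in ("mark", "quarantine", "delete"):
        raise ValueError("unknown action: %s" % action)
    quarantine_dir = Path(quarantine_dir) if quarantine_dir is not None else None
    if action == "quarantine" and quarantine_dir is None:
        raise ValueError("quarantine action needs quarantine_dir")
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Never descend into the quarantine area if it lives under root.
        dirnames[:] = [d for d in dirnames if Path(dirpath, d) != quarantine_dir]
        for name in filenames:
            path = Path(dirpath, name)
            if not path.is_file():          # skip symlinks, sockets, etc.
                continue
            with open(path, "rb") as f:
                # Demo reads whole files; chunk large files in practice.
                found = match_signatures(f.read(), signatures)
            if not found:
                continue
            rel = path.relative_to(root)
            if action == "quarantine":
                dest = quarantine_dir / rel
                dest.parent.mkdir(parents=True, exist_ok=True)
                shutil.move(str(path), str(dest))
            elif action == "delete":
                path.unlink()
            hits.append((str(rel), found))
    return hits


def restore_from_quarantine(quarantine_dir, root, rel):
    """Move a quarantined file back to its original place (false positive)."""
    src = Path(quarantine_dir) / rel
    dest = Path(root) / rel
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dest))
    return dest


def build_demo_tree():
    """Constructed IFS-like tree: two clean files and two 'infected' ones."""
    root = Path(tempfile.mkdtemp(prefix="ifs_demo_"))
    (root / "dept" / "reports").mkdir(parents=True)
    (root / "dept" / "report.txt").write_bytes(b"Quarterly figures, nothing unusual.\n")
    (root / "dept" / "reports" / "notes.txt").write_bytes(b"Clean meeting notes.\n")
    (root / "dept" / "reports" / "tool.exe").write_bytes(
        b"MZ..." + b"DEMO-MALWARE-MARKER-A" + b"...")
    (root / "dept" / "invoice.pdf").write_bytes(
        b"%PDF-1.4 DEMO-MALWARE-MARKER-B DEMO-MALWARE-MARKER-A")
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    quarantine = root / ".quarantine"
    for rel, names in scan_tree(root, action="quarantine", quarantine_dir=quarantine):
        print("quarantined %s -> %s" % (rel, ", ".join(names)))
    shutil.rmtree(root)
```

The quarantine directory is pruned from the walk so a second scan does not re-detect files already isolated; in a real deployment it would also be a directory that ordinary profiles and NetServer shares cannot reach.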

 

Several industry regulations require it. The Payment Card Industry Data Security Standard (PCI DSS), for example, requires anti-malware software on all systems commonly affected by malicious software, and an IBM i that serves IFS files to Windows clients is hard to argue out of that scope.

Some people try to manage IFS viruses without an anti-virus package, but that is ill-advised. An anti-virus package is like a bouncer at the door: it scans and stops viruses before they come in and deals with any that sneak past.

Stopping and responding to IBM i ransomware attacks

When a computer infected with ransomware connects to the IBM i IFS through a mapped drive, the ransomware encrypts the files in the IFS folders it can reach and typically renames them, changing their names and extensions, so no application can use them. The ransomware itself isn’t running on the IBM i: it runs on the infected computer and reaches the IFS over the share with that user’s authority, so every IFS file that user can write is at risk once the infected computer finds the share.

After encryption, the attackers announce themselves, usually by dropping ransom-note files into the affected folders, with instructions to pay a ransom in bitcoin for the key needed to decrypt and rename your IFS files. Ransomware often deletes itself after running, but copies of it may remain stored on your IFS, and it may still be active on the infected computer.

 

Companies generally have three choices when encountering ransomware. First, they can pay the ransom to the ransomware’s authors. If you pay per the attacker’s instructions, you may get a decryption key that allows you to decrypt and rename your files. However, according to the 2019 CyberEdge Group Cyberthreat Defense Report, 45% of ransomware victims paid their attackers that year, but only three out of five firms that paid successfully recovered their data. There is no guarantee that paying will restore your IFS data.

The second option is to restore any IFS folder that contains encrypted files rather than pay the ransom. If you restore, you must be careful to restore from a clean copy that does not contain infected files; you may need several archived versions of your IFS data to find one. Those backups must also be stored where the infected computer’s credentials cannot reach them (offline, on removable media, or on storage the share users cannot write to), because ransomware that can reach a backup on a writable share will encrypt it too.

The third option is to stop the attack before it does damage, by installing IBM i anti-virus software that provides ransomware protection, such as iSecurity Anti-Virus, or an IBM i anti-ransomware program, such as iSecurity Anti-Ransomware. These packages monitor for and flag ransomware attacks as they are happening. You should also install anti-malware software with ransomware protection on every device that attaches to your IFS.

A ransomware attack on your IFS can be recovered from only if the attacker provides a working key, if you have a reliable backup of the affected IFS folders taken before the infection, or if anti-ransomware software stopped the attack before it spread. Since ransomware makes your IFS files unusable, have a ransomware response plan in place before you need it.
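The “monitor for and flag ransomware attacks as they are happening” behaviour above rests on recognising what an attack leaves behind. As an added example (not code from this page or from any product named in it), the Python snapshot check below combines three indicators a practitioner can verify on an IFS share from PASE: files carrying extensions no business application produces, file contents whose byte entropy is close to that of ciphertext, and small ransom-note files dropped into the folder. Any single indicator misfires (zip archives and JPEGs are legitimately high-entropy; one odd extension is not an attack), so the verdict requires either a large share of suspect extensions or high entropy together with a ransom note. The extension and note-name lists, the thresholds, and the demo share with its seeded pseudo-random “ciphertext” are all constructed for this illustration; a real-time product would hook the scan-on-close exit point or watch rename rates rather than take periodic snapshots.

```python
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

# Constructed watch lists for the demo.  Real anti-ransomware tools maintain
# far longer lists and also watch write and rename rates in real time.
SUSPECT_EXTENSIONS = {".locked", ".crypt", ".enc", ".encrypted"}
NOTE_NAME_HINTS = ("readme", "decrypt", "restore", "how_to", "recover")


def shannon_entropy(data):
    """Bits of entropy per byte: roughly 4-5 for text, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_directory(root, entropy_threshold=7.0, sample_bytes=4096):
    """Snapshot `root` and count ransomware indicators; return counts and a verdict."""
    root = Path(root)
    total = suspect_ext = high_entropy = 0
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            if not path.is_file():
                continue
            total += 1
            if path.suffix.lower() in SUSPECT_EXTENSIONS:
                suspect_ext += 1
            lower = name.lower()
            # Ransom notes are small text files with tell-tale names.
            if any(h in lower for h in NOTE_NAME_HINTS) and path.stat().st_size < 16384:
                notes.append(str(path.relative_to(root)))
            with open(path, "rb") as f:
                head = f.read(sample_bytes)   # the first few KiB is enough to classify
            if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
                high_entropy += 1
    ext_ratio = suspect_ext / total if total else 0.0
    entropy_ratio = high_entropy / total if total else 0.0
    # Demo decision rule (an assumption): mass extension change alone is
    # damning; high entropy only counts when a ransom note confirms it.
    flagged = ext_ratio >= 0.2 or (entropy_ratio >= 0.5 and bool(notes))
    return {
        "files": total,
        "suspect_extension_ratio": round(ext_ratio, 3),
        "high_entropy_ratio": round(entropy_ratio, 3),
        "ransom_notes": notes,
        "flagged": flagged,
    }


def build_demo_share(infected):
    """Constructed share of 10 invoices; if infected, 8 are 'encrypted' and a note is dropped."""
    root = Path(tempfile.mkdtemp(prefix="ifs_share_"))
    rng = random.Random(7)   # seeded so the demo is reproducible
    for i in range(10):
        text = ("Invoice %d: 12 units widget, net 30 days.\n" % i) * 40
        (root / ("invoice_%02d.txt" % i)).write_text(text)
    if infected:
        for i in range(8):
            (root / ("invoice_%02d.txt" % i)).unlink()
            junk = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for ciphertext
            (root / ("invoice_%02d.txt.locked" % i)).write_bytes(junk)
        (root / "README_DECRYPT_FILES.txt").write_text(
            "Your files are encrypted. Contact us to buy the key.\n")
    return root


if __name__ == "__main__":
    for infected in (False, True):
        share = build_demo_share(infected)
        print("infected=%s -> %s" % (infected, assess_directory(share)))
```

Run against a real IFS path the numbers are only as good as the sample: a share that legitimately holds archives or images will push the entropy ratio up, which is exactly why the rule above refuses to flag on entropy alone.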

Preventing viruses and ransomware on your IBM i

Here are some tips for avoiding and minimizing IBM i virus infections and ransomware attacks.

  1. Keep PCs or laptops that attach to your IFS up to date and install anti-virus and anti-malware software—IBM i IFS infections occur because a connecting device has a virus or ransomware. Make sure these companion devices have the right software installed and that their software is up to date.
  2. Install anti-virus and anti-ransomware software on your IBM i—Don’t neglect your IBM i and its IFS. As with PC anti-malware software, keep these packages up to date, and make sure your anti-virus and anti-malware signatures are updated daily.
  3. Don’t give your users administrative rights on their devices—Administrative rights allow users to install software and modify their devices. Have your users sign on as regular users without admin privileges so they cannot install unsafe software.
  4. Don’t install unknown software on your user devices—All software should come from approved sources. One of the primary ways viruses and ransomware get in is by installing compromised programs on a device. Make sure all software installation and modifications are approved by your IT department.
  5. Restrict your IFS shared folder permissions—Limit the damage an infected device can do by limiting who can create and modify IFS files. Share specific subdirectories rather than the root (/) of the IFS, make shares read-only where users only need to read, and set *PUBLIC authority to *EXCLUDE on shared directories so access is granted only to the profiles or authorization lists that need it. Ransomware on a mapped drive can encrypt exactly what the signed-on user can write, and nothing more.
  6. Back up your IFS on a regular basis and keep archived versions—If a virus or ransomware hits your IFS, be prepared to restore copies from before the infection occurred. Don’t assume your backups are virus free, and keep them where the share users’ credentials cannot reach them.
  7. Educate your users about how viruses and ransomware spread—Make sure your users understand how their actions can spread viruses and ransomware. Teach them avoidance behaviors to protect their devices and the IFS.

For more information on controlling viruses and ransomware on your IBM i, contact us at SEA. We keep IBM i servers safe.