54 Are mainframe computers susceptible to computer viruses?





This article is from the Computer Viruses FAQ, by Nick FitzGerald n.fitzgerald@csc.canterbury.ac.nz with numerous contributions by others.

Yes. Numerous experiments have shown that computer viruses spread very
quickly and effectively on mainframe systems. To our knowledge,
however, no non-research computer virus has been seen on mainframe
systems. (Despite often being described as such, the widely reported
Internet Worm of November 1988 was not a computer virus by most
definitions, although it had some virus-like characteristics.)

Many people think that computer viruses are impossible on mainframe
computers, because their operating systems provide means of protection
(e.g., memory protection, access control, etc.) that cannot be bypassed
by a program, unlike the operating systems of most personal computers.
Unfortunately, this belief is false. As demonstrated by Fred Cohen in
1984, access controls are unable to prevent computer viruses--they can
only slow down the speed with which viruses spread. If there is a
transitive path of information flow from one account to another on a
mainframe computer, then a virus can spread from one account to the
other, without having to bypass any protections.

Consider the following example. The attacker (A) has an account on a
machine and wants to attack it with a virus. In order to do this, A
writes a virus and releases it. Due to the protection provided by the
operating system, the virus can only infect the files writable by A. On
a typical system, those would be only the files owned by A.

However, A is not alone on the system. A works with B on some joint
projects. At some time, B might want to check how far A has progressed
in her/his part of the project. This might involve running one of the
programs that A has written--programs that are now all infected with A's
virus.

On a system with protection based on discretionary access controls (e.g.,
Unix, VMS, and most other popular OSes), the program that is being
executed usually runs with the privileges of the user who is executing
it--not with those of the program's owner. (In the few instances where
this is not the case, it presents a different kind of security threat,
unrelated to viruses.) That is, when B runs A's infected program, the
virus in it will run with B's privileges and will be able to infect all
programs writable by B.

At some later time, A and B's boss, C, might want to check whether they
have completed that joint project. Even if the boss has reasons to
suspect A (e.g., as a disgruntled employee), s/he is likely to trust B
and execute one of her/his programs. This results in the virus running
with C's privileges (which are likely to be significantly greater than
those of A and B) and infecting all programs writable by C. Quite
possibly, these programs will include many owned by other employees,
thus creating many more distribution chains that nobody suspects.

The virus may interfere somehow with C's normal work, which causes C
(who is probably not very knowledgeable about such things as computer
security and viruses) to ask the system administrator, D, for help. If
D executes one of C's infected programs (and s/he is much more likely to
trust a respectable person like C--who is quite probably D's boss as
well--than any of C's employees), this will cause the virus that A wrote
a long time ago to run with system administrator privileges and do
whatever it wants with the system--infect other users' files, attack
other systems, etc.
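
The flow argument above can be checked mechanically when auditing a
multi-user system. The Python model below is an added example, not part
of the original FAQ: the RUNS and WRITABLE tables, the extra accounts E
and F, and the functions exposure and cut are constructed for
illustration. It computes which accounts' files are reachable from one
account through ordinary executions, and shows that removing one link
in the path bounds the spread.

```python
from collections import deque

# Constructed sample data following the FAQ's A/B/C/D scenario.
# RUNS[u] = owners whose programs user u executes at some point.
RUNS = {
    "A": set(),
    "B": {"A"},   # B checks A's progress on the joint project
    "C": {"B"},   # the boss trusts B, not A
    "D": {"C"},   # the administrator helps C
    "E": set(),
    "F": {"E"},
}
# WRITABLE[u] = owners whose files user u may modify under DAC.
WRITABLE = {
    "A": {"A"},
    "B": {"B"},
    "C": {"C", "E"},                      # C can write some employees' programs
    "D": {"A", "B", "C", "D", "E", "F"},  # system administrator
    "E": {"E"},
    "F": {"F"},
}

def exposure(source, runs, writable):
    """Map each reachable file owner to the number of executions that
    separate it from `source` (breadth-first, so the count is minimal)."""
    reached = {source: 0}
    queue = deque([source])
    while queue:
        owner = queue.popleft()
        for user, executed in runs.items():
            if owner not in executed:
                continue
            # The program runs with the executing user's privileges,
            # so everything that user can write becomes reachable.
            for target in writable[user]:
                if target not in reached:
                    reached[target] = reached[owner] + 1
                    queue.append(target)
    return reached

def cut(runs, user, owner):
    """Copy of `runs` in which `user` never executes `owner`'s programs."""
    return {u: (s - {owner} if u == user else set(s)) for u, s in runs.items()}
```

With the sample tables, every account is reachable from A within three
executions; once C no longer runs B's programs, only A and B remain.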

A trivial improvement of the above scenario (in terms of speeding up the
virus' spread) would be for the attacker to place the virus in some kind
of Trojan Horse--for example, in an attractive game or utility--placed
in a publicly accessible area.

Why, then, are there so many fewer viruses for mainframe computers than
for personal ones? The answer to this question is complex. First,
writing a well-made mainframe virus--one that does not cause problems
and is likely to remain unnoticed--is not a trivial task. It requires a
lot of knowledge about the operating system. This knowledge is not
commonly available and the typical youngster who is likely to hack a
quick-and-dirty PC virus is unlikely to possess it or be in a position
to learn it. People who possess this knowledge are likely to use it in
more constructive, satisfying, and profitable ways. Second, the culture
of software exchange in the mainframe world differs considerably from
that of the PC world--we don't see many VMS users running around with a
bootable tape of the latest game... Third, very often it is easier to
attack a mainframe computer by using some security hole or a Trojan
Horse, instead of by using a virus.

So, computer viruses for mainframe computers are definitely possible and
several already exist (see question F1). Also, some IBM PC viruses can
infect any IBM PC compatible machine, even if it runs a "real" OS like
Unix. For more information, refer to questions D6 and E7.

Forms of malware other than computer viruses--notably Trojan Horses--are
far quicker, more effective, and harder to detect than computer viruses.
Nevertheless, on personal computers many more viruses are written than
Trojan Horses. There are two reasons for this:

1. Since a virus is self-propagating, the number of users to
which it can spread (and cause damage) can be much greater
than in the case of a Trojan;

2. It's almost impossible to trace the source of a virus since
(generally) viruses are not attached to any particular
program.

For further information on malicious programs on multi-user systems, see
Matt Bishop's paper, "An Overview of Malicious Logic in a Research
Environment", available by anonymous FTP on Dartmouth.edu (IP =
129.170.16.4) as pub/security/mallogic.ps.

 
