Christmas Tree EXEC
Hi guys!!
To be honest with you, I want to post Christmas-themed articles in December because, well, it’s the holiday season. But let me tell you, it’s way easier in terms of cooking, but it’s a little more complicated in terms of cybersecurity. So I essentially looked online for malware with a Christmassy name and came across this one. I researched more about it and found it rather interesting because it was quite early (before the 1990s), and this is what I discovered.
Christmas Tree EXEC was a computer worm disguised as a harmless holiday card that spread quickly over email and overloaded networks all around the world. The scenario is very familiar now, yet it happened to business and academic mainframes in 1987, when the computer virus issue was in its infancy.
A bit of technical jargon:
The internal file transfer network used by IBM in 1987, known as VNET, was created in the mid 1970s. VNET evolved quickly to connect numerous IBM facilities and computers throughout the world. By 1983, it had linked 1,000 corporate nodes, the majority of which were massive mainframe computers serving thousands of people. The VM/370 operating system was installed on the vast majority of these computers. Many IBM clients, including universities and businesses, were utilizing VM/370 by the early 1980s, and practically all IBM office workers were using a VM/370-based office system.
Bitnet was created in 1981 to connect Yale University with the City University of New York. In most ways, it was an exact replica of VNET. In 1982, a consortium of European universities, with significant funding from IBM, established a second network known as EARN. Although it was managed as an independent network, it was also akin to VNET. Bitnet and EARN were quickly linked, and IBM connected VNET to Bitnet in 1985.
The Conversational Monitor System (CMS) is an interactive system that allows users to run programs, edit files, send and receive email, and accomplish the majority of the activities we associate with computers today. CMS’s interactive environment allowed for improvement by users who were not experienced programmers. IBM’s invention of Rexx, a basic programming language, and its deployment as part of the VM/370 product in 1983 played a significant role in people creating small programs to help in their job. People with no formal technical expertise were now creating basic tools for their own use. Naturally, as networking capabilities extended and improved, these tools were shared and spread further. People in this situation frequently shared new tools with their colleagues via email and the file system, and applications that generated entertaining images on a user’s display screen were ubiquitous.
This activity peaked in the weeks leading up to Christmas each year, with a lot of time and effort put into building extravagant displays and online Christmas greetings, complete with falling snow and winking snowmen. Thus it was normal and expected that when numerous Bitnet users in various universities got a file named Christma Exec from another known user on the morning of Wednesday, 9 December 1987, their reaction was to read and execute it.
Christma sent the receiver a simple Christmas tree greeting (see image above). However, Christma, a Rexx program, also spread behind the scenes, in a way that was not immediately obvious to users, by sending a copy of itself to everyone in the victim’s contact book. After that, it deleted itself from the victim’s file system. Of course, when those targets received it, the process repeated.
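A defender-side view of that behaviour, as an added example that is not part of the original post: the script flags any user who receives a file and then relays the same file name to several distinct recipients within a short window, and lists the mailboxes that would need cleaning. The log layout, user names, window and threshold are all constructed for illustration and do not reflect a real VM/370 or RSCS log format.

```python
from collections import defaultdict

# Constructed transfer log: (minute, sender, recipient, filename).
SAMPLE_LOG = [
    (0, "alice", "bob", "CHRISTMA EXEC"),
    (1, "carol", "dave", "REPORT TXT"),
    (3, "bob", "carol", "CHRISTMA EXEC"),
    (3, "bob", "erin", "CHRISTMA EXEC"),
    (3, "bob", "frank", "CHRISTMA EXEC"),
    (9, "carol", "alice", "CHRISTMA EXEC"),
    (9, "carol", "bob", "CHRISTMA EXEC"),
    (9, "carol", "gina", "CHRISTMA EXEC"),
    (20, "dave", "erin", "REPORT TXT"),
]


def find_relay_fanout(log, window=10, min_recipients=3):
    """Return (user, filename) pairs where the user received a file and then
    sent the same file to at least `min_recipients` distinct recipients
    within `window` minutes of first receiving it."""
    received_at = {}            # (user, filename) -> minute of first receipt
    fanout = defaultdict(set)   # (user, filename) -> recipients after receipt
    for minute, sender, recipient, filename in sorted(log):
        key = (sender, filename)
        if key in received_at and minute - received_at[key] <= window:
            fanout[key].add(recipient)
        # Record only the first time each user was sent this file.
        received_at.setdefault((recipient, filename), minute)
    return sorted(k for k, rcpts in fanout.items() if len(rcpts) >= min_recipients)


def cleanup_targets(log, flagged):
    """Every mailbox that was sent a flagged file and may still hold a copy."""
    names = {filename for _, filename in flagged}
    return sorted({rcpt for _, _, rcpt, filename in log if filename in names})


if __name__ == "__main__":
    flagged = find_relay_fanout(SAMPLE_LOG)
    for user, filename in flagged:
        print(f"relay fan-out: {user} forwarded {filename!r} after receiving it")
    print("mailboxes to check:", ", ".join(cleanup_targets(SAMPLE_LOG, flagged)))
```

The first sender in the sample ("alice") is not flagged because no receipt precedes her send, so a relay rule like this catches the spread but not the point of origin.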
Christma began at a university site in Germany on the EARN network, which took many days to identify. It spread for roughly a day over multiple EARN and Bitnet sites and machines before being substantially controlled. However, because IBM’s VNET was linked to Bitnet, Christma found its way inside IBM as well, having a devastating impact. Understanding the contextual variations that created this larger effect is important since comparable characteristics in today’s networks influence how current network worms proliferate.
By December 12, the worm was under control. The only tangible impact of the incident was the loss of some innocent mail files as a result of an operator error when removing copies of Christma. EARN, Bitnet, and IBM network and executive staffs met to examine how the event occurred and what steps could be taken to avoid similar occurrences in the future.
The lessons learnt from the episode are similar to those found in any virus-prevention manual today: practice safe computing. Never run anything that gets into your reader uninvited without thoroughly checking it out first, no matter who it comes from.
Following that, IBM devised a virtual “big red button”, a mechanism that network owners might execute in the event of a future emergency that would disconnect their network from all others. If administrators were alerted in time, they could theoretically press the red button before a virus infiltrated the internal networks. In practice, a warning is unlikely to arrive in time to be useful.