IBM Christmas Card Gauri Pulekar CS 528 Spring 2015

IBM Christmas card attach: CS571

Page 1: IBM Christmas card attach: CS571

IBM Christmas Card

Gauri Pulekar

CS 528

Spring 2015

Page 2: IBM Christmas card attach: CS571

Season Of Joy And Gifts

Page 3: IBM Christmas card attach: CS571

History of the Christmas Card Malware

Page 4: IBM Christmas card attach: CS571

Christmas 1999

• WM97/Melissa-AG virus infected Microsoft Word documents, spreading via email

• Subject line: “Message from <username>”

• Message: “This document is very Important and you've GOT to read this !!!”.

• Payload triggered on December 25th

Page 5: IBM Christmas card attach: CS571

• Attempt to format the C: drive on the next reboot.

• Insert randomly colored blocks in the current Word document

Page 6: IBM Christmas card attach: CS571

Christmas 2000

W32/Navidad virus spread via email, masquerading as an electronic Christmas card.

Mysterious blue eye icons in the Windows system tray

Mouse over the eyes

Page 7: IBM Christmas card attach: CS571

Christmas 2000

W32/Music email-aware worm

Message: "Hi, just testing email using Merry Christmas music file, you'll like it.”

Worm attached as a file called music.com, music.exe or music.zip.

Page 8: IBM Christmas card attach: CS571

Plays the first few bars of the song "We wish you a Merry Christmas”

Displays a cartoon of Santa Claus with the caption "Music is playing, turn on your speaker if you have one" or "There is error in your sound system, music can't be heard."

Page 9: IBM Christmas card attach: CS571

Christmas 2001

Maldal virus spread via email using a seasonal electronic greeting card called Christmas.exe.

Picture: Santa Claus on skis accompanied by a prancing reindeer

Message: "From the heart, Happy new year!".

Page 10: IBM Christmas card attach: CS571

IBM Christmas Card

The Beginning of the Story

Page 11: IBM Christmas card attach: CS571

IBM Christmas Card: Facts

• When: 9th December 1987

• Name: Christmas Tree Exec

• Place of Origin: Germany

• Significance: Worms were first noticed as a potential computer security threat

• Effect: It brought down both the world-wide IBM network and BITNET

• Source Language: REXX

Page 12: IBM Christmas card attach: CS571

Behavior

• E-mail Christmas card

• Subject line "Let this exec run and enjoy yourself!"

• Included executable code.

• Claimed to draw a Christmas tree on the display.

• The user had to execute the program by typing christma or christmas.

Page 13: IBM Christmas card attach: CS571

• Displayed an ASCII Christmas tree.

Page 14: IBM Christmas card attach: CS571

A comment inside the source code: "browsing this file is no fun at all just type CHRISTMAS from cms"

Sent a copy to everyone on the user's address lists.

Page 15: IBM Christmas card attach: CS571

Working

• Read the files:

  NAMES: Collection of information about other users with whom you communicate

  NETLOG: File transfer log

• Mailed itself to every email address

• Approximate number exceeded 1,000

• People trusted it, because it was coming from a regular correspondent

Page 16: IBM Christmas card attach: CS571

The Name: CHRISTMA EXEC

• IBM VM systems originally required file names to be formatted as 8 characters + space + 8 characters

• IBM required REXX script files to have a file type of "EXEC"

Page 17: IBM Christmas card attach: CS571

Source of the Christmas card

A student at the University of Clausthal in West Germany

REXX scripting language: a shell script-like language for IBM’s VM/CMS system

Found by December 21

Barred from using his/her system.

“The damage was unintentional and that the program was written to send Christmas greetings to my friends.”

Page 18: IBM Christmas card attach: CS571

Damage Done

• Worm itself wasn’t malicious

• Exponential growth patterns

• Clogged servers, communication paths, spool directories

• Unintentional denial of service attack

Page 19: IBM Christmas card attach: CS571

Damage Done

EARNet:

• The European Research and Education Networking Association (TERENA)

BITNET:

• BITNET was a university computer network founded in 1981 at the City University of New York (CUNY) and Yale University

• Destroyed by December 14th

Page 20: IBM Christmas card attach: CS571

Damage Done

IBM's VNet electronic mail network

• International computer networking system deployed in the mid-1970s.

• Developed inside IBM

• Provided the main email and file-transfer backbone for the company

• December 15th

• Paralyzed on 17th December

• Brought to a standstill two days later, only getting rid of the worm by shutting down the network.

• In 1990, Christmas Tree resurfaced after being posted to Usenet.

• IBM was forced to shut down its 350,000-terminal network

Page 21: IBM Christmas card attach: CS571

Countermeasures Taken

• Programmer at Cornell University had written a simple program

• Examined the network queues every five minutes and deleted any files called Christma Exec

• Purged about 300 copies in four and a half hours.

• Other operators did the same, writing and passing around ad-hoc programs to eliminate copies of the worm.

Page 22: IBM Christmas card attach: CS571

Countermeasures Taken

• Such simple tools could only sample the queues every few seconds and purge what they found

• Worm could still sneak through to a limited degree.

• In Israel, one programmer wrote a program, “anti-Christma Christma”

• Examined users’ netlog to determine whether they had been victimized

• If yes, the new Christma would retrieve any copies of the original that had not yet been read by the addressee and then send itself onward to the same set of targets used by the original Christma.
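
Why a periodic queue sweep only catches part of the traffic, as an added example that is not part of the original slides: a file is purged only if a sweep runs while it is still sitting in the queue. The queue contents, dwell times and function names below are constructed assumptions, not data from the 1987 incident.

```python
# Added illustration; queue contents and dwell times are constructed.
from dataclasses import dataclass

TARGET = ("CHRISTMA", "EXEC")  # file name and file type named on the slides


@dataclass(frozen=True)
class SpoolFile:
    name: str     # CMS-style "FILENAME FILETYPE"
    arrival: int  # second at which the file enters the network queue
    dwell: int    # assumed seconds it waits there before being forwarded


def is_target(name: str) -> bool:
    """Match the exact (file name, file type) pair, case-insensitively."""
    return tuple(name.upper().split()) == TARGET


def seen_by_sweep(f: SpoolFile, interval: int) -> bool:
    """Sweeps run at interval, 2*interval, ...; is f queued during one?"""
    # First sweep at or after arrival (ceiling to a multiple of interval).
    first = max(interval, -(-f.arrival // interval) * interval)
    return first < f.arrival + f.dwell


def sweep_outcome(queue, interval):
    """Return (purged, escaped, untouched) counts for one sweep interval."""
    purged = escaped = untouched = 0
    for f in queue:
        if not is_target(f.name):
            untouched += 1      # unrelated files are never deleted
        elif seen_by_sweep(f, interval):
            purged += 1
        else:
            escaped += 1        # forwarded in the gap between two sweeps
    return purged, escaped, untouched


QUEUE = [  # constructed sample queue
    SpoolFile("CHRISTMA EXEC", 10, 400),
    SpoolFile("christma exec", 310, 120),
    SpoolFile("PROFILE EXEC", 50, 900),
    SpoolFile("CHRISTMA EXEC", 590, 30),
    SpoolFile("CHRISTMA EXEC", 601, 200),
    SpoolFile("THESIS SCRIPT", 700, 50),
    SpoolFile("CHRISTMA EXEC", 901, 3),
]

if __name__ == "__main__":
    for interval in (300, 5):   # five-minute sweep vs. every few seconds
        print(interval, sweep_outcome(QUEUE, interval))
```

Shortening the interval shrinks the gap but does not close it: any copy whose time in the queue is shorter than the sweep interval can still be forwarded unseen.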

Page 23: IBM Christmas card attach: CS571

Debate: Trojan or Worm

Trojan:

• Appear to be useful, but will do damage once installed

• Required the user to download and run the attachment to make it replicate

Worm:

• Virus Encyclopedia refers to it as a worm.

• Worms move from one computer to another regardless of any human action


Page 25: IBM Christmas card attach: CS571

Time to Discuss!

Trojan?

Worm?

Page 26: IBM Christmas card attach: CS571

Thank You