Viruses, Trojans and Hackers I

This is one of several network security related topics included in our Technical Notes. The intent of these articles is to give you a fundamental understanding of the threats against your HP3000 and the impact these threats may have. Moreover, you will be able to converse intelligently with network and security administrators about the risks the HP3000 faces on the Internet and Intranet.

To my knowledge there has never been a reported case of a virus that runs on an HP3000 system. That’s not to say that a virus couldn’t be written to run on MPE, just that there have been none. A virus can be loosely defined as a program that does harm to the host and/or actively seeks out other hosts to spread to. Nevertheless, a system can certainly be affected by the activity of viruses on other systems on your network, and there is no guarantee that there will never be an HP3000-specific virus.

Here are some of the ways in which “the deadly three” (viruses, trojans and hackers) on your network can affect the HP3000.

Systems that use SAMBA to provide file sharing to network users are open to having files from the deadly three stored on the HP, just as any other file server is. A hacker may store illicit files in this space. Alternatively, Windows executable files that are infected with a virus can be stored on the HP. An important distinction is that Windows executables will not run on the HP3000. Hence, if viruses are found in files stored in SAMBA shares on the HP3000, the HP3000 is not infected with a Windows virus; it is merely a holding area for files that are infected.
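Because the HP3000 only stores these files, the practical check on a SAMBA share is to find Windows executables regardless of what they are named. The following is an added example, not code from the original note or from HP or SAMBA: it recognises a Windows PE executable from its DOS “MZ” header and the “PE\0\0” signature that header points to, so a renamed .exe is still caught. The function names, `REQ`-style constants and the sample byte buffers are this example’s own constructions.

```c
/* Header-based detection of Windows PE executables stored on a file share.
 * Added example (not from the original technical note). Looks at the DOS
 * "MZ" magic and follows e_lfanew to the "PE\0\0" signature, so the check
 * does not depend on the file extension. Sample buffers are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* The 64-byte DOS header holds the PE header offset (e_lfanew) at 0x3C. */
#define DOS_HEADER_LEN 64u

/* PE headers are little-endian regardless of the host byte order. */
static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return 1 if buf looks like a Windows PE executable, 0 otherwise.
 * Both the "MZ" magic and an in-bounds "PE\0\0" signature are required;
 * a bare MZ stub (old DOS program, truncated file) does not count. */
int is_windows_pe(const unsigned char *buf, size_t len) {
    if (len < DOS_HEADER_LEN) return 0;
    if (buf[0] != 'M' || buf[1] != 'Z') return 0;
    uint32_t e_lfanew = read_le32(buf + 0x3C);
    if (e_lfanew > len - 4) return 0;        /* offset points past what we read */
    return memcmp(buf + e_lfanew, "PE\0\0", 4) == 0;
}

/* Read the start of a file and classify it. Returns -1 if it cannot be opened.
 * Intended to be run over every file under a share export. */
int file_is_windows_pe(const char *path) {
    unsigned char hdr[4096];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return is_windows_pe(hdr, n);
}

/* Constructed minimal PE header: only the fields the check reads are set.
 * len must be at least 0x44 bytes. This is not a runnable program image. */
void build_sample_pe(unsigned char *buf, size_t len) {
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                        /* e_lfanew = 0x40 (little-endian) */
    memcpy(buf + 0x40, "PE\0\0", 4);
}

/* Self-check over constructed samples. Bit 0: real PE header detected,
 * bit 1: plain text detected (should not be), bit 2: MZ stub without PE
 * signature detected (should not be). Expected result: 1. */
int self_check(void) {
    unsigned char pe[0x48], text[0x48], stub[0x48];
    build_sample_pe(pe, sizeof pe);
    memset(text, 'A', sizeof text);          /* a text document */
    build_sample_pe(stub, sizeof stub);
    memcpy(stub + 0x40, "XX\0\0", 4);        /* MZ present, PE signature missing */
    return is_windows_pe(pe, sizeof pe)
         | (is_windows_pe(text, sizeof text) << 1)
         | (is_windows_pe(stub, sizeof stub) << 2);
}

int main(void) {
    printf("self_check=%d (1 means only the PE sample was flagged)\n", self_check());
    return 0;
}
```

`file_is_windows_pe` is the piece you would point at share contents; a file flagged here is a Windows program sitting on the HP, which is what an anti-virus scan of the share should then examine.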

HP3000 performance may suffer indirectly if a very active virus, trojan or hacker is busy transmitting large amounts of network traffic or trying to infect other systems on the network. This situation can cause the network to be overloaded. Consequently, performance on the HP3000 may be impacted.

While a virus or trojan may not be able to run directly on the HP3000, an infected machine may attack a generic service such as FTP on the HP3000 in an attempt to spread. This can cause what appears to be a denial of service attack, where legitimate connections are refused because MPE runs out of network buffers. Similarly, the use of large amounts of CPU to process invalid (or in some cases valid) requests can cause response time delays or connection problems. FTP is just one example. Others include the flooding of other services with requests, such as SNMP, Sendmail, BIND, Telnet, TFTP, SAMBA, Time and others.

Similar to denial of service attacks is a type of attack known as a “buffer overrun.” A buffer overrun is when code is sent to another system as data and the program is then “tricked” into executing that code. Sometimes this is used to gain access to the target machine. Other times it has been used simply to initiate a denial of service attack. Recently SENDMAIL on Unix/Linux based systems was the target of a buffer overrun attack. Windows and Unix systems are susceptible to buffer overruns because of their architecture. MPE, on the other hand, is not. MPE has a strict separation between data and code. When a program attempts to execute a memory address that is classified as data, the program will abort with the familiar “data memory protection trap” error. The end result is that the attacker does not achieve what the attacker was hoping for, which is either to gain access to the machine or to cause the target system to harm itself. While this may cause a denial of service situation, it means that the system itself was not compromised.
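The overrun itself happens before any question of executing data arises: a service copies an incoming request into a fixed-size buffer without comparing lengths. The following added example is not code from the note, from MPE or from Sendmail; it shows that defect beside the hardened form in C, which is the language in which this class of bug occurs. `REQ_BUF`, the function names and the sample requests are constructions for the example.

```c
/* A network service copying an incoming request into a fixed-size buffer:
 * the vulnerable pattern beside the hardened one. Added example, not from
 * the technical note. REQ_BUF is kept small so the limit is easy to see;
 * request strings below are constructed. */
#include <stdio.h>
#include <string.h>

#define REQ_BUF 16

/* Vulnerable pattern: strcpy trusts the sender's length. A request of
 * REQ_BUF bytes or more writes past buf into the rest of the stack frame.
 * On MPE a later attempt to execute that data aborts with a data memory
 * protection trap; on systems without the separation the overwritten frame
 * can redirect execution. In both cases the overwrite has already happened,
 * so the fix belongs at the copy. */
int handle_request_unsafe(const char *request) {
    char buf[REQ_BUF];
    strcpy(buf, request);            /* no bounds check: the defect */
    return (int)strlen(buf);
}

/* Hardened pattern: compare the length against the buffer before copying,
 * refuse over-long requests outright rather than truncating them silently,
 * and always leave room for the terminating NUL.
 * Returns the number of bytes accepted, or -1 if the request was refused. */
int handle_request_safe(const char *request, size_t request_len) {
    char buf[REQ_BUF];
    if (request_len >= sizeof buf) {
        return -1;                   /* would not fit with its terminator */
    }
    memcpy(buf, request, request_len);
    buf[request_len] = '\0';
    return (int)request_len;
}

/* Convenience wrapper for NUL-terminated input. */
int handle_request_safe_str(const char *request) {
    return handle_request_safe(request, strlen(request));
}

int main(void) {
    const char *ok = "USER guest";                          /* 10 bytes, fits  */
    const char *too_long = "USER AAAAAAAAAAAAAAAAAAAAAAAA";  /* 29 bytes, refused */
    printf("unsafe(ok)=%d safe(ok)=%d safe(too_long)=%d\n",
           handle_request_unsafe(ok),
           handle_request_safe_str(ok),
           handle_request_safe_str(too_long));
    /* handle_request_unsafe(too_long) is deliberately not called: it would
     * corrupt this stack frame, which is the whole point of the comparison. */
    return 0;
}
```

The hardened version refuses rather than truncates because a silently shortened command can itself be misparsed by whatever runs next; refusing and logging the oversized request also gives you the symptom to look for (see the indicators below).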

An HP3000 can exhibit other symptoms that indicate network problems or a situation requiring investigation. For example: large numbers of failed connection attempts, seen as blank lines in the $STDLIST from JINETD; console error messages such as “Cannot FWRITE $STDLIST during logon”, which means the system that initiated a VT connection closed the socket before sending a logon request; failed logon attempts on the console for TFTP or other users you are unaware of; and a large number of SNMP requests being processed by the system, which often shows up as a performance issue in which SNMP takes a large amount of CPU. These could be the result of a hacker attempting to gain access, a port scanner trying to determine what network services the HP3000 is providing, or a network monitor or analyzer.
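Two of these indicators are plain text you can count: blank lines in the JINETD $STDLIST and the “Cannot FWRITE $STDLIST during logon” console message. The added example below (not code from the note or from HP) tallies both over captured lines and raises alert flags once site-chosen thresholds are exceeded; it covers the service-flooding symptoms described earlier as well. The sample lines, the thresholds and the struct and function names are constructions for the example; only the quoted console message text comes from the note.

```c
/* Tally the JINETD/console symptoms described in the note over captured
 * text lines. Added example, not from the technical note. The sample lines
 * and thresholds are constructed; the matched console message is the one
 * quoted in the note. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct symptom_counts {
    int blank_stdlist_lines;   /* failed connection attempts appear as blank lines */
    int fwrite_logon_errors;   /* "Cannot FWRITE $STDLIST during logon" */
    int other_lines;
};

/* A line is blank if it holds nothing but whitespace. */
static int is_blank(const char *line) {
    for (; *line; line++)
        if (!isspace((unsigned char)*line)) return 0;
    return 1;
}

/* Classify each line and count it. */
struct symptom_counts scan_lines(const char *const *lines, size_t n) {
    struct symptom_counts c = {0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (is_blank(lines[i]))
            c.blank_stdlist_lines++;
        else if (strstr(lines[i], "Cannot FWRITE $STDLIST during logon"))
            c.fwrite_logon_errors++;
        else
            c.other_lines++;
    }
    return c;
}

/* Alert flags. Thresholds are per capture window and must be tuned to the
 * site's normal baseline; the values used below are for the demo only. */
#define ALERT_CONN_FLOOD   1   /* many refused/abandoned connections */
#define ALERT_LOGON_ABORTS 2   /* peers closing the socket before logon */

int symptom_alerts(struct symptom_counts c, int blank_threshold, int fwrite_threshold) {
    int flags = 0;
    if (c.blank_stdlist_lines >= blank_threshold) flags |= ALERT_CONN_FLOOD;
    if (c.fwrite_logon_errors >= fwrite_threshold) flags |= ALERT_LOGON_ABORTS;
    return flags;
}

/* Constructed sample: a JINETD $STDLIST fragment mixed with console lines. */
static const char *const sample_lines[] = {
    "JINETD started",
    "",
    "",
    "   ",
    "",
    "Cannot FWRITE $STDLIST during logon",
    "",
    "Cannot FWRITE $STDLIST during logon",
    "normal session output",
};
#define SAMPLE_COUNT (sizeof sample_lines / sizeof sample_lines[0])

/* Run the detector over the built-in sample with demo thresholds (5 blank
 * lines, 2 FWRITE errors). Returns the alert flags: expected 3 (both set). */
int scan_sample(void) {
    struct symptom_counts c = scan_lines(sample_lines, SAMPLE_COUNT);
    return symptom_alerts(c, 5, 2);
}

int main(void) {
    struct symptom_counts c = scan_lines(sample_lines, SAMPLE_COUNT);
    printf("blank=%d fwrite=%d other=%d alerts=0x%x\n",
           c.blank_stdlist_lines, c.fwrite_logon_errors, c.other_lines,
           symptom_alerts(c, 5, 2));
    return 0;
}
```

In use you would feed `scan_lines` the lines from a saved $STDLIST or console log for a fixed window and compare the counts against what a quiet period on the same system produces; the thresholds above are arbitrary demo values, not recommendations.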

It used to be said that MPE benefited from “security through obscurity” because little was known about MPE outside of the install base. The Internet has changed all of that. Systems are now connected to the Internet, and vast amounts of technical material concerning MPE are available online. Clearly we aren’t in Kansas anymore.