Hiding Places for Malicious Code

By Rich Loeber

The last time I wrote, it was about tracking down hidden programs on your system that you might not know about (see article). That time, it was trigger programs that could be sitting on your system just waiting for a specific event. But, as I've thought about this issue since then, there are other places where someone could "hide" a call to a malicious program and easily get overlooked.

This time, we'll look at two other areas for concern. These are the system job scheduler and exit programs. Both are ways that someone intent on doing harm to your system could hide some malicious program waiting for something to happen so it can jump out and cause problems. In each case, the IBM i OS contains a way to review the programs that are sitting there and you should take a look periodically to see how each is being used on your system.

The IBM i OS has had a nice, easy to use job scheduler built into it for a long time now. Most shops where I've done consulting work seem to know about it and use it for regularly scheduled jobs. But, that also means that the programming staff is aware of it and could misuse or abuse it.

To review the current contents of the system job scheduler, use the i/OS command Work with Job Schedule Entries (WRKJOBSCDE). This command will display information about every job in the system job scheduler. It will tell you what the job is, how it is invoked and when it is next scheduled to run. You should review each entry to make sure that you know what it is doing and when it is next scheduled to run. A suspicious job, to me, would be one that is not set to run for quite a while in the future. Most scheduled jobs happen frequently, either on a daily, weekly or monthly basis. If you see something on a different schedule than one of these, I'd pay particular attention.

Another place you need to periodically review are the registered exit point programs on your system. Exit points are hooks into i/OS processes. These are provided in the i/OS so customers can add their own customized processing called from the OS during normal operations. For example, many of the third party network security products now available on the market (including our own SafeNet/i) use exit points to add security checking to the various network operations in i/OS. The potential problem is that a rogue program could get registered to an exit point just waiting for a specific OS event to occur before it jumps up and gets noticed.

To review exit programs registered on your system, use the i/OS command Work with Registration Information (WRKREGINF). This will display a list of the i/OS exit points on your system, and remember that they are different for every level of the OS. For each exit point, use the option '8' to see if there is a registered exit program for the exit point. If you find any, make sure that you know what they are there for. Don't be surprised to find some exit programs already registered. If you are using a network security system, you should find many programs registered. Also, some come registered with i/OS. For example, you will find that the IBM product Service Director, uses some of the exit points as does the i/OS Mail Server Framework (MSF). Just make sure that you can identify each program that shows up as a result of your review.

If you have any questions about anything in this tip, just ask me and I'll give you my best shot. My email address is rich at kisco.com. All email will be answered.