Christma Worm

Before computer viruses became a continual, worldwide problem, before the famous Internet worm, and even before the Internet itself, a network worm called Christma Exec spread rapidly through mainframe computers connected to worldwide networks. In 1987, system administrators, first in Europe and then around the world, found themselves facing a threat they had never seen before—a program that replicated more rapidly than they could react. The worm spread into IBM, one of the most heavily networked environments at the time, clogging its network and forcing administrators to take parts of it offline.

Sixteen years later, in an age of ubiquitous, reliable, high-speed networks, it is easy to forget the lessons we learned in that earlier time when networking was neither especially fast nor always available. From the point of view of viral spread, however, it turns out that both the environment and the way in which the Christma worm spread are remarkably similar to today. More important, the lessons we learned from that incident still apply to today’s caustic computer virus problems.

This article reviews 1987’s relevant global networking environment, the way the Christma worm spread, the events surrounding its worldwide propagation, and the surprising effect it had once it got inside IBM. The computing community then took numerous technical measures to defeat the worm and deal with similar events in the subsequent years. We can learn from these lessons to address today’s viruses and worms in our increasingly complex global computing network. The authors were involved with responding to this threat and spent a number of hectic hours doing so. Little did we realize, at the time, that we were seeing the leading edge of a much broader problem.

Before the Internet

The internal file transfer network that IBM used in 1987, which came to be known as VNET, came into being in the mid 1970s.
Based on software originally developed at IBM’s Cambridge Scientific Center, VNET grew rapidly to connect many IBM locations and machines around the world. By 1983, it connected 1,000 nodes within the corporation, most of which were large mainframe computers supporting hundreds or thousands of users. The majority of these computers were running the VM/370 operating system (OS), from which today’s z/VM is derived (www.vm.ibm.com). By the early 1980s, many IBM customers, including universities and companies, were using VM/370 as well, and nearly all IBM office workers were using a VM/370-based office system called PROFS.

It was perhaps inevitable then that IBM’s customers should feel the need for a network similar to VNET for themselves. So Bitnet—formed Because It’s Time—was created in 1981, initially connecting Yale University and the City University of New York. In most technical respects, it was a copy of VNET, using the same software as IBM used internally but serving primarily to interconnect academic institutions. In 1982, a group of universities in Europe with substantial support from IBM created a second network called the European Academic and Research Network (EARN). Although administered as an independent network, it also was similar to VNET. In short order, Bitnet and EARN were interconnected, and IBM connected VNET to Bitnet around 1985.

IBM was cautious when establishing the interconnection and modified the software at its end to provide some protection, so that only IBM staff with authorization could use the

Merry Christma: An Early Network Worm

PETER G. CAPEK, DAVID M. CHESS, AND STEVE R. WHITE
IBM T.J. Watson Research Center

ALAN FEDELI
IBM Business Partner for Managed Security Services

26 PUBLISHED BY THE IEEE COMPUTER SOCIETY 1540-7993/03/$17.00 © 2003 IEEE IEEE SECURITY & PRIVACY

A computer worm disguised as a benign holiday greeting spread rapidly via email and clogged up networks worldwide.
The story is all too common today, but this happened to corporate and university mainframes in 1987, in the infancy of the computer virus problem, even before the famous Internet, or Morris, worm.