Malware and IBM i

By Alejandro Lazzaro posted 19 hours ago

Background.

For years, the robustness of the IBM i and its predecessors led to confusion, with both users and IBMers referring to the platform as the “most secure” instead of the “most securable” platform. The IBM i is the most securable platform, and it becomes secure when the proper settings are applied and the right policies are followed.

Something similar applied to malware: for years there was confusion around the statement “Malware cannot run on the IBM i”. It is known that someone with the appropriate privileges can, knowingly or unknowingly, write code on the IBM i that performs tasks causing data loss or damage to the system. Though this could be considered malware, IBM’s stance was meant to be that “no known malware programmed for other platforms can run on the IBM i”.

As IBM i keeps evolving into a more complex system, supporting the latest technologies and trends and incorporating newer open-source languages and features that improve its capabilities, ease of use and administration, this has changed.

A lot.

Infections over time.

IBM i (OS/400 back then) incorporated the IFS in 1994 with V3R1 in order to improve compatibility with the other operating systems in a company. The IFS is a Unix/Linux-like hierarchical file system in which even QSYS.LIB, with all the native objects, resides.

This new file system gave the IBM i new file types and the ability to easily share data with Linux and Windows, and that is when virus infections started showing up on the IBM i. As these were mostly Windows malware (worms, viruses, infected emails), they could not run on the IBM i, but the IBM i could act as a place where these malicious files would “hide” and then spread the infection across the company infrastructure. An antivirus like Powertech Antivirus for IBM i could detect those infections on the IFS and stop them from spreading to other platforms. The IBM i itself was not threatened by those infections.

Enter Ransomware.

A new kind of infection, ransomware, started gaining popularity among malicious actors in the second decade of the 21st century. With the advent of cryptocurrencies, which make the payment of ransoms a lot easier with a certain degree of anonymity, ransomware attacks grew exponentially, and this was the first malware to cause serious concern among IBM i users.

Ransomware would hit Windows or Linux servers, and sometimes those servers had IBM i directories mounted that were treated just like any other folder or disk and got encrypted. Some shops were in an even worse position: they were sharing the root of the IFS, they were operating at QSECURITY 20 (yes, in 2025, still at QSECURITY 20), or they had several users with *ALLOBJ special authority who had IFS directories mounted on their Windows PCs.

Since I joined Fortra in 2021 (HelpSystems back then), in my meetings with customers I could not stress enough the need to set up the Anti-Ransomware as soon as possible, since that was the clearest and most present danger to the IBM i. Some shops came to us after being hit with ransomware and could not agree more.

A new threat?

Over the last four years, working on Powertech Antivirus for IBM i implementations at several customers, I was able to witness the reaction of customers to the results of the scans that we ran; sometimes it was a nervous silence, or some chuckles. Most of them were really surprised to see what we found, with infections amounting to several hundred files.

I think that they did not consider that malware or viruses that originally infected PCs could reach the IFS of the IBM i. Some customers were alarmed, until I explained to them, after reviewing the logs, that the malware we found consisted of old W32 worms, Trojans, email viruses or other malware that could not run on the IBM i.

But this changed somewhat when I started finding viruses that I considered could run on the IBM i.

About a couple of years ago, I was working on the implementation of Powertech Antivirus at an insurance company in Latin America. I normally review the results with the customers, but I don’t always get to see the entire log and what was detected; this time I managed to see all the results of the viruses that were found, and one of the detected viruses caught my eye:

This was a file written by a developer in PHP, installed on a PHP test server on the IBM i; PHP is a language that is supported and can run on the IBM i.
Given my past as an IBM i administrator and the devotion I feel for the platform, and considering IBM’s official posture on malware and the IBM i at that time, I concluded that even though this virus might run on the IBM i, it would not be able to cause harm to the IBM i or even access its data.
The customer understood the risks, the virus was removed, and I guess that the person working on that test website did not have a great afternoon.

Then again, last year, when working with a financial institution in the UK, I detected some similar infections, this time in multiple languages that could run on the IBM i. This made me think that there was something going on, and that we had to investigate it somehow.

Malware and the IBM i.

At this point I brought up the issue; we started discussing these infections with the team of experts at Fortra, and a decision was made to do a test with one of these WebShells. I was lucky to have the time and resources to do it.

So, I had a brief meeting with one of the members of the Core Impact team, who works on writing “evil” exploits and such, and he pointed me to a language that could be accessible to someone like me, with no programming skills.

I did a search for code in that language on the IBM i and found it on some pages; bear in mind that the IBM i uses several web interfaces to interact with administrators, and the files for those web interfaces reside on the IFS.

So, at that point the task was reduced to finding an example of those WebShells, which was not that difficult, and making it run. I’m not sure who will read this, but most people don’t realize that open-source code is freely available everywhere, to be used at your own risk and under your own responsibility.

Literally 10 minutes after I found the first code that I decided to try, it was running on one of my IBM i LPARs and, to my surprise, it was a remote shell that had access to the IBM i files, as well as to the objects under QSYS.LIB.

Here you can see the first screenshot that I took, still in disbelief. The file names are covered, as I landed on the directory where I placed the WebShell file. (Yes, I use an annoying number of tabs, sue me.)

After this first progress I found a second WebShell that looked a bit better, and I started working on something that we anticipated some people might question. That was something like: “OK, you have code that’s written to allow people to access your IBM i from the outside, with no username and no password. The IBM i is working as expected; how is this an infection?” Yes, a delivery method, so that the code is “unwillingly” uploaded to the IBM i.

This next step was a bit more complicated, though it was just a proof of concept, not meant to attack anyone anywhere; it would basically not pass any antivirus (I got contacted multiple times by Corporate Security), but it would prove that a skilled, malicious actor could create something more sophisticated that would fool someone into uploading the file to the IBM i.

The idea was simple: to create an “infected” version of PuTTY (just because) and wait for someone to click on the “Start an SSH Terminal” button in ACS (it seems that ACS adds that button if you have PuTTY on your system).

Normally that does not happen a lot but, again, this was just a test, and for some reason I found myself compelled to press that button. I just had to push the button 😊

As you can see, it brought up PuTTY, but it was weird that I got a sign-on request before getting PuTTY. Then I entered my credentials inside PuTTY and operated as I usually do (yes, I use SSH a lot… to do… stuff… like, you know, SSH stuff).

The problem is that the infected software uploaded malicious code to a specific part of the IFS, the spot that I found in my initial code search, where it could provide access to my LPAR from “the outside”.

I entered the address of the malicious code in my browser and, as expected, it was there. No username or password was requested; I could browse the IFS, go to QSYS.LIB, download objects from libraries, execute PASE commands, and create, delete or rename files and objects.
Luckily, I’m protected by Powertech Antivirus for IBM i, so I ran the scan; it detected the infected file and placed it in quarantine. Now, we also provide on-access scanning, but if I had had it turned on it would have been complicated to get the malware up and running. 😊
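One defensive control that the delivery scenario above points at is a file-integrity baseline of the web-interface directories on the IFS: a file that appears or changes under a web root without a matching deployment is worth a look. The following is an added example, not part of the original post and not code from Fortra or IBM; it builds a SHA-256 baseline of a directory tree, diffs a later snapshot against it, and flags new or changed files with extensions a web server would execute. The sample tree and the dropped `cache.php` are constructed in a temporary directory for the demonstration; on a real system the root would be your own web directories.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a web server or PASE would execute if dropped into a web root.
# Illustrative list, not exhaustive.
SCRIPT_EXTENSIONS = {".php", ".py", ".pl", ".sh", ".jsp", ".cgi", ".js"}


def snapshot(root):
    """Map every regular file under root (POSIX relative path) to its SHA-256."""
    digests = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return added, modified, removed


def suspicious_changes(baseline, current):
    """Added or modified files whose extension a web server would execute."""
    added, modified, _ = diff_snapshots(baseline, current)
    return sorted(p for p in added + modified
                  if Path(p).suffix.lower() in SCRIPT_EXTENSIONS)


def demo():
    """Constructed scenario: baseline a web root, then drop a script into it."""
    with tempfile.TemporaryDirectory() as webroot:
        root = Path(webroot)
        (root / "index.html").write_text("<html>welcome</html>")
        (root / "img").mkdir()
        (root / "img" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        baseline = snapshot(root)
        # Simulated unwanted upload (constructed, harmless) and a benign edit.
        (root / "img" / "cache.php").write_text("<?php // constructed sample ?>")
        (root / "index.html").write_text("<html>welcome back</html>")
        return suspicious_changes(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())  # ['img/cache.php']
```

Storing the baseline off the system (or on a read-only path) matters, since a file dropped into a web root by the same delivery method could just as easily overwrite a baseline kept beside it.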

Lessons learned.

The IBM i has become, over time, a solid business platform that supports multiple open-source languages and is more compatible with its environment. This gives the IBM i the possibility of complementing the best, and only, OS with an integrated database engine with a great user interface and a more modern look and feel, bringing new administrators and programmers closer to the platform.

This has also increased the dangers that we need to face as IBM i administrators. Luckily for us, since V5R3, IBM i (iSeries back then) includes the tools for third-party software vendors like Fortra to scan files for viruses. Fortra Powertech Antivirus for IBM i is the only antivirus that runs natively on IBM i, and is thus able to detect these infections without depending on the IFS being shared with a Windows PC.

Being aware of your perimeter security as well as scanning your files has become imperative for all IBM i users. These are no longer the “security by obscurity” times: you cannot hide your IBM i from malicious actors, and you cannot hide behind “nobody knows how to code for IBM i”.

How about you? Do you scan your IFS for malware? Do you have ransomware protection?
