PDA Viruses Could Get Nasty
Pests could easily run undetected on handhelds and spread quickly online, security expert warns.
Andrew Brandt, PC World
Thursday, July 29, 2004
LAS VEGAS -- Viruses that target handhelds can
be even more dangerous than their cousins that attack PCs, spawning
self-replicating programs that hide easily, a security researcher told
an audience of security professionals at the Black Hat Briefings
conference here this week.
The first virus aimed at Pocket PC handhelds, revealed last week,
could be far worse if it were modified slightly to carry a harmful
payload, said Seth Fogie, a vice president of Airscanner, which
develops security software for the Window Mobile platform.
The benign WinCE4.Duts.A (or just "Dust") virus
was created as a demonstration of threats against personal digital
assistants. However, Fogie noted, such programs could spread
stealthily, logging keystrokes on the Pocket PC's "soft keyboard," and
sending data stored on handhelds across the Internet.
Fogie demonstrated several malicious tools he
has created. The programs work properly only on Pocket PCs that use ARM
processors--the same kind of devices that are vulnerable to the Dust
virus. Such devices make up the majority of Pocket PC handhelds sold
Among Fogie's tools are a keystroke-logging
program, a virtual remote control application that runs undetected, and
an FTP server applet that could be modified to run invisibly in the
background. Rogue applications of these sorts typically spread as Trojan horse programs when PCs are infected with a virus. They allow virus writers to steal or manipulate data, or to make mischief.
The Dust virus is only a proof of concept,
carrying no malicious code or destructive programming. In fact, the
virus actually asks the handheld's owner for permission to install
itself, and in Fogie's demo it obeyed when the "no" button is clicked
on its dialog box.
Most disturbing is that only a few characters of
code need to be changed to force the handheld device to store or run
the programs without the user's being aware of them. Only a hard,
factory reset that wipes out the device's entire memory will remove the
dangerous payload applications.
Fogie's company is developing a software
firewall that runs on Pocket PCs. He says that he expects the company
to distribute the tool "free for private, nonbusiness users," similar
to the ZoneAlarm firewall for Windows.
Also speaking at the conference were noted virus
researcher Sarah Gordon and Yuji Ukai, a software engineer at EEye
Digital Security, which identifies many application vulnerabilities.
Gordon presented her analysis of how magazines and antivirus companies
test antivirus software. Ukai is recognized as the discoverer of the
LSASS vulnerability in Windows that the many versions of the Sasser worm later exploited.
Coders using the monikers HD Moore and Spoonm demonstrated a tool they created called MetaSploit,
which Spoonm described as a comprehensive platform for testing various
exploits against operating systems and applications. In fact, six new
kinds of tools for security professionals were announced at various
sessions. Among them are applications designed to circumvent so-called
Honeynets, or decoy servers that are used by researchers, and an
application that can hide data inside executable applications.
Black Hat continues through Thursday at Caesar's
Palace, when the Defcon hackers' conference kicks off at the Alexis
Park Hotel. Las Vegas residents, by now accustomed to the annual hacker
pilgrimage, were warned to lock down or turn off their wireless
networks for the week.
Printer Friendly Version