17.8 Airborne Viruses
Let us turn now to another rapidly growing wireless security threat: wireless computer viruses. With the explosive growth of WLANs, cellular phone manufacturers and carriers have piggybacked on Wi-Fi in order to resuscitate their hopes for universal, high-speed wireless connectivity. Along with this growth in coverage and bandwidth has come an increase in the number and sophistication of mobile devices. There are currently hundreds of millions of PDAs and smart phones in use worldwide, and the number is growing rapidly. With this phenomenal growth of "embedded" mobile devices, the threat of wireless viruses is likewise growing. Many of these handheld devices are potentially susceptible to some form of virus or hostile code that could render them nonfunctional. This section introduces various threats posed by airborne (wireless) viruses and hostile code.
Because of their susceptibility to viruses, handheld devices are potentially dangerous to a corporate network. Small business and home users also require protection from wireless viruses.
Malicious virus writers have a passion for owning new technology. New platforms such as Palm and Windows CE are highly attractive targets to virus and Trojan writers. Being the first to infect a new platform provides the virus writer with instant notoriety. As technology in the handheld device and wireless networking industries advances, virus writers have plenty of room for growth. In addition, the number of targets is growing at an exponential rate. In fact, the first viruses to target wireless devices and handhelds have already emerged.
For example, the Phage virus was the first to attack the Palm OS handheld platform. This virus infects all third-party application programs. Then the infected executable files corrupt other third-party applications in the host Palm handheld device.
Palm OS Phage spreads to other machines during synchronization. When the Palm device synchronizes in its cradle with a PC or via an infrared link to another Palm device, the virus transmits itself along with infected files.
The early handheld viruses spread slowly, since most PDAs were not wireless-enabled. However, with the growing prevalence of handheld wireless functionality, the threat grows as well. In fact, the modern Windows Mobile device has most of the ingredients for viral spread, such as a processor, RAM, writable memory, Pocket Microsoft Word, and even a Pocket Outlook mail client. Worse, unlike their desktop counterparts, handhelds rarely run security measures such as firewalls and virus scanners. Combine all this with an unsecured wireless link, and the potential for viral spread multiplies. The future may be even worse. With distributed programming platforms such as .NET, combined with Microsoft's Windows Mobile platforms, such as Pocket PC and Smartphone, the potential for viruses is even greater. Imagine a virus catching a ride on your "smart" watch (Windows CE) until it gets close enough to infect your corporate networks as you unwittingly drive by unsecured access points.
An example of a wireless virus is the Visual Basic Script-based Timofonica Trojan horse virus that hit a wireless network in Madrid, Spain. Like the "I Love You" email virus, Timofonica appends itself to messages you send and spreads through your mail client's contact list. In Timofonica, the Trojan horse sends an SMS (Short Messaging Service) message with each email across the GSM phone network to randomly generated addresses at a particular Internet host server. This can create annoying SMS spamming, or even a denial-of-service condition.
A similar denial-of-service attack occurred in Japan when a virus that sent a particular message to users on the network attacked the NTT DoCoMo "i-mode" system. The 911 virus flooded Tokyo's emergency response phone system using an SMS message. The message, which hit over 100,000 mobile phones, invited recipients to visit a web page. Unfortunately, when the users attempted to visit the page, they activated a script that caused their phones to call 110 (Tokyo's equivalent of the 911 emergency number in the United States). The virus overloaded the emergency response service and may have indirectly resulted in deaths.
From lessons in biology, we know that viruses infect every other organism, without exception, including even the tiniest bacteria. Thus, biologists and antivirus experts were not surprised to hear of the first malware infections of mobile devices. The first PDA virus appeared on the Palm platform in 2000.
The Palm OS has a different architecture from desktop computers, so it's less susceptible to immediate infections from existing desktop viruses. In addition, safeguards are built into the OS to help protect data at various points. Nevertheless, Palm eventually succumbed to its first virus. Experts predict future infections will be far worse.
The Palm has several potential methods of infection. For example, when the handheld is synchronized with its desktop counterpart, there is a transmission of data. Fortunately, most desktop viruses, even if rampant on the office machine, will not infect the PDA itself. In addition, this type of virus is usually picked up by desktop antivirus (AV) software. If a Palm does become infected, it can pass the infection back to other desktops: when the Palm carrying the infected file synchronizes with another remote desktop, it can pass the infection, much like the slow floppy disk infections of old (although transmission is much more difficult than with floppies).
Theoretically, there's also a potential for infection from new attacks that use existing desktop viruses as a vector. If a virus writer could "wrap" a Palm-specific virus in a desktop virus, the desktop AV software might not detect it. A user could unwittingly download the "clean" file from the desktop; when executed, the file would unwrap and release the Palm-specific virus. In addition, the Palm can potentially pass malicious code by infrared beaming. However, this feature requires the user to manually accept the infrared connection; there is no default promiscuous mode for Palm infrared reception. Beaming requires close physical proximity, usually four feet or less.
The greatest threat to handhelds, however, comes from wireless connections. In this case, the broadcast virus would totally bypass AV software on the desktop computer. The only way to protect against airborne viruses is at the wireless server or on the PDA itself. AV solutions for both the handset and the central server have been developed, but the technology is still in its infancy.
As mentioned earlier, Phage was the first Palm virus; it was discovered in September 2000. When the virus is executed, infected PDA files display a grey box that covers the screen, whereupon the application terminates. The virus infects all other applications on the Palm. When a "carrier" Palm is synchronized with a clean Palm, the clean Palm receives the Phage virus in any infected file. The virus then copies itself to all other applications on the clean Palm. The Phage virus can be removed by deleting any file that is infected. In addition, you must delete any occurrence of the file phage.prc from your backup folder. You can then reboot your Palm and resynchronize with the desktop.
Similarly, the Liberty Crack Trojan behaves as a Trojan by arriving in disguise (although it does not open a backdoor). Liberty is a program that allows you to run Nintendo GameBoy games on the Palm OS. Liberty is shareware, but like all useful shareware it has a crack that converts it to the full registered version. The authors of Liberty decided to pay back the pirates by releasing a "crack" for Liberty that was actually a virus. The authors distributed it on IRC. Unfortunately for the pirate, when executed the Liberty Crack Trojan deletes all applications from the PDA. The Liberty virus spreads through desktops and wireless email. In fact, it may be the first known PDA virus to spread wirelessly in the real world.
Another virus, known as Vapor, does just what it sounds like it should; when a PDA is infected with Vapor, all the files on it "disappear." When the infected file is executed, all application icons vanish as if deleted. It's a trick; the files still exist. In reality, the virus simply removes the icons from the display. It's similar to setting all files as Hidden on a desktop system.
Older handsets were relatively immune from airborne viruses because they lacked functionality. However, Internet-enabled smart phones are facile hosts for infection, as the Tokyo 911 virus, which attacked with an SMS message, illustrates. A potential vulnerability of SMS is that it allows a handset to receive or submit a short message at any time, independent of whether a voice or data call is in progress. If the handset is unavailable, the message is stored on the central server. The server retries the handset until it can deliver the message. In fact, there are desktop tools that script-kiddies use for SMS bombing. The principle of such a tool, when coupled with the power of a replicating virus, could potentially result in wide-scale denial-of-service attacks.
Another example of such an SMS-flooding virus occurred in Scandinavia. When a user received the short message, the virus locked out the handset buttons. This effectively became a denial-of-service attack against the entire system.
Similarly, a Norway-based WAP service developer known as Web2WAP found another example of malicious code while testing its software on Nokia phones. During the testing, they found that a certain SMS was freezing phones that received it. The code knocked out the keypad for up to a minute after the SMS was received. This incident is similar to format attacks that cause crashes or denial-of-service attacks against Internet servers.
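The SMS-based spraying behavior described above for Timofonica and the SMS-bombing scenario is visible on the gateway side as one sender bursting messages to many distinct recipients. The following is an added example, not code from the book, of a simple sliding-window detector run over a constructed SMS gateway log (the log format and all numbers are assumptions for illustration):

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample SMS gateway log (not from the book), one "timestamp sender recipient"
# record per line. Sender +15550003 represents an infected handset spraying recipients.
SAMPLE_LOG = """\
2003-06-01T10:00:00 +15550001 +15559001
2003-06-01T10:00:05 +15550002 +15559002
2003-06-01T10:00:10 +15550003 +15559011
2003-06-01T10:00:11 +15550003 +15559012
2003-06-01T10:00:11 +15550003 +15559013
2003-06-01T10:00:12 +15550003 +15559014
2003-06-01T10:00:13 +15550003 +15559015
2003-06-01T10:00:14 +15550003 +15559016
2003-06-01T10:01:30 +15550001 +15559003
2003-06-01T10:05:00 +15550003 +15559017
"""


def parse_log(text):
    """Yield (timestamp, sender, recipient) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def find_sms_floods(log_text, window=timedelta(seconds=60), max_msgs=5, min_fanout=4):
    """Flag senders that exceed max_msgs inside any sliding window AND reach at least
    min_fanout distinct recipients in that window (a replicating virus sprays many
    targets; a person re-sending one message to one friend does not).
    Returns {sender: (peak_message_count, distinct_recipients_at_peak)}."""
    recent = defaultdict(deque)  # sender -> deque of (timestamp, recipient) in window
    flagged = {}
    for ts, sender, recipient in sorted(parse_log(log_text)):
        q = recent[sender]
        q.append((ts, recipient))
        while q and ts - q[0][0] > window:  # drop records that fell out of the window
            q.popleft()
        fanout = len({r for _, r in q})
        if len(q) > max_msgs and fanout >= min_fanout:
            if len(q) > flagged.get(sender, (0, 0))[0]:
                flagged[sender] = (len(q), fanout)
    return flagged
```

Thresholds are deliberately conservative in this sample; a real gateway would tune them to its normal per-subscriber volume and pair the alert with a per-sender rate limit.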
17.8.1 Embedded Malware Countermeasures
Starting in the summer of 2003, all Dell handheld devices began shipping with an embedded version of McAfee Antivirus. Although it was unclear which Windows CE viruses Dell and McAfee were trying to protect against (since none existed at that time), other companies scrambled to compete. For example, soon after McAfee became standard on all Dell PDAs, Symantec released a beta version of their antivirus tool for Windows Mobile/Pocket PC. There are currently several virus scanners for Windows CE.
Rather than simply installing a commercial CE virus scanner, however, we recommend that you get under the hood and start dissecting embedded binaries yourself. In Chapter 4 we explained the steps for reverse engineering Windows CE applications. In addition, you can download special tools for debugging viruses and Trojans on Windows CE. For example, Airscanner Mobile AntiVirus Pro (shown in Figure 17-3) is free for personal use and has an array of advanced features for dissecting malware on your mobile device. It is available for you to download from http://www.airscanner.com.
Figure 17-3. Using the free Airscanner Mobile AntiVirus Pro to debug Trojan and virus infections on Windows CE