- Dampig trojan: Notable in that it corrupts the system uninstallation settings, making it more difficult to remove
- Mabir virus: Similar to Cabir, but instead of Bluetooth it uses SMS to spread
- Commwarrior: Also tries to disable the onboard antivirus software
- Frontal virus: causes a total system crash of the phone until it is removed
Conversely, the most recent type of malware does the opposite: it now cross-infects mobile devices from a PC. The first example of such malware, and the subject of this article, is a Trojan dubbed “crossover”, which spreads from a Win32 desktop machine to a Windows Mobile Pocket PC handheld.
When executed from Win32, the Trojan checks the version of the current OS; if it is not Windows CE or Windows Mobile, the virus makes a copy of itself and adds a startup command to the local machine's CurrentVersion\Run registry key. The Trojan then quietly waits for an ActiveSync connection; it can wait indefinitely. When an ActiveSync connection is detected, the Trojan automatically copies itself to the handheld device and executes that copy remotely. The handheld device is now infected. The Trojan will then begin to delete documents on the handheld.
Unlike the Dust virus, Crossover does not require a complex exploit in the host operating system in order to succeed. Nevertheless, it is a significant step forward in mobile malware evolution. It also raises the question: using the OpenNETCF library and the Microsoft CF library, will it be this easy for virus writers to continue to port the 100,000+ examples of PC malware to Smartphones and PDAs?
Windows Mobile devices contain a little-known autorun feature that can provide an attacker with a quick and easy method of infection. When a media card is inserted into the PDA, Windows Mobile will copy over the autorun.exe (if it exists), create a copy in the /Windows directory, and execute it. WM5 does ask the user whether the application may be launched, but previous versions of WM and Pocket PC do not. The file remains on the PDA until the media card is removed. A user can prevent this by creating a read-only dummy executable called autorun.exe and placing it in the /Windows folder.
Voice Over IP
9. Multiple VoIP attacks
Voice over IP (VoIP) is available on many of the portable handheld devices on the market via natively installed software or third-party add-ons. The flexibility and low cost of VoIP make it an extremely attractive feature. A user can often locate an open wireless network and use VoIP instead of their cell phone service, which may not even provide coverage in the local area. However, there are numerous problems with VoIP that can create an unstable and insecure environment for users.
VoIP is mostly sent in an unencrypted format. As a result, anyone can see the connection information and capture or record the conversation. Programs like VoMiT and Cain & Abel can easily capture and record conversations. Other programs like sipbomber can kick a user offline. In addition, SiVus (a VoIP scanner) can quickly locate VoIP-enabled systems (phones or servers) and scan them for vulnerabilities that can cause overflows or DoS attacks.
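
To check whether a given deployment is exposed in the way described above, the following added example (not part of the original article) audits a SIP INVITE and reports whether its signaling and media are encrypted. The function names, warning strings and sample messages are assumptions constructed for illustration.

```python
# Added example: audit one SIP message for plaintext signaling and media.
# All hosts, branch values and the key below are constructed placeholders.

def make_invite(transport, proto, crypto=False):
    """Build a constructed SIP INVITE with an SDP body for the audit below."""
    lines = ["INVITE sip:bob@example.test SIP/2.0",
             f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bKexample",
             "Content-Type: application/sdp", "",
             "v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-",
             "c=IN IP4 192.0.2.10", "t=0 0", f"m=audio 49170 {proto} 0"]
    if crypto:
        lines.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-KEY")
    return "\r\n".join(lines) + "\r\n"

def audit_sip_message(raw):
    """Return encryption findings for the signaling hop and each SDP stream."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    result = {"signaling_encrypted": False, "streams": [], "warnings": []}
    for line in head.split("\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v") and value.split():
            # Topmost Via: "SIP/2.0/<transport> host;params"
            transport = value.split()[0].rsplit("/", 1)[-1].upper()
            result["signaling_encrypted"] = transport in ("TLS", "WSS")
            break
    stream = None
    for line in body.split("\n"):
        line = line.strip()
        if line.startswith("m="):                # m=<media> <port> <proto> <fmt>
            fields = line[2:].split()
            if len(fields) < 3:
                continue
            stream = {"media": fields[0], "proto": fields[2],
                      "encrypted": "SAVP" in fields[2].upper(), "sdes_key": False}
            result["streams"].append(stream)
        elif line.startswith("a=crypto:") and stream is not None:
            stream["sdes_key"] = True            # SRTP key carried in the SDP
    for s in result["streams"]:
        if not s["encrypted"]:
            result["warnings"].append(f"{s['media']}: plaintext RTP ({s['proto']})")
        if s["sdes_key"] and not result["signaling_encrypted"]:
            result["warnings"].append(f"{s['media']}: SRTP key sent over cleartext signaling")
    if not result["signaling_encrypted"]:
        result["warnings"].append("signaling: SIP not carried over TLS")
    return result

if __name__ == "__main__":
    for args in (("UDP", "RTP/AVP"), ("UDP", "RTP/SAVP", True), ("TLS", "RTP/SAVP", True)):
        print(args, audit_sip_message(make_invite(*args))["warnings"])
```

The second case matters in practice: SRTP whose key is exchanged in the SDP over cleartext SIP can still be decrypted by anyone who captured the signaling.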