The Problem: WinCE_Dust infects all programs in the root directory of the Pocket PC device.
The Fix: Users should use online update to update their Airscanner Mobile Antivirus software to the latest DAT signature file version.
Free Software: The full version of Airscanner Mobile Antivirus is free for personal use (corporate use requires a license). The unlimited, full version may be downloaded for free at the following URL:
The Windows Mobile operating system is heir apparent to the Microsoft dynasty. Microsoft knows the desktop and server OS market is saturated. There is no room for growth. And even as we speak, Linux erodes its market share. How can Microsoft save itself?
Enter Windows Mobile. Also known as Windows CE, this tiny, embedded platform is the basis for Smartphone and Pocket PC devices, among others. It can potentially run Internet Explorer, Outlook and Word on every PDA and cellphone - and it even controls watches, exercise bikes and refrigerators. Microsoft especially wants to dominate the mobile phone OS market. With hundreds of millions of OEM licenses already up for grabs, and billions of dollars at stake, Microsoft knows that embedded devices are key to its future success.
But there is a problem. Security is the biggest threat to Microsoft's survival. With its Trustworthy Computing initiative splintering under the pressure of weekly vulnerabilities, Microsoft would surely protect its most favored offspring. Right?
Wrong. Microsoft left its golden child naked and shivering. Windows Mobile has almost no security architecture whatsoever. It is wide open to attackers; in fact, Microsoft itself admits that it is "only a matter of time" before its Smartphone platform is infected with wireless, "airborne" computer viruses.
Airscanner Corp. recently released a detailed technical analysis of the first ever native Trojan to infect Windows CE. And as of today, Airscanner Corp. is releasing a detailed analysis of (and fix for) the first ever Windows CE virus.
To their credit, Microsoft otherwise designed a remarkable, embedded OS. Windows CE is a stable, efficient, truly multitasking OS offering nothing less than a full, miniaturized version of Windows 2000. In short, it is a masterpiece. Unfortunately, Windows CE was designed without security. Worse, handheld devices are now the easiest backdoor into a corporate network.
WinCE4.Dust is the first known Windows CE virus to run on ARM-based devices running Windows Mobile Pocket PC. It was released to our antivirus researchers today by its author, Ratter, of the virus-writing group known as 29a (“29a” is the hexadecimal equivalent of the number “666”). This is a live, working proof-of-concept virus that infects all .EXE files in the root directory of the Pocket PC device.
WinCE4.Dust does no serious or permanent damage to the infected device, with the exception of infecting .exe files in the root directory. Infected files will run the viral code on execution and will then continue to operate as normal.
There are several safety features built into the virus to help prevent it from spreading in the wild. First, when executed, the virus asks the user if it is allowed to spread. Only if the user grants permission will it infect other files. Second, the virus only infects .exe files located in the root directory of the Pocket PC device. All other .exe files on the PDA are safe from infection.
When a user executes the file, she will be shown a dialog box with the following text: "Dear User, am I allowed to spread?".
At this point the virus will systematically infect all non-infected .exe files located in the root directory of the PDA. It is careful to skip the currently executing infected file and will also not re-infect previously infected files.
At approximately 4:45 PM EST on July 16, 2004, Airscanner Corp. received an email from an individual named Ratter/29A who was previously unknown to us. Attached to the email, along with a brief explanation, was a file named Dust.zip. When extracted, this file contained three executable files: PocketIRC.exe (150 KB), TRE.exe (149 KB), and wince_dust.exe (2 KB). Both PocketIRC.exe and TRE.exe are samples of infected executables, while wince_dust.exe is a sample of the virus code only (i.e., the parent virus). This virus was released to relevant parties as a proof of concept and was created to demonstrate that a virus could be written for the Pocket PC environment.
WinCE4.Dust is an example of a classic virus, but it has overcome technical obstacles to become the first virus to infect Windows CE. It only infects existing .exe files already located in the root directory of the PDA. The virus does not spread via any networking function, nor does it operate as a memory-resident process. Due to its method of self-replication (appending itself to every .exe file in the directory) and because of how it spreads (it requires an initial user action to spread), WinCE4.Dust meets all the criteria for a computer virus.
This is a low-risk virus. It was created with the sole intent of serving as a proof-of-concept program to demonstrate the possibility of viral activity on the Windows CE platform. In fact, hidden in the binary, the author gives this humorous message: “This is proof of concept code. Also, I wanted to make avers [antivirus researchers] happy. The situation when Pocket PC antiviruses detect only EICAR file [a harmless, standardized test file] had to end.”
The risk is low because the virus requires a user to permit it to spread to other files. In addition, the infection process only targets files located in the root directory of the PDA, which limits the number of potentially infected programs.
When executed, the virus only scans for and infects other non-infected .exe files in the root folder. It will skip any file that has already been infected (marked within the file by the tag “atar”). It does not damage the PDA or any other file on the device. For this reason, WinCE4.Dust is not a serious threat to infected PDAs, with the exception of its potential to energize the mobile virus-writing community. It is remarkable in that it demonstrates the first working method by which a virus can infect files on a Windows Mobile device.
Note, however, that in the lab we were able to easily bypass these protection checks by making small changes to the virus binary. There is nothing to prevent malicious users from doing the same and repackaging this malware as a Trojan.
Virus Embedded Comments
If an infected file is viewed with a hex editor, the following messages appear near the end of the file:
“This code arose from the dust of Permutation City”
“This is proof of concept code. Also, i wanted to make avers happy. The situation where Pocket PC antiviruses detect only EICAR file had to end …”
When the virus is executed, either via an infected executable or via wince_dust.exe, it first scans the root directory of the target Pocket PC for all *.exe files. It then displays the following message (see figure 1):
Title: “WinCE4.Dust by Ratter/29A”
Dialog: “Dear User, am I allowed to spread?”
If the user selects “No” a condition flag is set in the process that forces the virus code to calculate the infected program’s real start address, which is then executed.
If the user selects “Yes”, the virus systematically works through the list of .exe files in the directory. It first determines whether the listed .exe file is the currently executing program, and then makes sure the target .exe is not already infected. An infected file is marked with the word “atar” at offset 0x11C; this marker is checked during the infection process to see if the file was already infected. Without this check, the virus would keep re-infecting files over and over until the device ran out of memory.
If the target .exe passes the checks, the viral code is appended to the target file, which increases the file size by 1536 bytes. Finally, the PE header is altered to point the processor to the newly appended virus code when the infected file is executed.
Once the virus code has determined there are no more uninfected .exe files, it calculates the correct starting address for the executing file and redirects the process to this point. The infected program then operates as normal.
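As an added illustration of how a defender could check a Pocket PC executable for the infection indicators described above (the “atar” marker at offset 0x11C and an entry point redirected into appended code), here is example code written for this description; it is not Airscanner's scanner or any code from the virus. The minimal ARM PE image it builds is constructed for testing only, and the "entry point in the last section" heuristic is an assumption of this example, not something the analysis states.

```python
import struct

DUST_MARKER = b"atar"          # infection marker described in the analysis
DUST_MARKER_OFFSET = 0x11C     # offset at which the marker is written
IMAGE_FILE_MACHINE_ARM = 0x01C0  # PE Machine value for ARM images (Pocket PC)
DUST_APPEND_SIZE = 1536        # bytes the virus appends to each victim

def parse_pe(data: bytes):
    """Return (machine, entry_rva, [(vaddr, vsize), ...]) or None if not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    fh = e_lfanew + 4                      # IMAGE_FILE_HEADER
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):                  # section headers follow the optional header
        sh = opt + opt_size + 40 * i
        vsize, vaddr = struct.unpack_from("<II", data, sh + 8)
        sections.append((vaddr, vsize))
    return machine, entry_rva, sections

def scan_for_dust(data: bytes) -> dict:
    """Definitive indicator is the marker; entry-point location is a supporting heuristic."""
    pe = parse_pe(data)
    r = {"is_pe": pe is not None, "arm": False, "marker": False,
         "entry_in_last_section": False, "infected": False}
    if pe is None:
        return r
    machine, entry_rva, sections = pe
    r["arm"] = machine == IMAGE_FILE_MACHINE_ARM
    r["marker"] = data[DUST_MARKER_OFFSET:DUST_MARKER_OFFSET + 4] == DUST_MARKER
    if sections:                           # appended code would live at the end of the image
        vaddr, vsize = sections[-1]
        r["entry_in_last_section"] = vaddr <= entry_rva < vaddr + vsize
    r["infected"] = r["marker"]
    return r

def build_sample(infected: bool) -> bytes:
    """Constructed minimal ARM PE32 layout (not a real program) for testing the scanner."""
    e_lfanew, opt_size = 0x80, 0xE0
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    fh = e_lfanew + 4
    secs = [(b".text", 0x1000, 0x2000), (b".data", 0x3000, 0x1000)]  # name, vaddr, vsize
    struct.pack_into("<HHIIIHH", buf, fh, IMAGE_FILE_MACHINE_ARM, len(secs), 0, 0, 0, opt_size, 0x10E)
    opt = fh + 20
    struct.pack_into("<H", buf, opt, 0x10B)  # PE32 magic
    for i, (name, vaddr, vsize) in enumerate(secs):
        sh = opt + opt_size + 40 * i
        buf[sh:sh + len(name)] = name
        struct.pack_into("<II", buf, sh + 8, vsize, vaddr)
    entry = 0x3000 + 0x1000 - DUST_APPEND_SIZE if infected else 0x1100  # redirected vs. original
    struct.pack_into("<I", buf, opt + 16, entry)
    if infected:
        buf[DUST_MARKER_OFFSET:DUST_MARKER_OFFSET + 4] = DUST_MARKER
    return bytes(buf)
```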
Disinfection and Detection
Airscanner Mobile Antivirus has an active detection component known as Active Guard (AG). AG acts like a host-based intrusion detection program (e.g., like a Tripwire for the Pocket PC). AG will detect any infection process during execution of the virus and will alert the user via a popup dialog window. Airscanner has also extracted a virus signature that will detect all infected files. In order to delete or quarantine the infected files, the user must first soft reset the device.
Independent user detection of this virus is difficult because the virus only infects existing .exe files. It does not create new files or alter registry settings. As a result, the only way a user will know if he is infected is if he notices a subtle change in file size, which is unlikely.
Virus analysis by Cyrus Peikari, M.D. and Seth Fogie of Airscanner Corp. Thanks to Ratter of 29A for providing the virus sample.