03-01-2006, 06:00 PM
|
|
Editor Emeritus
Join Date: Aug 2006
Posts: 15,171
|
|
First PC/Pocket PC Cross-Platform Trojan Discovered
"The Mobile Malware Researchers Association (MARA) today announced that it has characterized the first malware to cross-infect a handheld phone or PDA from a binary on the desktop PC. The malware, a Trojan dubbed �crossover�, spreads from a Win32 desktop machine to a Windows Mobile Pocket PC handheld. Detailed analysis and the malware binary are available to antivirus companies and security experts who qualify for MARA membership, which is free."
This is just a proof-of-concept, so don't run for the hills yet... but the true long-term threats are starting to become clearer. To me, the idea of cross-platform malware is a significant next-generation threat, especially as our handheld devices gain faster network connections. While this trojan can't copy itself back to your PC, one could easily envision a virus that sits on your Pocket PC and collects sensitive data even after new AV definitions on your desktop are released and inoculate the PC. Does this mean we'll eventually need virus scanners on every Pocket PC? Probably. :? However, I think we're still in the watch-and-wait phase for a while longer.
|
| |
|
|
|
03-01-2006, 07:00 PM
|
|
Magi
Join Date: Sep 2005
Posts: 2,341
|
|
Somehow I find this all just a bit too sleezy for my liking. Here we have the organization and developers for antivirus applications actually developing the viruses. To me "proof of concept" in real terms means here's how to do it guys, go and do it....so that we can increase our sales of antivirus software.
There are no viruses for Windows Mobile devices YET so the companies selling the antivirus software feel they need to create a need for their product. How sleezy is that?! We had a very similar happening a few months back where another "proof of concept" was released by two antivirus software developers.
It's all very unfortunate because sooner or later their efforts will succeed and we will be forced to buy their products. Personally I'll do a a lot of hard resets before I give these guys my money, though.
Dave
|
| |
|
|
|
03-01-2006, 11:38 PM
|
|
Intellectual
Join Date: May 2006
Posts: 237
|
|
O Jeesh, I hope we don't have to run virus scanners on our devices -- wouldn't that make things intolerably slow?
|
| |
|
|
|
03-02-2006, 12:27 AM
|
|
Pontificator
Join Date: Aug 2006
Posts: 1,202
|
|
Quote:
|
Originally Posted by Paragon
It's all very unfortunate because sooner or later their efforts will succeed and we will be forced to buy their products. Personally I'll do a a lot of hard resets before I give these guys my money, though.
Dave
|
:rock on dude!: :rock on dude!:
What he said!
You nailed it. It is not just a little sleazy, it's a lot sleazy IMO.
|
| |
|
|
|
03-02-2006, 12:39 AM
|
|
Editor Emeritus
Join Date: Aug 2006
Posts: 15,171
|
|
Quote:
|
Originally Posted by Paragon
Somehow I find this all just a bit too sleezy for my liking. Here we have the organization and developers for antivirus applications actually developing the viruses. To me "proof of concept" in real terms means here's how to do it guys, go and do it....so that we can increase our sales of antivirus software.
|
Not so fast. Check out their newest post. They don't freely release this proof-of-concept, and really are more researchers than salespeople -- there's nothing for sale on the MARA site.
Quote:
|
There are no viruses for Windows Mobile devices YET so the companies selling the antivirus software feel they need to create a need for their product. How sleezy is that?!
|
There are two theories about this:
1. Researchers need to "think" like virus writers and predict what will happen, otherwise it'll happen and we won't be prepared;
2. Researchers are commiting a disservice, and should only reactively address threats.
Network security is an integral part of my PhD research, and from my experience, I strongly believe #1 is a much better position. We're seeing new behavior from attackers all the time, especially with the raise of organized computer crime, and we need to be much more proactive than we are now.
And why don't you blame the software vendors that build tools that are so easily susceptible to such threats? Microsoft's finally added code signing in WM5, but it's only the first step. Fortunately, it does seem MS does have a strategy going forward.
--janak
|
| |
|
|
|
03-02-2006, 01:14 AM
|
|
Magi
Join Date: Sep 2005
Posts: 2,341
|
|
Quote:
|
Originally Posted by Janak Parekh
1. Researchers need to "think" like virus writers and predict what will happen, otherwise it'll happen and we won't be prepared;
|
I think there is a big difference between "thinking" like virus writers and being a virus writer. To me producing a proof of concept and making it available to their members doing much more than "thinking" like a virus writer.....if it looks like one, and smells like one...then it must be one.  
Quote:
|
Originally Posted by Janak Parekh
2. Researchers are commiting a disservice, and should only reactively address threats.
|
I think in creating threats under the pretense of just showing it can be done, then releasing the code is doing much more than being ready for the threat. I think it is CAUSING the threat.
Quote:
|
Originally Posted by Janak Parekh
Network security is an integral part of my PhD research, and from my experience, I strongly believe #1 is a much better position. We're seeing new behavior from attackers all the time, especially with the raise of organized computer crime, and we need to be much more proactive than we are now.
|
I agree Janak, but they aren't attempting to be ready for the threat. They are causing the threat.
Quote:
|
Originally Posted by Janak Parekh
And why don't you blame the software vendors that build tools that are so easily susceptible to such threats? Microsoft's finally added code signing in WM5, but it's only the first step. Fortunately, it does seem MS does have a strategy going forward.
|
Very good point. I think you are a lot more qualified to speak to this than I am. I don't have near the knowledge you do in this area.
Dave
|
| |
|
|
|
03-02-2006, 02:00 AM
|
|
Editor Emeritus
Join Date: Aug 2006
Posts: 15,171
|
|
Quote:
|
Originally Posted by Paragon
I think there is a big difference between "thinking" like virus writers and being a virus writer. To me producing a proof of concept and making it available to their members doing much more than "thinking" like a virus writer.....if it looks like one, and smells like one...then it must be one. |
Again, this is where research thinks differently. In academia, the general principle is to "publish" your work to prove that it is indeed novel and different. If you survey the top security conferences every year, exploits are routinely discussed and dissected. For example, one of the most classic papers of the last 5 years is entitled How to 0wn the Internet in Your Spare Time, and while Staniford et. al. don't actually release code in the paper, they outline the key principles needed to do a significant DDoS of the Internet. Talking at this level of detail is what has led to people starting to develop defenses.
Now, release policies for proof-of-concepts (e.g., code) is an interesting side question. To me, creating one is a significant step in demonstrating the feasibility of an technique or exploit. As to distribution, we may disagree as to who and when one should release a proof-of-concept... but, as an alternative, what should people do? Take these guys' word that the proof-of-concept works? One way security vendors build defenses is to actually have specially designed vulnerable machine(s) and launch (or advertise it for) attacks against it to observe the damage. Proof-of-concepts can be useful in this phase.
Quote:
|
I agree Janak, but they aren't attempting to be ready for the threat. They are causing the threat.
|
That's because the solution isn't so obvious. It needs serious thought and design.
I guess my point is I understand your concern, but there are legitimate reasons for creating such proof-of-concepts. I also think, based on MARA's recent response, that they are trying to be responsible about it. There have been a lot of examples where security "researchers" just publish exploit code out on the 'Net, and that is more questionable ethically IMHO.
--janak
|
| |
|
|
|
03-02-2006, 02:50 AM
|
|
Magi
Join Date: Sep 2005
Posts: 2,341
|
|
I think for the most part our differences in opinion are that my view is from more of a consumer standpoint and yours is based on more knowledge of the actual process. I think however that is all overshadowed by the fact that the process you discuss is from a desktop perspective where there are very real threats now, while for Windows Mobile the threats just aren't there, so any attempts to produce proof of concept threats are unnecessary and have a much more negative effect. Since there are no threats, sales of antivirus applications are a hard sell. If you create and publicly announce these proof of concept viruses it produces a fear in the minds of many end users who then feel they must have an antivirus solution. I personally really dislike that course of action. As I said earlier, I find it sleezy, regardless of how they try to disguise it.
Dave
|
| |
|
|
|
03-02-2006, 06:15 AM
|
|
Editor Emeritus
Join Date: Aug 2006
Posts: 15,171
|
|
Quote:
|
Originally Posted by Paragon
I think however that is all overshadowed by the fact that the process you discuss is from a desktop perspective where there are very real threats now, while for Windows Mobile the threats just aren't there, so any attempts to produce proof of concept threats are unnecessary and have a much more negative effect.
|
Well, I can't disagree more. Hackers have targeted desktops because that's the most prevalent. As wireless devices become more popular, they'll be targeted as well. Witness the rash of Symbian worms that were released last year.
Mind you, I'm not defending the antivirus companies; I don't want antivirus software on my Pocket PC either. But that shouldn't mean we sit on our hands waiting for the threat to become real.
--janak
|
| |
|
|
|
03-02-2006, 08:18 AM
|
|
Neophyte
Join Date: Feb 2006
Posts: 8
|
|
Quote:
|
Originally Posted by Janak Parekh
much more negative
Well, I can't disagree more. Hackers have targeted desktops because that's the most prevalent. As wireless devices become more popular, they'll be targeted as well. Witness the rash of Symbian worms that were released last year.
Mind you, I'm not defending the antivirus companies; I don't want antivirus software on my Pocket PC either. But that shouldn't mean we sit on our hands waiting for the threat to become real. |
I agree. Again, its a proof of concept, just a warning, but a urgent warning, nevertheless. I hope MS thinks so too and works to patch holes in ALL WM devices,if there are any. Humans aren't and neither is their software. I see a dark future in which we must run anti-virus on our devices. I just hope AVG Free is available for WM in that time  .
|
| |
|
|
|
|
|
Linear Mode
