Is Your PDA A Target For A Virus?


Ed Hansberry
08-25-2003, 04:00 PM
http://pcworld.idg.com.au/index.php?id=18682489&fp=2&fpid=1

Symantec and other antivirus companies are betting it is. "Symantec will introduce this week Symantec AntiVirus for Handhelds, mobile device-residing software designed to detect malicious code for the Palm and Pocket PC platforms. Despite little evidence that viruses severely affect handheld devices, security vendors want to ensure on-demand AV (anti-virus) infrastructure protection if an outbreak occurs."

For now, I think PDAs have a bit of security by obscurity. Also, because the applications on the Pocket PC don't offer scripting capabilities, someone is going to actually have to sit down and write a full-blown application to pull email addresses from your contact database, and whatever they do on that front won't work on PalmOS.

One area of concern I do have is an MSBlaster type attack. We've learned that to be a target for that type of attack, you need to do two things. 1) Turn your PC on. 2) Go online. Nothing else. You can be infected by that worm on a broadband/LAN connection before you even log in. I have no clue what ports on my Pocket PC are open. :? I don't know how widespread an attack could get with online Pocket PCs, especially those on a high speed WiFi connection. I do know that since the MSBlaster attack a few weeks ago, when I am online with my iPAQ over a GPRS connection and it slows down to a crawl, I wonder, is my bandwidth being taken up with a worm slithering its way into my Pocket PC, or is it just another GPRS slowdown? 8O

backpackerx
08-25-2003, 05:50 PM
I've never had a problem with a PPC virus per se, but a month ago I had a PC virus that I couldn't seem to get rid of because I think the PPC was harboring it. I would get it off my PC, but when I synced, the virus would show up again, and the virus scanner always detected corrupted files in my PPC software and E740's documents folder on my desktop.

Sorry, can't remember the name of the virus now, but it created a copy of every .exe file on my computer---really annoying, and it took up an extra 4 gigs until I manually deleted them.

brianchris
08-25-2003, 05:53 PM
Hear, hear... I second Ed's thoughts. Since last week, I've been wondering what ports the Pocket PC has open, or if the Pocket PC even uses traditional ports? Would anyone who knows be willing to reply?

-Brian

Oliver T
08-25-2003, 05:57 PM
To answer your question: port 139 (NETBIOS) is wide open on any WINCE device. Fortunately it looks like the mobile phone providers have some kind of NAT/firewall to protect mobile devices. At least that is the case with my provider. When I log in via GPRS all my ports are closed; if I log in via modem and landline, I get the message that my port 135 is wide open. Anybody can easily check for themselves: https://www.grc.com/x/ne.dll?bh0bkyd2 is the fantastic Shields up! website, which can probe your ports and a few things more.

Oliver

peterawest
08-25-2003, 06:36 PM
Phoenix Technologies Ltd, which says it provides BIOS software for 70% to 80% of the world's PCs, is to offer PC makers the ability to put Network Associates Inc's McAfee VirusScan Online software in their PCs below the operating system level.
Maybe PPC manufacturers will follow the lead of Phoenix and build something into the hardware to combat the future problems.

http://investor.phoenix.com/en/about+phoenix/investors/news+releases/ReleaseDetail.cfm?ReleaseID=116659&Year=2003

brianworkman
08-25-2003, 07:11 PM
Does anybody know if they will release this product for "home" users as well? In looking at their web page, they are only releasing a corporate edition.

sponge
08-25-2003, 07:36 PM
I can count the number of PPC viruses that actually pose a threat on less than one hand. This is just feeding off of people's fears. Funny what using Windows all these years will do to people: make them really paranoid about viruses. Symantec constantly makes some announcement about protection of mobile devices, just to raise fears again.

By the way, don't put ALL your faith in Steve Gibson/ShieldsUp! He has a tendency to overblow EVERYTHING he runs into, and is quite full of himself to boot.

ctmagnus
08-25-2003, 09:40 PM
fwiw, there's also at least a firewall or two available for Pocket PCs (one here (http://www.bluefiresecurity.com/mobile_firewall.htm)).

ctmagnus
08-25-2003, 09:42 PM
By the way, don't put ALL your faith in Steve Gibson/ShieldsUp! He has a tendency to overblow EVERYTHING he runs into, and is quite full of himself to boot.

Hee hee... Too true!

Elad Yakobowicz
08-25-2003, 11:15 PM
I thought MSblast only infected Windows XPs and Windows 2003.

Ed Hansberry
08-25-2003, 11:21 PM
I thought MSblast only infected Windows XPs and Windows 2003.
Correct.

Read what I said though. One area of concern I do have is an MSBlaster type attack. :D

Janak Parekh
08-26-2003, 01:20 AM
I thought MSblast only infected Windows XPs and Windows 2003.
Correct.
Not correct. Don't forget about Windows NT or 2k.

Basically, the question is if there are services on a Pocket PC that are exploitable remotely without any user interaction. I seriously doubt it, as said services would require memory, and the operating system is geared to keep that to a minimum (for example, I'd be shocked if there was an RPC portmapper on the Pocket PC). However, there's a possibility that the kernel or critical services themselves export some minimal functionality over the IP stack...

Has anyone done a complete portscan of a Pocket PC (not just Gibson's mini-scans)? It's an interesting idea, and I'll have to give it a shot.

--janak

maximus
08-26-2003, 01:33 AM
Oh great. Need to allocate memory and processing power for those antivirus on PPCs as well. :evil:

I was talking about this same topic with a friend of mine (a hardcore programmer and a data center manager), and let me quote his words: Virus programmers are uber geeks, surely they know that PPC owners are their fellow geeks. If they want to make a virus, it will be for Palm OS.

:rotfl:

sponge
08-26-2003, 02:21 AM
Has anyone done a complete portscan of a Pocket PC (not just Gibson's mini-scans)? It's an interesting idea, and I'll have to give it a shot.


I'm actually planning on that tonight. I'll do it right now.

Ed Hansberry
08-26-2003, 03:12 AM
I thought MSblast only infected Windows XPs and Windows 2003.
Correct.
Not correct. Don't forget about Windows NT or 2k.
Oops. I see XP, 2K, NT4 and I just think NT. NT 3.5x and 3.1 likely have this bug too but there is no patch. I doubt the worm targets them so when infected, it fails. I wonder if anyone is still running NT 3.X on the internet?

Janak Parekh
08-26-2003, 03:24 AM
I wonder if anyone is still running NT 3.X on the internet?
I bet there is, but probably in the hundreds or so, and probably firewalled -- "legacy" Windows NT systems.

--janak

sponge
08-26-2003, 03:57 AM
Nmap didn't seem to be working for me when I put my iPaq on the DMZ, and it also turned off for 20 seconds, but it seemed to report all ports as closed (NOT stealth) on a freshly booted system with a WiFi CF card in it.

Janak Parekh
08-26-2003, 04:08 AM
Nmap didn't seem to be working for me when I put my iPaq on the DMZ, and it also turned off for 20 seconds, but it seemed to report all ports as closed (NOT stealth) on a freshly booted system with a WiFi CF card in it.
Interesting. Oliver did report that port 139 is open on Pocket PCs, though, so I'm confused. I'd do an nmap on a completely public IP space right now, but I don't have a WiFi-capable Pocket PC handy at this very second. One of my coworkers does, though, and I'll run it on his 3970 if I can.

--janak

sponge
08-26-2003, 05:36 AM
I don't see why it'd be open. NetBIOS handles mostly file serving IIRC. It may have a part in accessing shared resources though, I can't be too sure. I'll have to play with nmap more tomorrow.

Pony99CA
08-26-2003, 08:50 PM
Not correct. Don't forget about Windows NT or 2k.
[uber-pedantic]The correct word is "pedant (http://m-w.com/cgi-bin/dictionary?pedant)" (noun) or "pedantic (http://m-w.com/cgi-bin/dictionary?pedantic)" (adjective). A pendant is something you wear around your neck.[/uber-pendantic] :lol:

Steve (a pedant if ever there was one, apparently)

Janak Parekh
08-26-2003, 08:52 PM
"pedant (http://m-w.com/cgi-bin/dictionary?pedant)" (noun)
Aieee! I've totally lost my control over English. Sigh. :? (And, yes, I bow down to your pedantry.)

--janak

ctmagnus
08-26-2003, 09:39 PM
Aieee! I've totally lost my control over English. Sigh. :?

--janak

y0u t|-|||\||< y0u'\/e 705+ c0|\|-R07 0\/eR e|\|g7154?


:mrgreen:

(And yes, that took me an extremely long time to write out. ;))

Steven Cedrone
08-26-2003, 09:54 PM
y0u t|-|||\||< y0u'\/e 705+ c0|\|-R07 0\/eR e|\|g7154?

(And yes, that took me an extremely long time to write out. ;))

Gee, and it will only take me about 1 second to delete it... :wink:

Steve

YoMismo
08-26-2003, 11:05 PM
Nmap didn't seem to be working for me when I put my iPaq on the DMZ, and it also turned off for 20 seconds, but it seemed to report all ports as closed (NOT stealth) on a freshly booted system with a WiFi CF card in it.

Well, I just read this news today (Tuesday), and it became of interest to me.
I have my iPAQ 3970 connected by BT to my PC.

NET ID: 192.168.0.0/24
PC ID: 192.168.0.1

I connect my iPAQ to my LAN by BT with Network Access. Then I browse files of my PC with the iPAQ, and then run netstat to see what IPs/ports are in use, and get this:

TCP "myPC":netbios-ssn 192.168.0.91:1122 ESTABLISHED

Then I tried to scan my iPAQ @ 192.168.0.91 with nmap... but same as you, I can't... I hope tomorrow I can get some idea of the ports open on my iPAQ :P

Janak Parekh
08-27-2003, 04:34 PM
I connect my iPAQ to my LAN by BT with Network Access. Then I browse files of my PC with the iPAQ, and then run netstat to see what IPs/ports are in use, and get this:
Well, of course -- the iPAQ has established an outgoing connection on port 139 to the PC. However, this doesn't mean the iPAQ is listening on that port -- it doesn't need to for outgoing connections -- and I don't believe NetBIOS uses ephemeral ports.

--janak
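
The distinction drawn in the reply above, between a port a host listens on and a port that merely shows up in an established connection, as an added example that is not part of the original thread. It assumes numeric Windows `netstat -an` output taken on the PC; the sample rows are constructed (only 192.168.0.1 and 192.168.0.91 come from the thread), and `classify` and `peer_service_exposed` are hypothetical names.

```python
import re

# Constructed sample in Windows `netstat -an` layout, as seen on the PC.
# 192.168.0.1 (PC) and 192.168.0.91 (iPAQ) come from the thread; the rest is made up.
SAMPLE = """\
  TCP    192.168.0.1:135        0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING
  TCP    192.168.0.1:139        192.168.0.91:1122      ESTABLISHED
  TCP    192.168.0.1:1045       192.168.0.50:80        ESTABLISHED
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s*$")

def classify(netstat_text):
    """Split TCP rows into listening ports, inbound and outbound connections."""
    rows = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if m:
            _, lport, raddr, rport, state = m.groups()
            rows.append((int(lport), raddr, int(rport), state))

    # Only a LISTENING row proves that this host accepts connections on a port.
    listening = sorted({lport for lport, _, _, state in rows if state == "LISTENING"})
    report = {"listening": listening, "inbound": [], "outbound": []}
    for lport, raddr, rport, state in rows:
        if state != "ESTABLISHED":
            continue
        # Local port is a listener: the peer connected to us (peer is the client).
        # Otherwise we dialled out and the service port is on the peer's side.
        side = "inbound" if lport in listening else "outbound"
        report[side].append({"peer": raddr, "peer_port": rport, "local_port": lport})
    return report

def peer_service_exposed(report, peer):
    """True only if this table shows us connecting *to* a port on `peer`."""
    return any(c["peer"] == peer for c in report["outbound"])

if __name__ == "__main__":
    r = classify(SAMPLE)
    print("listening here:", r["listening"])
    print("iPAQ seen accepting a connection:", peer_service_exposed(r, "192.168.0.91"))
```

A `False` result only means this table holds no evidence of a listener on the peer; confirming what the device itself accepts still takes a scan of the device or a socket listing taken on it.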

aroma
08-27-2003, 06:46 PM
Forgive my ignorance, but what causes ActiveSync to fire up (on the PPC side) when you plug your PPC into its cradle? Is ActiveSync always running on your PPC device, listening for some event? I wonder if something like this could be exploitable?

- Aaron

pewter_tankard
08-27-2003, 08:46 PM
Forgive my ignorance, but what causes ActiveSync to fire up (on the PPC side) when you plug your PPC into its cradle? Is ActiveSync always running on your PPC device, listening for some event? I wonder if something like this could be exploitable?

- Aaron

I'd always assumed that it was a hardware interrupt generated by ActiveSync on the PC (which is always running) sending a signal to the PPC which loads the PPC's ActiveSync app if it's not already running. All the wireless (WiFi or Bluetooth) ActiveSync connections I've seen are initiated from the PPC. If not, the PPC would be wide-open to all sorts of potential attacks plus the battery would run down even faster than it does already!!!

Phil

Ed Hansberry
08-27-2003, 08:50 PM
I'm pretty sure AS is always running as a service in the Pocket PC. The ActiveSync shortcut is just launching the UI.