
First Proof-Of-Concept CE Virus Released


Janak Parekh
07-17-2004, 07:15 PM
http://www.f-secure.com/v-descs/dtus.shtml

It was only a matter of time before this was going to happen -- an EXE on Windows CE that is capable of infecting other EXE files on the same unit. It's called "WinCE4.Dust", and it's clear it's proof-of-concept, as it prompts the user before actually infecting other executables:

http://www.pocketpcthoughts.com/images/web/2003/parekh-20040717-CEDust.jpg

In any case, it's worth pointing out several things: first, it's not at all surprising this is possible -- CE is a general-purpose OS, and as such can run any programs, including those that modify others. Second, it (or even newer viruses) are unlikely to spread very far, because people don't frequently exchange data or executables between Pocket PCs and because Pocket PCs don't have the market penetration that desktops do. Macro viruses are less likely to occur, thanks to the fact that Pocket Word doesn't have any macro support. ;)

That said, you will eventually have to become more careful as to installing programs on your device. I don't plan to install antivirus protection any time in the future, but I do plan to be careful as to my sources of CE programs. :)

SofaTater
07-17-2004, 08:04 PM
Another important step toward handhelds being a complete replacement for desktop machines!

:splat:

EnsignRam
07-17-2004, 08:12 PM
I am unclear as to what exactly this virus does. What does the infection do? What undesired operations does it cause?

Janak Parekh
07-17-2004, 08:22 PM
I am unclear as to what exactly this virus does. What does the infection do? What undesired operations does it cause?
I think its only goal is to prove that it can "infect" other EXE files. Theoretically, a virus writer could use such an infection vector to cause a virus to spread to infect all EXEs on a system. That said, since EXEs are not spread frequently between Pocket PCs, it's unclear what benefit it would have beyond that one machine. For a change, the fact that most Pocket PC apps are not beamable is a big plus.

--janak

surur
07-17-2004, 08:27 PM
Someone else has commented on the incestuous relationship between virus writers and the anti-virus people. Here we are on a new platform, and the first place a new virus shows up is with an anti-virus company.

If these people really had our interest at heart they would develop a security layer for win CE that prevents the modification of executables and allows one to give permissions to programs. Instead they go down the whole signatures and eternal annual subscriptions route.

They don't want to help us, only to make money. They are now publicising this proof of concept virus to teach others how to make better ones and spread fear.

Shame on them.

Surur

David Johnston
07-17-2004, 09:20 PM
If only all virii popped up a pleasant message asking for permission to multiply...

acollet
07-17-2004, 11:59 PM
"That said, you will eventually have to become more careful as to installing programs on your device. I don't plan to install antivirus protection any time in the future, but I do plan to be careful as to my sources of CE programs"

I totally disagree with this mentality. We should not be forced to limit our sources because of this threat. Just like on the PC, we install virus protection and so we should on our PPC as well if installing via other methods than ActiveSync.

Chris Spera
07-18-2004, 12:17 AM
Well, THIS really blows...

I won't be installing AV software any time soon either... it's too easy to hard reset and rebuild my device... I've got things synchronized and backed up my whaaa-zoo, too...

Jonathon Watkins
07-18-2004, 12:47 AM
we should not be forced to limit our sources because of this threat. Just like on the PC, we install virus protection and so we should on our PPC as well if installing via other methods than activesync.

Well, surely it pays to be safe? I won't be installing any AV software on my PPC either - I have more useful things to do with the clock cycles.

Janak Parekh
07-18-2004, 12:57 AM
I totally disagree with this mentality. We should not be forced to limit our sources because of this threat. Just like on the PC, we install virus protection and so we should on our PPC as well if installing via other methods than ActiveSync.
Well, you're free to pick a strategy you prefer. :) Given the relative rarity of viruses on Pocket PCs, and the lack of their utility, I don't think they're a sufficient problem to merit installing an AV tool which will almost certainly slow down the Pocket PC. Compare that to PCs, where things like macro viruses force my hand even if I'm picky about the EXEs I run.

I generally am picky about my software sources, anyway. I've installed buggy software that's made my Pocket PC unstable... so I'm basically following the same strategy I've always done, just a bit more carefully.

--janak

Gerard
07-18-2004, 01:11 AM
I'm a bit puzzled too. When Chris De Herrera posted this news release on CEWindows last night I commented there that it seemed rather irrelevant, as this thing not only affects only EXE files, but apparently (according to the AirScanner quote) only affects EXE files in the PPC root directory. How many applications install an EXE to the root? Old versions of PocketDivX, if I recall... an ancient version of SpreadCE maybe... One or two older versions of Cambridge Tools' internet resource applications... just not very many. I think maybe an early beta of Pocket Quake too, but none of the later versions.

So forgetting about the stupid limitations, probably related to the OS limitations on line breaks in the paths to places like \Program Files (which can make replacing the native Inbox system-wide with something like nPOP a bloody nightmare of registry hacking!), let's allow that this is indeed a proof of concept 'virus'... or should we? As has been mentioned, where's the spreadability? I have, rarely, beamed a standalone EXE to another PPC user. I have slightly more often beamed or emailed a CAB file, strictly freeware or trial versions mind you. When I have, these have always, 100% of the time, been things which I have tried and which have worked just fine. Why the hell would I beam someone a program which would disable EXE files? Come to think of it, how could I?? I mean, the beaming application itself is based on an EXE. Won't launch without it. Same goes for any third-party infrared beaming such as TotalCommander's great (and much faster than IrDA) OBEX beaming or Resco's version, or Larry's IrDAsh. They all need a working EXE in order to transport to another device, whether it's by infrared or by email or by FTP or WLAN or whatever. An infected device is a crippled device, if I'm understanding this correctly. No danger there, as it couldn't 'talk' to anyone else!

So where might greater dangers lie? In download links, that's where. I don't know when AirScanner's book is coming out, as they've not advised me of that yet, but I wrote them a chapter this spring on a little bag of tricks I cooked up involving something at least as scary as this EXE scare. I wonder when they'll announce it, if they plan to. It's easy enough to make a CAB file which will make all data in RAM - not just executable programs, but all files and databases - utterly inaccessible once executed. Since the PPC platform has been mandated by Microsoft as standardised (more or less) under the ARM processor, one-CAB-fits-all. Upload a malware CAB and anyone who downloads it in PIE and activates it, either manually or by letting the default 'launch on download' box stay checked, is doomed.

The key to data intactity (I hope that's a word, and if it's not it should be dammit) is in regular and thorough backups. No amount of trusting in a particular download source is sufficient, as kiddies are everywhere and hacking into everything. If they get a taste for PPC user blood, there will be no safe havens. Get Sprite Backup or Sunnysoft Backup (haven't used the latter, so I can't speak for its quality) and perform daily full backups to known-stable media. If you're going to download something and install it, make damned sure you make another fresh backup before you do. If your machine is primarily an amusement for you, not containing any thing irreplaceable, then worry not and just install whatever you like. But if you depend on it every day for data access you might not be able to replicate from other sources, backups are the only security these days.

As for this EXE thing or my little custom CAB files being 'viruses', doesn't the definition kind of hinge on self-spreading capability? Sorry to harp on this, but it would seem that the potential for spreading in either case is rather low. Significant to the affected users no doubt, but just not a global threat. Once a PPC virus can tap into Pocket Outlook, then we're talkin' virus.

Janak Parekh
07-18-2004, 01:19 AM
let's allow that this is indeed a proof of concept 'virus'... or should we?
Unfortunately, the term "virus" has become overused. This link (http://www.google.com/search?sourceid=mozclient&ie=utf-8&oe=utf-8&q=define%3Avirus) gives you an idea of the amazing number of definitions of the word "virus" there are. In any case, the reason this is classified as a virus, instead of a worm, trojan, or other malware, is because it's capable of actually modifying/infecting other EXEs on the device. Now, this proof-of-concept may not do it well, but if others do it well, they'd modify it in such a way the EXE still runs but also makes sure to load the malicious code in memory at the same time. Your CAB concept would be a trojan horse -- it doesn't infect other programs per se, it just trashes them.

As for the implications, though, I agree largely with you.

--janak
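
The distinction drawn in the post above (a virus modifies other executables on the device) suggests one simple detection approach that needs no signatures: keep a baseline of hashes for the executables on a device and look for ones that have changed, appeared or vanished. The script below is an added example, not code from the thread or from any vendor mentioned in it; it assumes a plain directory tree as the "device" and constructs its own sample files, so it runs offline. The demo scenario (one EXE altered, one dropped in, one removed) is constructed, not taken from any real sample.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes treated as executables for baselining (assumption for this example).
EXECUTABLE_SUFFIXES = {".exe", ".dll"}


def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each executable under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXECUTABLE_SUFFIXES:
            baseline[p.relative_to(root).as_posix()] = sha256_of(p)
    return baseline


def compare_to_baseline(root, baseline):
    """Re-hash the tree and report what differs from the stored baseline.

    Returns {'modified': [...], 'added': [...], 'missing': [...]} with sorted paths.
    A file infector shows up under 'modified'; a dropped trojan under 'added'.
    """
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    missing = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "missing": missing}


def demo():
    """Constructed scenario: baseline a clean tree, then change it three ways."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Program Files").mkdir()
        # Constructed stand-ins for executables: a 'MZ' header plus filler bytes.
        (root / "app.exe").write_bytes(b"MZ" + b"\x00" * 64)
        (root / "Program Files" / "tool.exe").write_bytes(b"MZ" + b"\x01" * 64)
        (root / "notes.txt").write_bytes(b"not an executable, ignored by the baseline")

        base = build_baseline(root)

        # Simulated changes: app.exe grows (its hash changes), a new EXE appears,
        # and tool.exe is deleted.
        with open(root / "app.exe", "ab") as f:
            f.write(b"extra bytes")
        (root / "dropped.exe").write_bytes(b"MZ" + b"\x02" * 64)
        (root / "Program Files" / "tool.exe").unlink()

        return compare_to_baseline(root, base)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline would be written to removable media or the desktop at sync time, and the comparison run after each install; the check only tells you that a binary changed, not why, so a legitimate update will also show up under "modified".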

corphack
07-18-2004, 02:41 AM
I guess it must be comforting to see that even the aberrant members of the global society have not been left behind by the rapid advancement of the handheld computing platforms. :wink:

Although I am a little curious that this is not an instance of a vendor creating his own market....

dlangton
07-18-2004, 03:45 AM
All that's really needed is one virus on a Warez site that puts the virus into ROM. Then you'd be talking serious damage.

Rob Alexander
07-18-2004, 04:17 AM
Certainly this isn't surprising! What proof-of-concept? That you can write an .exe on WinCE that can alter other .exe's? Big deal. Any programmer could tell you off the top of their head that that's possible. The only thing that has ever kept PPCs from having viruses is that it wouldn't be entertaining enough. There aren't enough users out there to get big press coverage and the way we use PPCs makes them a poor platform for propagation of the virus. Where's the fun in that? By comparison, any bozo can download a virus-making kit from the Net and, with a little imagination, come up with a ruse that will get people to execute the code. (Sex and greed are surefire winners for that.) This sounds all sensational and everything, but I really don't think it changes anything. Of course, you should be careful what you install on your PPC, but you're more likely to have your PPC screwed up by a poorly written application than by a virus.

Janak Parekh
07-18-2004, 04:30 AM
Certainly this isn't surprising! What proof-of-concept? That you can write an .exe on WinCE that can alter other .exe's? Big deal.
I agree personally, but we received a ton of submissions, and it is, if nothing else, a way of pointing out Pocket PCs' increasing popularity. ;)

All that's really needed is one virus on a Warez site that puts the virus into ROM. Then you'd be talking serious damage.
Sure, but again, spreadability is in question. There have been viruses on the PC that have ruined the machine by flashing garbage into the ROM; I've replaced several clients' mainboards in the past.

--janak

Darius Wey
07-18-2004, 08:47 AM
I heard that this virus was made to prove to the PPC world that viruses can exist if people out there really wanted to make it. Apparently, the virus maker (known with the pseudonym Ratter) released the code to the antivirus experts first before releasing it out to the wild.

My source of information comes from here: http://news.com.com/2100-7349_3-5273168.html

surur
07-18-2004, 10:52 AM
Actually for those with connected devices (pocketpc phones specifically) these viruses are quite scary.

Everything that can be done traditionally to an internet connected PC can be done to a Pocket PC. The virus could spread by e-mailing itself to all the contacts on your Pocket PC as an attachment. It could cause you real financial damage by dialling premium rate numbers or connecting to GPRS and acting as a spam proxy. It could upload your FlexWallet file, so someone could hack the 10000 key combination at their leisure.

Actually thrashing your device is the least of the problems. You could always hard reset and start over. The above scenarios are much more scary.

Surur

corphack
07-18-2004, 02:52 PM
I heard that this virus was made to prove to the PPC world that viruses can exist if people out there really wanted to make it.

and this is probably the lamest excuse possible for distributing a potentially damaging creation. Some things do not require demonstration - for example: we do not sanction the development of new forms of smallpox just to prove it's possible to create new deadly lifeforms. This virus was obviously created and disseminated as a threat, possibly as a form of extortion, and the international community should react to it and to its criminal creators and criminal distribution as we would to the creation and release of a virulent, deadly airborne human disease.

Janak Parekh
07-18-2004, 07:25 PM
Actually for those with connected devices (pocketpc phones specifically) these viruses are quite scary.

Everything that can be done traditionally to an internet connected pc can be done to a pocketpc. The virus could spread by e-mailing itself to all the contacts on your pocketpc as an attachment.
And that wouldn't be remotely useful as a way to spread the virus. I'd estimate 99% of the people in my contacts don't use Pocket PCs. The one way is if it carried a Win32 binary as well. Still, the low bandwidth of Pocket PCs makes this insanely inefficient.

It could cause you real financial damage by dialling premium rate numbers or connecting to GPRS and acting as a spam proxy. It could upload your flexwallet file, so some-one could hack the 10000 key combination at their leisure.
But neither of these are unique to a virus. Any piece of malware could do this.

The above scenarios are much more scary.
I think the one scenario that would possibly scare me is if someone pioneers a way to get the infection to go back via an ActiveSync conduit. 8O

--janak

Blue Zero
07-18-2004, 07:37 PM
... but you're more likely to have your PPC screwed up by a poorly written application than by a virus.

Surprisingly, this one sentence makes more sense than the rest of the page... sad, cuz this is exactly what happened to me a couple of days ago. A crash between 2 or more poorly written programs hard reset my PPC... damn :?

Gerard
07-18-2004, 08:36 PM
Yeah, last week I had to do the first hard reset ever on my Dell X5 thanks to a freeware install. Of course, as usual I had a fresh backup to install, and was up and running in less than 5 minutes from the time of the problem. The program was called FSWatcher, a little Today plugin (supposedly, though I didn't get to see it work) which was supposed to log recent actions globally for reviewing later. Thought it might be interesting... and it was small...

I installed the thing, looked in Settings and elsewhere and could find nothing new, so I soft reset based on experience with a couple of other system plugins which don't reveal themselves until after a reset. Reset couldn't complete. I tried a bunch of times, but all it would load was a white screen with a 26-pixel black band across the top. Useless. So I hard reset and sent off a letter to the developer asking him to look into this. Got back an autoresponder message apologising for his absence, saying he'd be back from vacation by the 21st of July. I can't wait to hear his excuses. Actually I have no reason to expect less than an eagerly re-written version for me to test.

That comment about the PPC having limited bandwidth... that's odd. With my SparkLAN card there's no more a limitation on file sharing or whatever over a network than a PC might have. Tons of PPCs have built-in wireless cards or add-on cards, so this is a bit of a bogus argument.

Janak Parekh
07-19-2004, 12:07 AM
That comment about the PPC having limited bandwidth... that's odd. With my SparkLAN card there's no more a limitation on file sharing or whatever over a network than a PC might have. Tons of PPCs have built-in wireless cards or add-on cards, so this is a bit of a bogus argument.
Actually, no, it isn't the same. As this article (http://www.pocketpcthoughts.com/forums/viewtopic.php?t=28202) showed, Pocket PCs don't have the same bandwidth as desktops do. That said, it's entirely possible that a WiFi-enabled Pocket PC can saturate a DSL connection... but unlike desktops, they're much more rarely left on and running, where worms/viruses can take their time. Compound the fact that they're running slower CPUs and, from a bottom-line perspective, worms/viruses simply have less aggregate bandwidth, and time, to spread.

--janak

x999x
07-19-2004, 03:39 AM
What was the host application for this virii? Let me guess, Warez?

You honestly get what you pay for, and if I were the author of a coveted piece of software that might drive someone to crack it, I'd rather crack it myself and include a nice way to wipe out your system in the process... but that's just me.

I heard the author of Liberty for Palm did something similar, and created the first Palm OS virus in the process, of which was Norton Antivirus' only Palm entry.

Kudos to him.
:devilboy:

Janak Parekh
07-19-2004, 03:56 AM
What was the host application for this virii? Let me guess, Warez?
I think this was just a handcrafted proof-of-concept.

I heard the author of Liberty for Palm did something similar, and created the first Palm OS virus in the process, of which was Norton Antivirus' only Palm entry.
Yep - that made headlines back in the day -- I believe it was a Trojan Horse. It's notable that few, if any, additional viruses/worms/trojans have been created for Palms to this day.

--janak

Gerard
07-19-2004, 04:45 AM
Well, I read that thread beginning to end... again. It refers to SD slot throughput rates, as relevant for users of SD-type wi-fi cards. A bit here and there touches on built-in wi-fi, and there is the odd person asking about CF wi-fi cards, but no one seems able to answer.

So I went to bandwidthplace.com and ran a test. I'm using a neighbour's wi-fi, just out at the limits of the range. Barely keeping a signal. It cuts out more than half the time. I usually just use my Socket dialup modem, until that lucky day when we get wi-fi at home.

Here's screenshots of my signal indicator, reading very weak around the time of the test, and a shot of the bandwidthplace results page in NetFront:

http://www.luthier.ca/other/forum/neighbours_wi-fi_connection.gif

http://www.luthier.ca/other/forum/bandwidthplace_wi-fi_speed.gif

Plainly slightly over 350, but considering my remoteness from the AP not too shabby.

Janak Parekh
07-19-2004, 04:51 AM
Well, I read that thread beginning to end... again. It refers to SD slot throughput rates, as relevant for users of SD-type wi-fi cards. A bit here and there touches on built-in wi-fi, and there is the odd person asking about CF wi-fi cards, but no one seems able to answer.
I agree it was far from complete. However, reread my post. If you do a LAN test, it's highly unlikely that you're going to get ~ 5-6mbps, which is the maximum desktop performance for 802.11b. You will get circa 1-2mbps, which is enough to saturate most WAN connections. And I did mention other reasons why spread wouldn't occur, anyway. ;)

--janak

Gerard
07-19-2004, 05:04 AM
Yeah yeah, okay, I'll let it drop. Guess I just reacted a bit to what seemed, a little, to be trashing PPC utility on the basis of limited bandwidth. A trojan or whatever can weigh in at less than 30KB, making the potential for spreading an infection in cases of a true virus rather significant given a wirelessly connected device. Perhaps a factor of ten less so than a connected PC, but that could still mean thousands per hour transferred to a large contacts list.

Janak Parekh
07-19-2004, 05:11 AM
Yeah yeah, okay, I'll let it drop. Guess I just reacted a bit to what seemed, a little, to be trashing PPC utility on the basis of limited bandwidth. A trojan or whatever can weigh in at less than 30KB, making the potential for spreading an infection in cases of a true virus rather significant given a wirelessly connected device. Perhaps a factor of ten less so than a connected PC, but that could still mean thousands per hour transferred to a large contacts list.
True - and I don't mean to trash the PPC's power... but rather the utility of targeting the Pocket PC, when desktop OSes have new vulnerabilities every day and are generally connected for longer periods of time.

--janak

Lorenzo
07-19-2004, 09:17 AM
I've got a copy of the new WinCE Dust virus and it works pretty good. It's not a directory jumper or memory resident, no payload. But, it seems to infect host files correctly and does work on the ARM devices and even the 555x iPAQ, which was the test device.

I don't know how many of you are into this sort of thing, but if you would like a copy.. drop me a line. Don't ask where I got this from because I cannot tell you. Just have friends..

Lorenzo
[email protected]

ctitanic
07-19-2004, 01:24 PM
This is not the first time that I hear about this "proof-of-concept"; around a month ago somebody found another virus too, at that time for phones.

I have a question.... if I created an EXE just with the Hard Reset code... could that be considered a "proof-of-concept"? (God, I like this phrase - "proof-of-concept" :D) I myself believe that it should be considered a virus, because so far these other "proof-of-concept" viruses work in the same way... you have to copy the file, you have to execute the file to get infected. So... if I go with my EXE to Kazaa or eMule and place it there, basically I'm creating the first PPC virus. ;)

These AV companies are trying to get sales just by scaring PPC users. Why don't they tell the truth, which is that so far the PPC platform is a very unlikely field for viruses because of the difficulties, from the point of view of transmission, that any virus will find on this platform.

So far, where I'm from, these viruses are called "trampas caza bobos", which translates as "Honey pots" :D

Darius Wey
07-19-2004, 01:50 PM
I have a question.... if I created an EXE just with the Hard Reset code... could that be considered a "proof-of-concept"? (God, I like this phrase - "proof-of-concept" :D) I myself believe that it should be considered a virus, because so far these other "proof-of-concept" viruses work in the same way..

We all remember what the latest generation of viruses to sweep the Windows XP world have done. So yes, I think what you're saying could be "proof of concept"! :wink:

ctitanic
07-19-2004, 01:57 PM
I have a question.... if I created an EXE just with the Hard Reset code... could that be considered a "proof-of-concept"? (God, I like this phrase - "proof-of-concept" :D) I myself believe that it should be considered a virus, because so far these other "proof-of-concept" viruses work in the same way..

We all remember what the latest generation of viruses to sweep the Windows XP world have done. So yes, I think what you're saying could be "proof of concept"! :wink:

jajaja I got your point - "proof-of-concept"="stupidity" :D

Janak Parekh
07-19-2004, 04:24 PM
I have a question.... if I created an EXE just with the Hard Reset code... could that be considered a "proof-of-concept"? (God, I like this phrase - "proof-of-concept" :D) I myself believe that it should be considered a virus, because so far these other "proof-of-concept" viruses work in the same way...
No. That would be a "proof-of-concept trojan", not a virus. A virus infects other files, while a Trojan Horse, when "introduced" into your "city", wreaks immediate havoc without bothering to infect. Infecting without corrupting the other EXEs beyond recognition is a bit more work.

These AV companies are trying to get sales just by scaring PPC users.
Certainly possible, and I alluded to that in my posts.

So far, where I'm from, these viruses are called "trampas caza bobos", which translates as "Honey pots" :D
In the context of the security community (in which I do research), honeypots are a completely different concept. They're machines placed on the 'net that listen to (potentially dark) IP space to collect information about potential attackers.

(This is what one turns into after taking Advanced Network Security at a graduate level. ;))

--janak

ctitanic
07-19-2004, 04:28 PM
So janak, how do you translate my Spanish sentence? ;) Let me give you an example: it's used to name those mines left in the war, set under a nice clock or any other object that could attract soldiers ;)

ctitanic
07-19-2004, 04:29 PM
The literal translation of Trampa Caza Bobos is Traps to hunt fools.

markan
07-19-2004, 04:50 PM
used to name those mines left in the war set under a nice clock or any other object that could attract soldiers

Boobytrap :twisted:

ctitanic
07-19-2004, 06:03 PM
used to name those mines left in the war set under a nice clock or any other object that could attract soldiers

Boobytrap :twisted:

that's the word I was looking for! :devilboy: