InformIT

Details Emerge on the First Windows Mobile Virus (Part 1 of 3)

Date: Sep 3, 2004


This three-part series by Cyrus Peikari, Seth Fogie, and Ratter/29A discusses the development of viruses for the Windows Mobile platform. Part 1 describes the first, WinCE4.Dust.

One of Microsoft's most important initiatives is the Windows Mobile platform. Windows Mobile is powered by Windows CE, which is a stable, efficient, truly multitasking operating system offering nothing less than a full, miniaturized version of Windows 2000. In short, it's a masterpiece. Unfortunately, Windows CE was designed without security. Now virus writers have created the first virus for Windows CE, known as WinCE4.Dust, as a proof of concept.

What Is WinCE4.Dust?

WinCE4.Dust is the first known Windows CE virus to run on ARM-based devices running Windows Mobile Pocket PC. It was released to all major antivirus companies on July 16, 2004 by its author, Ratter, of the virus-writing group known as 29a (the hex equivalent of the number 666). This is a live, working proof-of-concept virus that infects all .exe files in the root directory of the Pocket PC device.

WinCE4.Dust does no serious or permanent damage to the infected device, with the exception of infecting .exe files in the root directory. Infected files will run the viral code on execution and will then continue to operate as normal.

Several safety features are built into the virus to help prevent it from spreading in the wild. First, when executed, the virus asks the user if it's allowed to spread. Only if the user grants permission will it infect other files. Second, the virus infects only .exe files located in the root directory of the Pocket PC device. All other .exe files on the PDA are safe from infection.

When a user executes the file, she will be shown a dialog box (see Figure 1).

Figure 1 Screen shot of WinCE4.Dust.

At this point, the virus will systematically infect all non-infected .exe files located in the root directory of the PDA. It's careful to skip currently executing files and won't re-infect previously infected files.

Details

At approximately 4:45 p.m. EST on July 16, 2004, Airscanner Corporation, along with other antivirus companies, received email from a previously unknown individual named Ratter/29A. Attached to the email, along with a brief explanation, was a file named Dust.zip. When extracted, this file contained three executable files: PocketIRC.exe, TRE.exe, and wince_dust.exe.

PocketIRC.exe and TRE.exe were samples of infected executables; wince_dust.exe was a sample of the virus code only (that is, the parent virus). Apparently, this virus was released to antivirus companies as a proof of concept and was created to demonstrate that a virus could be written for the Pocket PC environment.

WinCE4.Dust is an example of a classic file-infecting virus, but it has overcome technical obstacles to become the first virus to infect Windows CE. It infects only existing .exe files already located in the root directory of the PDA. The virus doesn't spread via networking functions or operate as a memory-resident process. Because of its method of self-replication (appending itself to every .exe file in the directory) and how it spreads (requiring an initial user action), WinCE4.Dust meets all the criteria for a computer virus.

This is a low-risk virus. It was created with the sole intent of serving as a proof-of-concept program to demonstrate the possibility of viral activity on the Windows CE platform. In fact, hidden in the binary, the author gives this humorous message, "This is proof of concept code. Also, [I] wanted to make avers [antivirus researchers] happy. The situation when Pocket PC antiviruses detect only EICAR file [a harmless, standardized test file] had to end..."

The risk is low because the virus requires a user to permit it to spread to other files. In addition, the infection process targets only files located in the root directory of the PDA, which limits the number of potentially infected programs.

When executed, the virus only scans for and infects other non-infected .exe files in the root folder. It skips any file that has already been infected (marked within the file by the tag ATAR). It doesn't damage the PDA or any other file on the device. Therefore, WinCE4.Dust is not a serious threat to infected PDAs. It's remarkable in that it demonstrates the first working method by which a virus can infect files on a Windows Mobile device.

If an infected file is viewed with a hex editor, the following messages appear near the end of the file:

This code arose from the dust of Permutation City
This is proof of concept code. Also, i wanted to make avers happy.
The situation when Pocket PC antiviruses detect only EICAR file had to end ...

When the virus is executed, either via an infected executable or via wince_dust.exe, it creates a list of coredll.dll functions in memory, which are then used for function calls during the rest of the virus' execution. Once this list is placed in memory, the virus displays the message shown in Figure 2.

Figure 2 WinCE4.Dust asking user permission to spread.

If the user selects No, a condition flag is set in the process that forces the virus code to calculate the infected program's real start address, which is then executed.

If the user selects Yes, the virus sets aside some space in memory and then locates the first .exe file in the root directory. If this function returns a filename, it checks whether the file is greater than 4,096 bytes; if so, it starts the infection routine.

First the virus checks to be sure that the file is writeable, which would not be the case if the file is currently in use. Then it passes through several checks to verify that the file is a true .exe and to make sure that it wasn't already infected. An already-infected file is marked with the word ATAR at offset 0x11C. Without this check, the virus would keep re-infecting files over and over until the device ran out of memory. If the target .exe passes the checks, the viral code is appended to the target file, which increases the file size by 1,536 bytes. Finally, the PE header is altered so that execution of the infected file begins at the newly appended virus code, and the ATAR tag is written.

Once the virus code has determined that there are no more uninfected .exe files, it calculates the correct starting address for the executing file and redirects the process to this point. The infected program then operates as normal.
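The indicators described above (the ATAR marker at offset 0x11C, the 1,536-byte growth of a host larger than 4,096 bytes, and the text strings near the end of an infected file) are enough to write a simple detector. The following Python scanner is an added example, not Airscanner's signature file or any code from the virus author. It assumes that 0x11C is an absolute file offset, which the article does not state explicitly, and the "sample" it scans is a constructed stand-in built from an MZ stub, an e_lfanew value and a PE signature rather than a real Pocket PC binary.

```python
import struct

# Indicators taken from the write-up of WinCE4.Dust.
DUST_MARKER = b"ATAR"
DUST_MARKER_OFFSET = 0x11C          # assumed here to be an absolute file offset
DUST_APPENDED_SIZE = 1536           # bytes the virus appends to a host .exe
DUST_MIN_HOST_SIZE = 4096           # hosts not larger than this are skipped
DUST_TAIL_STRINGS = (
    b"This code arose from the dust of Permutation City",
    b"This is proof of concept code.",
    b"Pocket PC antiviruses detect only EICAR file",
)

IMAGE_FILE_MACHINE_ARM = 0x01C0     # standard COFF machine value for ARM


def is_pe(data: bytes) -> bool:
    """Return True if data carries an MZ stub and a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def scan_for_dust(data: bytes) -> dict:
    """Check one file image for the WinCE4.Dust infection indicators.

    A dict of named indicators is returned so a caller can see why a file
    was flagged rather than only getting a boolean verdict.
    """
    result = {
        "is_pe": is_pe(data),
        "marker_at_0x11c": False,
        "tail_strings": [],
        # A host had to exceed 4,096 bytes and then grew by 1,536 bytes.
        "size_plausible": len(data) > DUST_MIN_HOST_SIZE + DUST_APPENDED_SIZE,
    }
    if result["is_pe"] and len(data) >= DUST_MARKER_OFFSET + len(DUST_MARKER):
        window = data[DUST_MARKER_OFFSET:DUST_MARKER_OFFSET + len(DUST_MARKER)]
        result["marker_at_0x11c"] = window == DUST_MARKER
    # The strings sit near the end of an infected file, so only the tail is scanned.
    tail = data[-4096:]
    result["tail_strings"] = [s.decode() for s in DUST_TAIL_STRINGS if s in tail]
    result["infected"] = result["is_pe"] and (
        result["marker_at_0x11c"] or bool(result["tail_strings"])
    )
    return result


def build_sample(infected: bool) -> bytes:
    """Constructed stand-in for a Pocket PC .exe; NOT a real binary.

    Only the fields the scanner reads are filled in: an MZ stub, e_lfanew,
    the PE signature, the machine type and, for the infected case, the
    marker plus a 1,536-byte tail ending in the known text strings.
    """
    e_lfanew = 0x80
    img = bytearray(DUST_MIN_HOST_SIZE + 1)        # just over the 4,096-byte floor
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 4, IMAGE_FILE_MACHINE_ARM)
    if infected:
        img[DUST_MARKER_OFFSET:DUST_MARKER_OFFSET + 4] = DUST_MARKER
        appended = bytearray(DUST_APPENDED_SIZE)
        text = b"\n".join(DUST_TAIL_STRINGS)
        appended[-len(text):] = text
        img += appended
    return bytes(img)


if __name__ == "__main__":
    for label, sample in (("clean", build_sample(False)), ("infected", build_sample(True))):
        print(label, scan_for_dust(sample))
```

The marker check alone would catch Dust, but keeping the tail-string and size indicators separate makes the verdict explainable and lets a sample with a wiped marker still surface on the strings.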

Prometheus Unbound

Immediately after publishing an initial analysis of the virus, as well as the first known antivirus signature data file to detect it, Airscanner Corporation was flooded with requests from large companies that wanted a copy of the virus binary and source code. For example, people from organizations as diverse as the U.S. military, Motorola, and many others wanted full disclosure of the details. However, all Airscanner had was the binary and the results of the blind reverse-engineering described above.

Thus, we decided to write to the proof-of-concept author, whom we had never met or talked with before. After communicating with him, we found that he appeared to be a legitimate security researcher. He stated that he only wrote proof-of-concept code, and that he always put safeguards into his binaries to keep them from spreading in the wild. He also strictly refrained from spreading programs in the wild, rather sending samples only to well-recognized antivirus firms. Thus, we asked him if he would give us a more detailed analysis of this new class of virus. By understanding the unique nature of this malware, security researchers will hopefully be able to develop better protections.

For many years, some in the antivirus industry have attempted to keep proof-of-concept code as well as important methods of defense within a closed priesthood of self-proclaimed "experts." However, we believe in responsible full disclosure. That is, malicious virus writers in the computer underground already know these techniques. The only ones that are hurt by secrecy are legitimate companies and researchers.

For this reason, it's important to get the knowledge to legitimate researchers who need it, since malicious writers already have the information. For example, as far back as 2001, Prentice Hall recognized this need and published annotated source code samples from the Melissa virus in Windows Internet Security. These days, the concept of "security through obscurity" is discredited.

More To Come...

Before moving on to the detailed analysis of the virus in part 2 of this series, there's a moral issue to consider. Some people will insist that proof-of-concept virus authors, as well as full-disclosure security researchers, are immoral. This is a viewpoint that we won't be able to change in one paragraph. However, we prefer to judge people by their actions, rather than by their words. For example, we have heard executives of antivirus companies state that they would never hire a programmer who attended a college (such as the University of Calgary) that taught students virus-writing in order to hone their defensive skills. Yet some antivirus company executives will say this in one breath, while committing securities fraud and lying to stockholders in the next. We hope you will judge people by their actions, rather than by hearsay.
