InformIT

Details Emerge on the First Windows Mobile Virus (Part 2 of 3)

Date: Sep 10, 2004


In part II we hear from Ratter, the author of the first proof-of-concept virus for Windows Mobile. He begins by tracing the history of how he came into virus research.

Introduction

On July 16, 2004, after a day spent finishing writing my new virus, I (Ratter) sent a copy of the bug to the leading antivirus (AV) firms for analysis. Within a few hours I began to receive their first emails and finished analyses. The next day, the AV firms launched their PR machine; that was the start of the media hype that in essence is still ongoing. Sometimes the AV firms' information is fairly accurate, but sometimes it's incorrect. It could be said that the more we virus code researchers are distanced from the source (in this case, the AV firms), the more the information is misinterpreted and confused. That was one of the main reasons why I decided to accept the offer from security writers Cyrus Peikari and Seth Fogie to write a little story about why and how I created this proof-of-concept virus.

What led me to the idea of writing a Pocket PC virus? What is 29A? Is virus writing legal or at least justifiable? I'll try to answer these questions, even though it will reflect my own opinion, with which some individuals might disagree.

Me and Viruses

Since the MS-DOS days, I've always wanted to know how things work inside—mainly how the operating system works. Therefore, when I received a copy of my first computer virus book (the starting point for all three members of 29A), it was like a miracle to me. The book explained procedures of advanced DOS viruses that dug around the entire operating system. Thanks to viruses, I've learned everything I know about the MS-DOS operating system. Later, when I started to examine the Win32 platform, it seemed a logical result to write a virus in order to hone my knowledge. In my opinion, there's nothing like studying viruses to learn the target system. For similar reasons, I enjoyed writing the NT rootkit and exploring the art of reverse engineering.

Me and 29A

29A is an international group connected by a common interest in computer security, especially in self-replicating code. To many who don't know us, we represent criminals who only want to destroy. Under the 29A name, several technically capable people have released programs that, if not interesting, are at least different from "mainstream production" viruses. You won't meet most of our code in the wild—not because we wouldn't be able to write a virus that would propagate; in fact, almost any programmer can do it these days—but because our purpose is to release proof-of-concept code in order to point out security vulnerabilities that can be fixed.

Unlike many of the stereotypes about us, we don't want to destroy data, waste institutions' time, or con them out of money (and the published damage figures caused by many worms are questionable at best). We just want to show that not much has changed since MS-DOS. Computer systems are still vulnerable, and vendors are still unenlightened. Maybe they're comfortable with this state (together with AV firms), but that's just speculation.

Our viruses are very often designed so that it would be impossible for them to spread in the wild without altering their structure: For example, they're limited to infecting one file per run, or they ask the user before even trying to reproduce.

I often hear the opinion that by releasing in our magazine the source code of our viruses and worms that implement new ideas and techniques, we indirectly cause destruction, because these techniques are then used in worms in the wild. (For example, 29A has written the first macro virus and the first real Win32 virus, and we worked out polymorphism and metamorphism, as well as the first Win64 virus and the first worm for Symbian that was able to spread via Bluetooth.) However, if you accept this opinion, then you're also pointing the finger at people who seek exploitable bugs in software and who release proof-of-concept exploits; you must believe that these researchers are also criminals. Behind almost all mass-spreading worms (if we omit worms that use social engineering methods) stands a bug in the software that was first discovered, then publicly described, and later exploited. Are you calling full-disclosure researchers criminals?

The answer is clear: Security through obscurity was overcome a long time ago, and that's why 29A and most of the serious virus-writing programmers release their code in magazines. But first, of course, we let AV firms know about these viruses, so they can adapt and prepare new cures. If the few of us who practice virus-writing as a hobby are able to attack almost every main platform, what would professional attackers or terrorists be able to do? It's better to know vulnerabilities in advance in order to prepare your defenses.

Me and Microsoft

A lot of people think that I create viruses because I hate Microsoft or what it symbolizes. That's incorrect. I've used Microsoft's products for many years now, and I'm satisfied with them. When I bought my new desktop PC, I paid extra money for Windows XP without hesitation; and when I decided to buy a PDA, I chose one with a Microsoft operating system. Those who have had close contact with Microsoft research will understand when I say that Microsoft employs the world's leading experts, and a priori those experts cannot do a bad job. Nevertheless, even though the inner design of this firm's products is flawless, the outer implementations mostly aren't. And Windows CE is no exception.

Immediately after playing with my new Pocket PC toy for the first time, I realized that I wanted to learn to create programs for it. And because I like programming on a very low level, I first had to learn the ARM assembly language, because at the heart of my PDA was an Intel XSCALE processor that implements ARM standard instructions.

There was an inevitable delay of a few months, both because of school and because of other non–virus-related coding. However, after the end of summer term, the holidays came up. Adequate free time is the basic prerequisite to making new programs, and that's why I decided then to start the Pocket PC project. On the Net, I found several ARM assembly guides and official ARM documentation, and in just a few days I thought I was prepared for coding in it. The only programs that are written completely in assembly language these days are computer viruses, so I let one arise....

More To Come...

In part 3 of this series, Ratter describes in detail the first proof-of-concept virus for Windows CE, WinCE4.Dust.
