'Crossover' malcode could jump from PC to handheld

By Bill Brenner, Senior News Writer 27 Feb 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

New proof-of-concept malcode designed to spread from desktop computers to wireless mobile devices has been discovered, according to the Mobile Malware Researchers Association (MARA).

Jonathan Read, a New Zealand-based CISSP and member of MARA -- a group formed last year to find and raise awareness regarding mobile device threats -- said in an e-mail Sunday that the malcode, dubbed Crossover, "is a proof-of-concept virus that shows how a virus can spread from a desktop computer to a Pocket PC. With the growing use of handheld devices, this type of virus may become very prevalent in the future."

The group noted that this malcode isn't actively in the wild. It's a proof of concept for educational purposes only. That said, the group warned that its appearance signals another shift in the threat landscape.

"This virus closes the gap between handhelds and desktops. Now its one big world open to all," the group said.

Read added, "For viruses to be more effective, they need to spread across a wider range of devices, including wireless devices. [AV organizations] have to be able to provide adequate protection to deal with these types of viruses."

A detailed analysis posted on the MARA Web site labeled the malcode Crossover because it is designed to spread from a desktop machine to a Pocket PC device, namely a handheld capable of running Microsoft Office and Outlook applications, and serve as a wireless phone.

"Crossover is the first malware to be able to infect both a Windows desktop computer as well as a PDA running Windows Mobile for Pocket PC," MARA said in the analysis. "It was sent to MARA anonymously."

When executed, MARA said, the virus checks what the current OS is. If it is not Windows or mobile, "the virus makes a copy of itself and puts a startup command to the copy in the registry local-machine-current-version-run." The virus "then quietly waits for an ActiveSync connection to be detected. It can wait infinitely, and every time the desktop is rebooted the virus recreates itself and again adds new copies to the registry." Theoretically, MARA said, "you can have so many copies running on startup it could degrade or halt the PC's performance."

When an ActiveSync connection is detected, the virus copies itself to the handheld device and remotely executes the virus to start running on it, the analysis added. The virus is programmed to erase all files in the My Documents directory of the device. It then copies itself to the Windows directory and creates a shortcut to the copy in Windowsstartup. When the device is reset, MARA said, the shortcuts execute their target files.

Tags: Handheld and Mobile Device Security Best Practices,  Malware, Viruses, Trojans and Spyware,  Emerging Information Security Threats,  Smartphone and PDA Viruses and Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Handheld and Mobile Device Security Best Practices Researchers find thousands of flawed embedded devices Best Mobile Data Security Products Should Windows Mobile updates come from Microsoft? MMS messaging spoof hack could have global ramifications How to prevent mobile phone spying Unified communications: Securing a converged infrastructure RIM patches serious BlackBerry Attachment Service flaws How secure are iPhone App Store mobile applications? Is there a spy on my mobile device? Mobile phones win during Pwn2Own contest Handheld and Mobile Device Security Best Practices Research Malware, Viruses, Trojans and Spyware Schneier-Ranum Face-Off: Is antivirus dead? Modern malware, stealthy botnets, adapt quickly, expert says Computer worm infections up, scareware antivirus down, Microsoft says Web-based attacks skyrocket, pirating sites surge, security firms say Mini guide: How to remove and prevent Trojans, malware and spyware Kaspersky system analyzes malicious URLs on Twitter for malware Silon malware intercepts Internet Explorer sessions, steals credentials Breach forces payroll service provider PayChoice to shut down again RSA research underscores problem tracking cybercriminals Conficker analysis finds P2P coding limited, less sophisticated Emerging Information Security Threats Modern malware, stealthy botnets, adapt quickly, expert says New ransomware Trojan pushes victims to buy software Bruce Schneier on outsourcing, awareness training US-CERT warns of BlackBerry snooping software Marcus Ranum on cyberwarfare, infosec careers Researchers find thousands of flawed embedded devices Enterprise botnets contain thousands of malware variants Nuke and pave to eradicate botnets Rand study urges caution on cyberwarfare attacks Hathaway joins Harvard to contribute to DOD project

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary