'Crossover' malcode could jump from PC to handheld

By Bill Brenner, Senior News Writer 27 Feb 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

New proof-of-concept malcode designed to spread from desktop computers to wireless mobile devices has been discovered, according to the Mobile Malware Researchers Association (MARA).

Jonathan Read, a New Zealand-based CISSP and member of MARA -- a group formed last year to find and raise awareness regarding mobile device threats -- said in an e-mail Sunday that the malcode, dubbed Crossover, "is a proof-of-concept virus that shows how a virus can spread from a desktop computer to a Pocket PC. With the growing use of handheld devices, this type of virus may become very prevalent in the future."

The group noted that this malcode isn't actively in the wild. It's a proof of concept for educational purposes only. That said, the group warned that its appearance signals another shift in the threat landscape.

"This virus closes the gap between handhelds and desktops. Now its one big world open to all," the group said.

Read added, "For viruses to be more effective, they need to spread across a wider range of devices, including wireless devices. [AV organizations] have to be able to provide adequate protection to deal with these types of viruses."

A detailed analysis posted on the MARA Web site labeled the malcode Crossover because it is designed to spread from a desktop machine to a Pocket PC device, namely a handheld capable of running Microsoft Office and Outlook applications, and serve as a wireless phone.

"Crossover is the first malware to be able to infect both a Windows desktop computer as well as a PDA running Windows Mobile for Pocket PC," MARA said in the analysis. "It was sent to MARA anonymously."

When executed, MARA said, the virus checks what the current OS is. If it is not Windows or mobile, "the virus makes a copy of itself and puts a startup command to the copy in the registry local-machine-current-version-run." The virus "then quietly waits for an ActiveSync connection to be detected. It can wait infinitely, and every time the desktop is rebooted the virus recreates itself and again adds new copies to the registry." Theoretically, MARA said, "you can have so many copies running on startup it could degrade or halt the PC's performance."

When an ActiveSync connection is detected, the virus copies itself to the handheld device and remotely executes the virus to start running on it, the analysis added. The virus is programmed to erase all files in the My Documents directory of the device. It then copies itself to the Windows directory and creates a shortcut to the copy in Windowsstartup. When the device is reset, MARA said, the shortcuts execute their target files.

Tags: Handheld and Mobile Device Security Best Practices,  Malware, Viruses, Trojans and Spyware,  Emerging Information Security Threats,  Smartphone and PDA Viruses and Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Handheld and Mobile Device Security Best Practices How to prevent mobile phone spying Unified communications: Securing a converged infrastructure RIM patches serious BlackBerry Attachment Service flaws How secure are iPhone App Store mobile applications? Is there a spy on my mobile device? Mobile phones win during Pwn2Own contest Latest Apple iPhone features prompt security concerns Apple iPhone app could boost two-factor What Obama's Blackberry means for mobile device security SMS mobile worm attacks Symbian smartphones Handheld and Mobile Device Security Best Practices Research Malware, Viruses, Trojans and Spyware How to get rid of malware, botnets on a hospital IT network Should a national cybersecurity strategy include offensive botnets? How to prevent mobile phone spying How can search results lead to malware? How to defend against rogue DHCP server malware New Trojan stealing FTP credentials, attacking FTP websites Cybercriminals exploit Michael Jackson, Farrah Fawcett deaths When BIOS updates become malware attacks Antispyware buying guide for Indian enterprises PCI compliance requirement 5: Antivirus Emerging Information Security Threats New attack code targets Microsoft ActiveX zero-day vulnerability Adobe ColdFusion websites being compromised Antispyware buying guide for Indian enterprises ATM malware lets attackers take over machines FTC shutters rogue ISP for hosting malicious content, botnets The failing war against cybercriminals White House cybersecurity czar faces major hurdles Cybercrime and threat management The Pipe Dream of No More Free Bugs Face-off: Who should be in charge of cybersecurity?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) Zotob  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary