Proof-of-concepts heighten mobile malware fears

By Bill Brenner, Senior News Writer
02 Mar 2006 | SearchSecurity.com

Security Wire Daily News
Enterprises needn't be worried about a visit from Crossover or RedBrowser, two proof-of-concept Trojans targeting handheld devices, but security experts say the malware is a sign of bigger threats to come and that IT professionals should start preparing.

"More and more people are beginning to use mobile devices for everyday things," Mobile Malware Researchers Association (MARA) member Jonathan Read said in an e-mail exchange Tuesday. "PDAs used to be very expensive and beyond the average person's reach. These days the prices have dropped dramatically along with huge advances in technology."

Read, a New Zealand-based CISSP and product manager of mobile security firm Airscanner Corp. in Dallas, believes it's only a matter of time before malware writers start targeting these platforms with more zeal. "I would say sooner rather than later," he said.

Experts say Crossover and RedBrowser use new tricks to spread, showing how the digital underground could theoretically launch widespread attacks that would simultaneously hit desktops and mobile devices.

"Two years ago we were saying that nerds were playing around, showing what they could do," said Joe Telafici, director of operations for AVERT Labs, part of Santa Clara, Calif.-based McAfee Inc. "The latest malcode shows them working on ways to make money by finding new attack vectors. [RedBrowser's] use of Java is an approach we haven't seen with other mobile phone worms. This is potentially something that can be tweaked to target a lot of mobile phones."

In the end, he said, the underground's goal is to have an attack that affects the most people through phones, desktops and other machines -- attacks where enough personal data can be stolen to make the bad guys a lot of money.

A tale of two Trojans
According to Read, MARA received a sample of Crossover from an anonymous source five days before the group went public with it. "We wanted to make certain that it was not a hoax," he said. In the end, the group determined Crossover worked as advertised. "At least four of us at MARA tested it on our own Pocket PCs."

After close inspection, the group concluded Crossover most resembles a Trojan. "A virus infects files, which this does not do. It creates its own files," Read said. "The way it crosses over could be seen by some as a worm-like feature but it does not spread any further like a worm."

A detailed analysis posted on the MARA Web site labeled the malcode Crossover because it is designed to spread from a desktop machine to a Pocket PC device, namely a handheld that can run Microsoft Office and Outlook applications and serve as a wireless phone.

"Crossover is the first malware to be able to infect both a Windows desktop computer as well as a PDA running Windows Mobile for Pocket PC," MARA said in the analysis, which offers a step-by-step outline of how the Trojan operates.

Meanwhile, several AV firms have analyzed the RedBrowser Trojan and found that it's designed to infect not just smart phones, but any mobile phone capable of running Java applications.

"The Trojan spreads in the guise of a program called 'RedBrowser,' which allegedly enables the user to visit [Wireless Application Protocol] sites without using a WAP connection," Russian AV firm Kaspersky Lab said in an analysis e-mailed to SearchSecurity.com. "According to the Trojan's author, this is made possible by sending and receiving free [Short Message Service]. In actual fact, the Trojan only sends SMSes to premium rate numbers. The user is charged $5 to $6 per SMS."

Kaspersky said the Trojan is a Java application. The file may be called "redbrowser.jar" and is 54,482 bytes in size. The Trojan can be downloaded to a victim's handset either via the Internet, through Bluetooth or a personal computer. It targets subscribers of Beeline, MTS and Megafon, Russia's major mobile service providers, the firm said.
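The description above (a Java MIDlet distributed as a .jar that does nothing but send premium-rate SMS) suggests a simple triage check a defender can run on any J2ME package before allowing it onto a handset: read the JAR manifest and flag MIDlets that declare the wireless-messaging send permission. The script below is an added example, not code from the article, Kaspersky Lab or MARA; it assumes MIDP 2.0 manifest attributes (MIDlet-Permissions, MIDlet-Permissions-Opt) and JSR-120 permission names, and it builds its own constructed sample JAR in memory rather than analysing the real redbrowser.jar.

```python
import io
import zipfile

# JSR-120 wireless messaging permissions (assumption: the article names none;
# these are the MIDP 2.0 permission strings a MIDlet declares to send/receive SMS).
SMS_PERMISSIONS = {
    "javax.wireless.messaging.sms.send",
    "javax.wireless.messaging.sms.receive",
}


def parse_manifest(text):
    """Parse a JAR MANIFEST.MF into a dict.

    Per the JAR spec, a line beginning with a single space continues the
    previous attribute, so those are joined back onto the preceding key.
    """
    entries = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and key is not None:
            entries[key] += raw[1:]
            continue
        if ":" in raw:
            key, value = raw.split(":", 1)
            key = key.strip()
            entries[key] = value.strip()
    return entries


def triage_midlet(jar_bytes):
    """Return basic findings about a MIDlet JAR: name, size, declared
    permissions, and whether any of them allow sending or receiving SMS."""
    findings = {"name": None, "size": len(jar_bytes),
                "permissions": [], "requests_sms": False}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    attrs = parse_manifest(manifest)
    findings["name"] = attrs.get("MIDlet-Name")
    required = [p.strip() for p in attrs.get("MIDlet-Permissions", "").split(",") if p.strip()]
    optional = [p.strip() for p in attrs.get("MIDlet-Permissions-Opt", "").split(",") if p.strip()]
    findings["permissions"] = required + optional
    findings["requests_sms"] = any(p in SMS_PERMISSIONS for p in findings["permissions"])
    return findings


def build_sample_jar(name, permissions):
    """Construct a minimal MIDlet JAR in memory.

    This is a constructed sample for the example only; it is not the real
    RedBrowser package and contains no working code.
    """
    manifest = ("Manifest-Version: 1.0\r\n"
                f"MIDlet-Name: {name}\r\n"
                "MIDlet-Version: 1.0\r\n"
                "MIDlet-Vendor: constructed-sample\r\n"
                "MicroEdition-Profile: MIDP-2.0\r\n"
                "MicroEdition-Configuration: CLDC-1.1\r\n")
    if permissions:
        manifest += "MIDlet-Permissions: " + ",".join(permissions) + "\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("Main.class", b"\xca\xfe\xba\xbe")  # placeholder class header only
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_jar("RedBrowser", ["javax.wireless.messaging.sms.send"])
    report = triage_midlet(sample)
    verdict = "REVIEW: requests SMS" if report["requests_sms"] else "no SMS permission declared"
    print(f"{report['name']} ({report['size']} bytes): {verdict}")
```

A "browser" that declares sms.send but no network permission is exactly the mismatch between advertised purpose and declared capability that this check is meant to surface; it is a triage signal for a human reviewer, not proof of malice, since many legitimate MIDlets also send SMS.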

"The two pieces of malware won't be widespread," said Shane Coursen, senior technical consultant for Kaspersky Lab. "But proof of concept malware can be dangerous in a different way. It puts out the idea that this kind of malware is worth exploring. More mobile malware may be created as a result."

Prepare for what's ahead
While both Trojans are proof-of-concept samples that aren't spreading in the wild, experts say the characteristics are worrisome. Real attacks may be around the corner, and they said IT professionals need to start planning.

As it stands now, experts say enterprises are not ready to deal with the threat.

"Most organizations are at an early stage of awareness regarding mobile threats," Telafici said. "Everyone's walking into the office with cell phones and PDAs that may or may not be company-owned. [IT professionals] need to start thinking about what their policy is for those kinds of devices and explore the kinds of tools available to enforce those policies."

Read agreed: "IT professionals need to become aware of the security implications that mobile devices pose," he said. "In cases such as crossover malware, it is essential that the employees at an organization do not compromise the company's security by taking a device home and syncing it on a less secure computer."

A company may have the most stringent security on the planet, but if an employee takes a device home and his or her home PC is infected, the device will also become infected, Read said, adding, "It's time to realize that [mobile] devices need AV software and proper firewalls."
