Slashdot Mirror


First Trojan for Windows CE Released

Tuxedo Jack writes "Symantec and The Register are reporting that the first Windows CE trojan horse, known as Brador, has been mailed to Trend Micro. This cannot spread on its own; it must be mailed or transmitted, then opened. Once opened, it opens a TCP port, allowing the remote-controller to connect and establish control over it. As expected, this will most likely be used to make new botnets, and it leads me to wonder: will we soon need firewalls for Windows Embedded?"

213 comments

  1. Only a matter of time I guess... by pillageplunder · · Score: 4, Interesting

    Interesting point that it cannot spread on its own. It appears to be following similar paths to viruses for other OS...start simple, move up in complexity and sneakiness.
    Greaaaaaat.

    --
    "Work is the curse of the drinking class" Oscar Wilde
    1. Re:Only a matter of time I guess... by Lumpy · · Score: 5, Interesting

      not really.

      The first viruses I saw back in the 80's were 20 times more elegant and amazing. They would actually attach to other programs, changing the first byte of the software to jump to the end of the program, execute the virus, then run the program. Many would even convince the DOS dir command to lie to the user and show the same filesize as the normal program... even though a user would not really notice the file size change since many of these viruses were smaller than 1K, some less than 500 bytes.

      today we really don't have many viruses but simply mal-ware.... although there are some real viruses out there.

      granted adding network capabilities to a virus is harder, but a simple local filesystem spreader can jump network mounted drives because the OS is happy to make it easy for the program.

      --
      Do not look at laser with remaining good eye.
    2. Re:Only a matter of time I guess... by mwood · · Score: 1

      "...will we soon need firewalls for...."

      Silly question. The answer is always, "yes, and you should have designed them in from the beginning."

      If it connects to a network, it needs protection. It's as simple as that.

    3. Re:Only a matter of time I guess... by RevAaron · · Score: 1

      Indeed. Back then it was an intellectual treat to read the assembly of a virus, for a lot of them at least. It may sound lame to say that, but it's true. Like looking at the DNA of a tapeworm. Today's viruses and worms work, but only because Windows is that wide open in so many ways- the people behind them aren't doing that much thinking.

      --

      Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
    4. Re:Only a matter of time I guess... by Errtu76 · · Score: 2

      Also back then the virii were more 'fun' to have. I still remember my mom, on an 8088 freaking out when a bouncing ball was on her screen, right in the middle of Word Perfect :) Or when my dad asked me to remove the music from his programs. Apparently every now and then he had to stop working, because the pc was playing yankee doodle :)

    5. Re:Only a matter of time I guess... by Anonymous Coward · · Score: 2, Insightful

      Somewhere along the line people figured out that viruses just have nowhere near the spreading power of an email that says "click here for porn -> porn.exe". The sad part is, that it STILL fucking works! You'd think everyone and their dog would have learned after the LoveLetter "virus" (which is actually a trojan), but no, people will happily click on any random attachment, even if there is no message, and the file name means absolutely nothing. Simply put, the cleverness of creating a virus pales in comparison to preying on the stupidity of regular people - sad but true.

    6. Re:Only a matter of time I guess... by maxwell demon · · Score: 3, Interesting

      Hmmm ... my television is actually connected to a network (the cable TV network). Do I need a firewall for it?

      --
      The Tao of math: The numbers you can count are not the real numbers.
    7. Re:Only a matter of time I guess... by bsmoor01 · · Score: 1

      The advent of protected memory in average-joe OSes probably put a stop to this. If it's possible for a virus running in one process to affect another's memory space, then there's a serious hole in the OS.

      -Seth

    8. Re:Only a matter of time I guess... by Anonymous Coward · · Score: 0

      Who was talking about memory??? If I can read the disk I can infect the files there. Nothing you can do to stop that short of adding UNIX filesystem and user systems (something that MS is too stupid to implement for the past 15 years.)

      It's really easy to make a tiny prog to access the disk, find files and attach to them especially at the backend of the program, sometimes you can get in the middle as there are large expanses of nothing in some programs (VB apps for example).

      It's that current "virus" writers are lame.

    9. Re:Only a matter of time I guess... by bsmoor01 · · Score: 2, Informative

      NTFS

    10. Re:Only a matter of time I guess... by JBdH · · Score: 1

      D*n right you are. The first virus I saw was the Word Perfect 5.1 ping pong virus, which was a little 0 bouncing through the screen, taking away characters it bounced through on the screen. wp5.1 was basically a single exe file, so the virus had to mod the binary in some way. An .exe without the virus would have exactly the same size as the .exe WITH the virus. Maybe that's because of the trick the parent describes.

    11. Re:Only a matter of time I guess... by Marxist Hacker 42 · · Score: 1

      Depends. Have you been getting spam from your cable company on it? I got rid of my digital cable partially for that reason- I got tired of the spam for PPV that kept putting a stupid little envelope icon on the screen whenever I changed channels. (that, and I wasn't really watching the upper level channels anyway).

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    12. Re:Only a matter of time I guess... by Anonymous Coward · · Score: 0

      People aren't stupid. The real question is: Why does clicking on a link in an email message run a program? Does that sound like sensible behavior to you? How often do you mail someone a program with the message "Click me". An email client should deliver mail, it should not be capable of launching programs. If I want to send somebody a singing birthday card, then I'll just check myself into the State Hospital instead.

    13. Re:Only a matter of time I guess... by Thomic · · Score: 1

      You are right that people aren't stupid, but they just don't think when they press the button.

      Once my friend pressed the button and said "I can't open this attachment. My computer went nuts. Could you open the file from your computer, please."

      I'm sure that he doesn't do that again ;)

      And yeah, it might be a good idea to restrict mail-program to open other than selected programs. At least it sounds good for me.

    14. Re:Only a matter of time I guess... by maxwell demon · · Score: 1

      Well, I'm only getting the usual spam through TV channels (also known as advertising spots). But then, spam is not what a firewall is for (or rather, against), that's the spam blocker's job (I don't have a spam blocker on my TV, but it already has been invented - I don't know the accuracy, though).

      --
      The Tao of math: The numbers you can count are not the real numbers.
    15. Re:Only a matter of time I guess... by Marxist Hacker 42 · · Score: 1

      :-) Digital cable is different- in addition to TV Channel data, digital cable sends you a huge variety of stuff down your cable- e-mail, digital music, IP tunneling, etc. It's not outside the realm of possibility that somebody could hack your Windows Embedded set top box, thus the need for a firewall.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  2. Of course we're going to need firewalls... by Dagny Taggert · · Score: 4, Insightful

    ..for CE because, as usual, people will have to patch their CE-based PDA. If desktop Windows is any example, most people won't bother to download security updates, leading to exposure to other damaging variants. I'm sure the brains at Symantec are running in high gear right about now.

    --
    Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
    1. Re:Of course we're going to need firewalls... by danamania · · Score: 2, Interesting

      > ..for CE because, as usual, people will have to patch their CE-based PDA

      Good point, if WinCE based machines operate in a network manner the same as desktop Windows. Are they in any way comparable? If you somehow had a desktop running WinCE, would it be comparable to say, a Win XP machine with its networking?

    2. Re:Of course we're going to need firewalls... by SpinyManiac · · Score: 5, Funny

      This is a social engineering exploit in user.exe
      To patch this vulnerability, run the following:

      clueX4.exe /beat common.sense user.exe

      --
      It's never too late to have a happy childhood.
    3. Re:Of course we're going to need firewalls... by FireFury03 · · Score: 3, Funny

      Just wait - soon you'll need to download 70MB patches over GPRS :)

    4. Re:Of course we're going to need firewalls... by thpdg · · Score: 4, Informative

      Don't forget that with Windows CE, when you do a hard reset, it's like formatting a hard drive. Any updates you have on, will be erased and need to be reinstalled. For some users, that would need to happen pretty regularly.
      It's because of this, that most Windows CE updates are in the form of ROM updates, and these don't usually make it to consumers, and when they do, are a pain to install.
      There are ways around it, but Microsoft isn't showing any effort, perhaps now they will. Every time I reset, I have to install the updates for Pocket MSN and Pocket IE from flash card again.

      --

      -Patrick

      "They never stop thinking about new ways to harm our country and our people, and neither do we."

    5. Re:Of course we're going to need firewalls... by silverfuck · · Score: 3, Insightful

      IMHO, any device capable of running user programs and with any sort of communications should need a firewall. Computers need them, handhelds need them, soon phones (when they become more like PDAs) will need them, everything! It would save a lot of bother if this type of feature were designed into a system from the beginning, when the threat was more theory than any real problem - just think how things would be if computers had had firewalls from the beginning.

      --
      You know you've been IMing too long when you almost say 'lol' out loud to a non-geeky friend...
    6. Re:Of course we're going to need firewalls... by Anonymous Coward · · Score: 2, Funny

      unless the virus disables the hard reset using the foward deflector array and

      never mind.

    7. Re:Of course we're going to need firewalls... by RevAaron · · Score: 1

      You can already get firewalls for Linux, WinCE (incl PocketPC) PDAs.

      --

      Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
    8. Re:Of course we're going to need firewalls... by RevAaron · · Score: 4, Informative

      > Good point, if WinCE based machines operate in a network manner the same as desktop Windows. Are they in any way comparable? If you somehow had a desktop running WinCE, would it be comparable to say, a Win XP machine with its networking?

      Short answer: yes.

      Long answer: Pretty much. CE doesn't have the services with ports open that regular Windows does, but otherwise the networking system is very similar in its capabilities. When it's on it's always on. CE is a lot like regular NT/XP in a lot of ways in its capabilities, though it was done from scratch, which benefits it a lot. It has a substantial subset (think Carbon from Mac OS Toolbox) of the Win32 API found in XP.

      --

      Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
    9. Re:Of course we're going to need firewalls... by tlhIngan · · Score: 1

      > Don't forget that with Windows CE, when you do a hard reset, it's like formatting a hard drive. Any updates you have on, will be erased and need to be reinstalled. For some users, that would need to happen pretty regularly.
      > It's because of this, that most Windows CE updates are in the form of ROM updates, and these don't usually make it to consumers, and when they do, are a pain to install.
      > There are ways around it, but Microsoft isn't showing any effort, perhaps now they will. Every time I reset, I have to install the updates for Pocket MSN and Pocket IE from flash card again.


      Except that quite often, the new generation of PDAs have come with a *LOT* of onboard non-volatile storage. Come to think of it, I've seen iPaqs come with backup software that backs up the RAM disk to built-in flash. And now a lot of PocketPCs come with non-volatile flash for user data storage (it's not just for PocketPC anymore). So hard-resetting the device will remove the virus, but if it was stored in the flashdisk, then well, it's just waiting to be reactivated.

      Oh, you can also persist the Windows Registry to flash as well. A carefully written app can easily set up a registry key to autorun on boot (one string, and a DWORD), then call the registry-persisting functions to write that key to flash. Then on next bootup, Windows CE will helpfully restore the registry, then run through its initialization.

      Now, most of the low-end PDAs still use a backup battery and RAM, leaving the high end ones to have the "backup to onboard memory" feature, as well as a user-writable storage area without having to have a storage card handy.

    10. Re:Of course we're going to need firewalls... by Chanc_Gorkon · · Score: 1

      This particular virus would be gone after a reset unless you were dumb enough to save it in the file store and run it again. When it runs, it puts itself in /windows/startup .

      This is an inconsequential virus and there's still no need for PPC antivirus software.

      --

      Gorkman

    11. Re:Of course we're going to need firewalls... by FuzzyBad-Mofo · · Score: 1

      Heh, I read that as PowerPC antivirus software. Gotta love those acronym namespace conflicts..

    12. Re:Of course we're going to need firewalls... by thpdg · · Score: 1

      You mean like this? http://www.symantec.com/sav/handhelds/

      --

      -Patrick

      "They never stop thinking about new ways to harm our country and our people, and neither do we."

    13. Re:Of course we're going to need firewalls... by bithead2u · · Score: 1

      PPC "Magneto" (based on CE 5.0) will include support for Trusted Computing, and also will use persistent storage (flash based) instead of the current ram based file system and registry. With persistent storage, when you have a crash or do a hard reset, you won't lose data, patches, or apps (in theory). But Suspend could be pathetically slow, sort of like hibernate on the desktop, since all files have to be flushed before power down.

  3. i find it interesting by dncsky1530 · · Score: 2, Interesting

    that smartphones were hit by a worm before windows CE, anyone wondering the same thing?

    1. Re:i find it interesting by SenseiLeNoir · · Score: 2, Informative

      that was a concept worm.. not a real worm, please do not do a SCO and make something seem different to what it really is.

      Secondly it uses the standard Bluetooth file transfer mechanism, and does not exploit any vulnerability. The Symbian (certainly on my p800) system will receive a file ONLY if it is paired to the phone, otherwise you get a message specifically asking if you wish to receive it.

      Once received, you have to open the warn, read about two or three warnings, telling exactly what is happening before you even get to the point of installing the application. Finally the application needs to be physically started.

      Finally being a 10meter range on bluetooth, guess what the biggest limiting factor is!

      I know users can be stupid, but this one would most probably remain a concept, nothing more.

      --
      Have a nice day!
    2. Re:i find it interesting by rnilz · · Score: 0

      > I know users can be stupid, but this one would most probably remain a concept, nothing more

      I disagree. This 'worm' follows the exact same principle e-mail worms do: in order to be successful, you have to con the user into opening the file. Nothing more, nothing less. Right, surely people won't open files on their files willy nilly? Of course they will. It's happened before, it'll happen again.

    3. Re:i find it interesting by RevAaron · · Score: 1

      This CE trojan isn't much different. The person has to download it and run it *on purpose*. It doesn't exploit any vulnerabilities.

      With both, users can be stupid enough to do it. You say "hey, try out this game!" whether it's over email or bluetooth. But neither would do well out in the wild.

      --

      Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
    4. Re:i find it interesting by D4rkn1ght · · Score: 1

      Isn't WinCE going to be the OS of choice for MSN TV? If so, a virus like this will fool the regular consumer.

  4. Its about time! by Anonymous Coward · · Score: 4, Interesting

    Can you get virus/worm protection for CE already at all?

    1. Re:Its about time! by SpinyManiac · · Score: 1

      McAfee used to do a WinCE virus scanner, but now it looks like they only support Dell Axims.

      --
      It's never too late to have a happy childhood.
    2. Re:Its about time! by anno1602 · · Score: 2, Informative

      RTFA. The link that has details to the Virus has update instructions for Symantec AntiVirus for Handhelds (TM). So, in a word: Yes.

    3. Re:Its about time! by SpinyManiac · · Score: 2, Informative

      And Trend.

      --
      It's never too late to have a happy childhood.
  5. Marketshare isn't an issue either with this by CrackedButter · · Score: 3, Interesting


    There are more Macs than Windows CE devices yet there is now a virus for that platform. That argument about Macs having a smaller marketshare and thus are not the target of hackers can be thrown out of the window.
    Can it?

    1. Re:Marketshare isn't an issue either with this by Anonymous Coward · · Score: 0

      You forget that there are viruses for the Mac platform.

    2. Re:Marketshare isn't an issue either with this by DaHat · · Score: 2, Interesting

      You say that as if there are no viruses on the Mac platform. A simple google search will reveal that is not the case.

    3. Re:Marketshare isn't an issue either with this by Swedentom · · Score: 1

      Well, the CE devices are in a somewhat different market than Macs, so I bet their marketshare is pretty large.

      And there are viruses for Mac, but not any for Mac OS X, except for Office macro viruses created for Windows, AFAIK.

      --
      Sig Nature
    4. Re:Marketshare isn't an issue either with this by Anonymous Coward · · Score: 0

      Stop spreading FUD, moron.

    5. Re:Marketshare isn't an issue either with this by CrackedButter · · Score: 1

      I'm talking about MAC OSX in particular. Sorry, should have clarified.

    6. Re:Marketshare isn't an issue either with this by Anonymous Coward · · Score: 0

      There are viruses for Mac OS X.

    7. Re:Marketshare isn't an issue either with this by gl4ss · · Score: 2, Interesting

      this is not a virus, or not even a trojan.

      it's an honest backdoor program.. which means that it's just a program that takes commands from outside the device and as such is very unlikely to even be first of its kind.

      very bad excuse for an antivirus company to get some pr tho.

      I believe this kind of programs exist for mac as well (opensshd would technically count as well, strange we don't see it mentioned there).

      --
      world was created 5 seconds before this post as it is.
    8. Re:Marketshare isn't an issue either with this by CrackedButter · · Score: 0

      Really?

    9. Re:Marketshare isn't an issue either with this by Anonymous Coward · · Score: 0

      Are you so deluded by your own zealotry that you can't admit it's not possible for someone to write a simple program to delete all your files and email itself to others in Mac OS?

    10. Re:Marketshare isn't an issue either with this by fiftyvolts · · Score: 4, Informative

      I'm a Mac user, perhaps even a Mac zealot, but I'll admit that there are security issues with OS X. First of all no matter what OS you run someone can make a Trojan horse. It's quite easy to write a program that just zaps all your files or something. If you can convince someone to run your code, no matter how many warnings the OS throws up, then you've pretty much got them by the balls so to speak.

      In addition there was one quite scary vulnerability with Macs. As you may know when you double click an Icon OS X helpfully tries to figure out how to "do what you mean." It is possible to hide executable code in the data tags on a mp3 that OS X will (helpfully?) run when it is double clicked. If you play it through iTunes it will seem like a regular mp3, but opening it could run malicious code.

      I am still of the opinion that windows is swiss cheese when it comes to holes, but no operating system is immune to duplicity.

    11. Re:Marketshare isn't an issue either with this by Anonymous Coward · · Score: 0

      > There are viruses for Mac OS X.

      For an extra ten points, name all of them

    12. Re:Marketshare isn't an issue either with this by Anonymous Coward · · Score: 1, Insightful

      > > There are viruses for Mac OS X.
      > For an extra ten points, name all of them


      Typical mac zealot response. Go google them yourself. You'll find dozens

    13. Re:Marketshare isn't an issue either with this by Anonymous Coward · · Score: 0

      > this is not a virus, or not even a trojan.

      Well, a trojan is a program that pretends to be one thing, while actually being something else.

      So, this is not a trojan. But, since it pretends to be a trojan, it actually pretends to be something that it is not. Which makes it a trojan. But, if it's a trojan, and it pretends to be a trojan, it doesn't pretend to be something that it's not. Which makes it not a trojan. But, since it pretends to be a trojan, it actually pretends to be something that it is not. Which makes it a trojan...

      Confused yet?

    14. Re:Marketshare isn't an issue either with this by mst76 · · Score: 4, Informative

      Except that this isn't a virus or a worm, it's a trojan. Trojans are trivial to make for any OS that can execute applications. You can probably come up with your own OSX trojan in 30 seconds.

    15. Re:Marketshare isn't an issue either with this by CrackedButter · · Score: 0

      Btw, for some who didn't notice, i didn't actually say the Mac hasn't got viruses my point was about marketshare being a factor in writing a virus for a given platform.

    16. Re:Marketshare isn't an issue either with this by Anonymous Coward · · Score: 0

      Pretend I'm stupid and can't find any Mac OS X viruses.

      Name them all

      Name five

      heck, name just one

    17. Re:Marketshare isn't an issue either with this by Anonymous Coward · · Score: 0

      Zealotry means repeating yourself like you are when presented with the facts. Again, google it yourself; a google for mac os x viruses reveals over TWO THOUSAND HITS.

      TRY IT yourself.

    18. Re:Marketshare isn't an issue either with this by dave420 · · Score: 1

      Of course it can't be thrown out the window. Sheesh. Windows PDAs are way more complicated than their Palm equivalents, and with that extra complexity (and power) comes an increased risk of viruses. And, in the PDA world, the largest market share is Windows, so the argument still stands. I guess you'll have to bash microsoft some other way.

    19. Re:Marketshare isn't an issue either with this by NanoGator · · Score: 1

      "That argument about Macs having a smaller marketshare and thus are not the target of hackers can be thrown out of the window."

      Nope. Windows still holds the crown by a long shot.

      Virus spread is greatly enhanced by having a large number of connected hosts. (connected not necessarily meaning 'connected to the net') This argument has been disputed before, but not satisfactorily.

      --
      "Derp de derp."
    20. Re:Marketshare isn't an issue either with this by mvdwege · · Score: 1

      Well then, do the search and post the link, or shut the fuck up, OK?

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    21. Re:Marketshare isn't an issue either with this by Carnildo · · Score: 2, Insightful

      Last time I checked, there were 24 viruses and one worm. None of them would work on MacOS X.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    22. Re:Marketshare isn't an issue either with this by Anonymous Coward · · Score: 0

      Been done. Easy solution: never download MP3s that are stuffed (SIT) or BinHexed (HQX) or in any format that preserves resource fork.

  6. This is a Good Thing by wackysootroom · · Score: 4, Funny

    First Trojan for WinCE? Good! Now I won't have all of these little Pocket PCs running around!

    1. Re:This is a Good Thing by Anonymous Coward · · Score: 0

      Ironically, it could also stop viruses.....

  7. Ask a stupid question... by A Guy From Ottawa · · Score: 3, Funny

    > will we soon need firewalls for Windows Embedded?

    If you have ANY device connected to a network, it should be protected (firewalled) from evil-doers.

    Sincerely,
    GWB

    --

    using System.Awesome;

    1. Re:Ask a stupid question... by Anonymous Coward · · Score: 0

      > Sincerely,
      > GWB

      Mr. President, I thought you were from Texas, not Ottawa. This explains so much!

    2. Re:Ask a stupid question... by FireFury03 · · Score: 2, Insightful

      > If you have ANY device connected to a network, it should be protected (firewalled) from evil-doers.

      No - if your device is set up _correctly_ then insecure and unnecessary services shouldn't even be listening for connections from the big bad internet, so you don't need a firewall.

      IMHO the _only_ reasons to have a firewall on a system set up by someone with a clue are:
      1. controlling forwarded traffic if the device is routing network traffic for other machines
      2. as a fail safe in case you accidentally enable a service you didn't intend to.

    3. Re:Ask a stupid question... by aurelian · · Score: 1

      Firewall may still be a useful precaution in case there are un-patched vulnerabilities in your services. Can't necessarily count on there always being a patch released in time.

    4. Re:Ask a stupid question... by FireFury03 · · Score: 1

      Errm, I'm sorry, but if I have a webserver running then the firewall will have to allow traffic to that webserver - the firewall won't be examining the traffic and looking to see if it matches any known attack (and even if it did, since the attack is known the webserver can be fixed). So someone can compromise that web server whether there is a firewall or not.

      If you mean that the attacker could install code listening on any other port then a firewall running on the machine itself isn't going to help you - there's nothing stopping the attacker from shutting down the firewall while they're installing a rootkit. Even if the firewall is on a different machine there's still nothing stopping the attacker from crashing the service they're compromising (or any other service on the box) and firing up their own service to listen on that port.

    5. Re:Ask a stupid question... by aurelian · · Score: 2, Insightful

      > If you mean that the attacker could install code listening on any other port then a firewall running on the machine itself isn't going to help you - there's nothing stopping the attacker from shutting down the firewall while they're installing a rootkit.

      Sure, if it's an attacker installing a rootkit then there's not much you can do. But internet worms aren't necessarily that sophisticated. Often they're just looking for unpatched unprotected boxes.

    6. Re:Ask a stupid question... by Sique · · Score: 1

      IMHO the _only_ reason to have a firewall on a network is to add another layer of security. Every system has a point where it fails, and to rely on only a single system of protection is risky.

      There are multiple points where a host based protection system can fail. Missing patches, errors in configuration, not secure setups out of the box (to load the latest patches you have to be online), you name it.

      There are also multiple points where a firewall based security policy can fail. Stateful inspection protects the system only against access to unwanted services. Attacking a purposely active service can not be prevented by a stateful inspection firewall. And also firewalls can be misconfigured. I had a case some time ago, where the firewall module didn't load, and the base system was set up to go to routing mode without firewall module. It's not that easy to detect, because the active services are reachable, and in this case the host was well setup, so all unwanted services were unreachable.

      The application firewalls, which draw their security from implementing a more secure and hardened version of the protocol(s), have other drawbacks (lower bandwidth, limited scope) and are not universally deployable, and also for them the old rule is valid: They can be misconfigured.

      And there is always the risk of not handling your system properly. What use are extensive logfiles of services and firewalls, if they get deleted unread, because the log file system went full?

      So as a conclusion: Don't rely on a single way to protect your systems. Every method has their merits and their limitations. And you have to choose and to put them into a working policy whose scope should always go beyond the purely technical aspects of security.

      --
      .sig: Sique *sigh*
  8. Attitudes to networking by rokzy · · Score: 3, Insightful

    >will we soon need firewalls for Windows Embedded?

    given how important and prevalent networking is, shouldn't every network capable device now have some sort of a firewall?

    by analogy, after seatbelts were invented, instead of waiting for a car crash and asking
    "do cars need seatbelts?", then waiting for a van crash and asking
    "do vans need seatbelts?", then waiting for an SUV crash and asking
    "do SUVs need seatbelts?", then waiting for a lorry crash and asking
    "do lorries need seatbelts?" ...
    just skip to the end - put seatbelts in all vehicles unless a very good reason not to.

    1. Re:Attitudes to networking by FireFury03 · · Score: 3, Insightful

      "do busses need seatbelts?" - yes, but not many have them
      "do trains need seatbelts?" - probably, but they don't have them
      "do motorcycles need seatbelts?" - dunno, but I don't see many the them :)

    2. Re:Attitudes to networking by MikeXpop · · Score: 2, Interesting

      > "do motorcycles need seatbelts?"

      That's the silliest thing I've ever heard. Of course they don't need them. Adding seat belts would be a safety hazard. If I fall on a motorcycle, the last thing I want is to have a motorcycle strapped to me. The whole purpose of a seatbelt is so you don't smash into the front of the car/train/bus. That doesn't make sense on a motorcycle.
      --
      Etiquette is etiquette. He kills his mother but he can't wear grey trousers.
    3. Re:Attitudes to networking by ez_TAB · · Score: 0

      I want an Earthbelt.
      This thing is moving pretty damn fast...if we hit something....

      --
      Quote from ???: "There are lies; there are damn lies; and there are benchmarks."
    4. Re:Attitudes to networking by FireFury03 · · Score: 1

      That's the silliest thing I've ever heard.

      Umm, yah, that would be why there was a smiley on the end of the line...

    5. Re:Attitudes to networking by Gordonjcp · · Score: 1

      And yet, in some parts of the US, there are laws requiring you to either wear a helmet, or have seatbelts fitted. Strange but true.

    6. Re:Attitudes to networking by Anonymous Coward · · Score: 0

      Exactly. He was explaining the joke in enough detail so everyone could enjoy the humor. Hence "that's the silliest thing I've ever heard." Quite a refreshing change from "LOL" or "ROFLMAO."

    7. Re:Attitudes to networking by glesga_kiss · · Score: 1

      Parent is correct. When learning to ride a motorcycle, you get told to push the bike away from you in an accident. If you just skid along the ground, your clothing and helmet will protect you. The only real hazard is hitting something, like a wall, car or your own bike.

    8. Re:Attitudes to networking by Anonymous Coward · · Score: 0

      On moving vehicles, you are moving at the same speed as the vehicle. So, when the vehicle decelerates quickly to a stop, you are still moving forward. A seatbelt prevents you from getting thrown into the windshield or the steering wheel. But a huge vehicle like a bus or a train does not come to a stop very quickly since it has a huge momentum, so in an accident, it's unlikely that you'll get the same injuries as in a car.

      On a motorcycle, it'd be a bad idea to add a seatbelt since it will tie you up to the motorcycle which may roll over on the top of you.

    9. Re:Attitudes to networking by kisielk · · Score: 1

      Busses do not need seatbelts. In fact, studies have been done that show that seatbelts in a bus are more likely to cause injury than if the rider was without one. I wish I could find and quote the study on the net right now, but unfortunately I don't have the time to find it.

  9. Windows Broken Security Model. by torpor · · Score: 0

    You know, you'd think that there'd be some money to be made in fixing Windows Broken Security Model.

    What is stopping some enterprising hacker - and surely, if you can write a virus, you can do this - from developing a 3rd-party 'add-on' or extension or something which fixes the broken user/security model of Windows(XP,CE,2K,etc)?

    Some kind of wrapper .DLL set which encapsulates all the most common API's used by Virus-writers to exploit Windows flaws should be feasible, surely ...

    --
    ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
    1. Re:Windows Broken Security Model. by rokzy · · Score: 1

      the problem being many programs are also built on the flaws. just like websites with incorrect html but designed to work around flaws in I.E.

    2. Re:Windows Broken Security Model. by tesmako · · Score: 4, Insightful

      Well I would love to hear how all the people posting in this story complaining about the operating system security suggest how to prevent this trojan from working? It does not spread, you have to manually download it or get it in a mail, it does not automatically run, you have to run it yourself, just where is the operating system supposed to look to be able to tell that the user needs to be protected from itself?

    3. Re:Windows Broken Security Model. by Anonymous Coward · · Score: 0

      There are many products that intercept standard Windows API calls like a debugger and "sanity check" the length of parameters and whatnot. Okena made one, which was bought by Cisco; NAI makes Entercept. Think about your breathing.

    4. Re:Windows Broken Security Model. by Anonymous Coward · · Score: 0

      It is a classic "problem located between stylus and seat" issue. Stupid user is sent a trojan and stupidly runs it.

      This would work on UNIX as well if similarly minded people started using it.

      Of course the developers of the Windows CE email application would have known this and could have chosen to make it harder to use attachments.

    5. Re:Windows Broken Security Model. by Anonymous Coward · · Score: 1, Funny

      Hmm... how about giving the user a brief intelligence test each time the handheld is going to retrieve e-mail?

      If the score isn't over a certain threshold, any executable files received in new e-mail messages are automatically deleted, and the following text is appended to the messages:

      ----------
      An executable file attachment was removed from this message. It was not necessarily a worm/virus/trojan, but your IQ test results show you are too fucking stupid to tell the difference and would happily double-click on a land mine if someone sent you one.
      ----------

    6. Re:Windows Broken Security Model. by Anonymous Coward · · Score: 0

      You can fix most of those problems pretty easily; in that sense you're correct. The trouble is what you break in the process. Windows becomes much more secure if you start logging people in as limited users instead of power users/administrators, but lots of apps just won't run. Cisco Call manager won't run in fact, which is inexcusable on the part of a network company!

      If you start wrapping those calls you will prevent lots of apps that rely on the lack of security to do things. Legacy windows programs make all sorts of assumptions like I can put a file in %windir%\system.

      One of the main things that prevent people from moving to other platforms is their apps won't run. If you start making windows so apps won't run, then its one *feature* is ruined. The only good thing windows has going for it is compatibility. You break that, windows becomes worthless when compared with OSx or GNU/Linux.

    7. Re:Windows Broken Security Model. by Anonymous Coward · · Score: 0

      Clearly you don't understand how Windows is structured. Its security model is one of the best in the business. Its implementation however, has been less than stellar. And add things like Office macros to complicate issues. But the Windows security model itself is very good.

    8. Re:Windows Broken Security Model. by Anonymous Coward · · Score: 0

      "Just where is the operating system supposed to look to be able to tell that the user needs to be protected from itself?"

      If the user is stupid enough to use Windows, he obviously needs to be protected from himself.

    9. Re:Windows Broken Security Model. by mailtomomo · · Score: 0

      great way to improve minesweeper ... and humanity

    10. Re:Windows Broken Security Model. by torpor · · Score: 1

      Its security model is one of the best in the business.

      if it were so good, it would be easy to implement, not hard.

      --
      ; -- the corruption of government starts with its secrets. a truly free people keep no secrets. --
  10. diebold. by Neophytus · · Score: 4, Interesting

    IIRC everybody's favorite e-voting company Diebold uses CE for their voting machines. I wouldn't be surprised if they used it for their ATMs too. There's a pretty big market to be hit if you can get a worm onto either of those private networks.

    1. Re:diebold. by RevAaron · · Score: 1

      d0000d maybe u could write a k-rad [1] tr0jan on da magstr!!!p of your CC card! hell yea!!

      [1] why don't people say "k-rad" any more? at least in mocking l33t people? that was a mainstay of the l33t mocking community back in my BBS days- it's a shame no one uses it anymore.

      --

      Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
    2. Re:diebold. by mattyrobinson69 · · Score: 1

      in the UK, the cashmachines use (i think) windows 98. i think this because i saw a dhcp error on one once, and the window border looked like ass-ugly 98 (95 and 2k are slightly different, the others are quite a way off)

    3. Re:diebold. by mattyrobinson69 · · Score: 1

      oh ye, my point was that windows 98 is not secure and i wouldn't feel happy drawing money out if halifax weren't going to foot the bill - thankfully for me, they do.

      windows 98 on a nationwide system of cashpoints, which holds millions (maybe billions, i dont know) of pounds

    4. Re:diebold. by dave420 · · Score: 1

      Actually, they use NT 4. :)

    5. Re:diebold. by mattyrobinson69 · · Score: 1

      that's weird, I was sure it was arse-ugly windows 98. spose it makes a bit more sense to use NT4 though.
      I thought NT4 used the same window borders as 95 but maybe I'm wrong.

      (i do believe you btw).

    6. Re:diebold. by tpgp · · Score: 0

      I wouldn't be surprised if they used it for their ATMs

      Yes. They do

      --
      My pics.
  11. first? bullshit. by gl4ss · · Score: 4, Insightful

    since it doesn't even spread or do anything except accept commands over network I highly doubt that it isn't the first of its kind.

    and tell me, WHAT GOOD WOULD A FIREWALL DO AGAINST AN _INTENTIONALLY_ INSTALLED BACKDOOR PROGRAM? nothing nada zip zero.. if you _wanted_ to run it which you must(in case of this program) you would want to turn off the fw too, no?

    and built for botnets? no way, are you disconnected with reality? building a botnet with these would be total idiocy.

    and then it's for windows mobile, not ce(yes, a mild difference but difference anyways): " Backdoor.Brador.A will work on Windows Mobile 2003 and only affects ARM-based devices."

    oh and another thing. 99% of the time these devices are behind NAT if they're on network.

    --
    world was created 5 seconds before this post as it is.
    1. Re:first? bullshit. by FireFury03 · · Score: 1

      and built for botnets? no way, are you disconnected with reality? building a botnet with these would be total idiocy.

      I dunno - great way to run up people's GPRS bills.

    2. Re:first? bullshit. by spectrokid · · Score: 1

      Personal firewalls do give out a warning that "Program XYZ is connecting to server ABC. Do you want to allow this?" Things like ad-aware, antivirus and personal firewall do have a role here, but it makes me sick thinking I am going to have to install/update all that shit on a pda. Considering they have almost started from scratch on CE, you'd think they would use the occasion to get their security right. Maybe the solution is to filter at the ISP/Telco level. I don't know many legal applications for sending 1000+ emails from a PDA.

      --

      10 ?"Hello World" life was simple then

    3. Re:first? bullshit. by barcodez · · Score: 2, Insightful

      and tell me, WHAT GOOD WOULD A FIREWALL DO AGAINST AN _INTENTIONALLY_ INSTALLED BACKDOOR PROGRAM? nothing nada zip zero.. if you _wanted_ to run it which you must(in case of this program) you would want to turn off the fw too, no?

      OK from the post not even the article...

      Once opened, it opens a TCP port, allowing the remote-controller to connect and establish control over it.

      So adding a firewall will stop commands from evil doers (tm) from executing on your PDA. The point of this trojan is you trick people into installing it. Send a mail saying "hey install this cool new game!".

      --

      ----
    4. Re:first? bullshit. by Anonymous Coward · · Score: 0

      > So adding a firewall will stop commands from evil doers (tm) from executing on your PDA.

      Nonsense, a firewall stops traffic from and to the network, it doesn't stop programs from executing. The obvious thing to do for a trojan is to disable firewalls first. Now, on a Real OS, a normal user can't stop a firewall that has higher privileges. But on WinCE, normal users are root, so...

    5. Re:first? bullshit. by mr_z_beeblebrox · · Score: 1

      Apt title for your post. and tell me, WHAT GOOD WOULD A FIREWALL DO AGAINST AN _INTENTIONALLY_ INSTALLED BACKDOOR PROGRAM?

      Good point, but true administration would be nice. I have clowns in my warehouse running around with ARM based winmob 2003 scanners. I can not prevent them from downloading and installing this (well, other than by filtering their e-mail).

      oh and another thing. 99% of the time these devices are behind NAT if they're on network.

      99% of all statistics are wrong. Seriously, where do you A. Come up with that and B. believe that it matters. Most corporate networks use NAT but that has not stifled any rogue programs.

    6. Re:first? bullshit. by krunk7 · · Score: 1
      I'm sorry, but you must be confused as to what a firewall is. I'll clarify:

      A firewall blocks all ports which are not explicitly opened for use. It blocks both ingress and egress traffic and does so separately such that port XX may be opened for incoming but not outgoing traffic. Most decent firewalls are also stateful allowing for established or related traffic to be allowed.

      So, in short, a firewall goes a long way in preventing any harm due to careless users since though the program can be installed, it would be completely ineffective unless it happened to operate on one of your opened ports. It would also allow for inspection of drop and/or reject log entries which would alert you to unexpected scan attempts.
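
The filtering model described in the comment above (default deny, separate ingress and egress rules, stateful matching, inspectable drop log), as an added example that is not part of the original post. The policy, the port 5555 standing in for a trojan's listener, and all addresses are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str     # "in" = arriving at the device, "out" = leaving it
    proto: str
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass
class Firewall:
    # Ingress and egress are separate rule sets; anything not listed is dropped.
    allow_in: set = field(default_factory=set)     # {(proto, local_port)}
    allow_out: set = field(default_factory=set)    # {(proto, remote_port)}
    established: set = field(default_factory=set)  # flows already accepted
    drop_log: list = field(default_factory=list)

    def filter(self, pkt: Packet) -> str:
        flow = (pkt.proto, pkt.local_port, pkt.remote_ip, pkt.remote_port)
        if flow in self.established:
            return "ACCEPT"          # stateful: traffic of a flow we already allowed
        if pkt.direction == "in":
            allowed = (pkt.proto, pkt.local_port) in self.allow_in
        else:
            allowed = (pkt.proto, pkt.remote_port) in self.allow_out
        if allowed:
            self.established.add(flow)
            return "ACCEPT"
        self.drop_log.append(pkt)
        return "DROP"

    def scan_suspects(self, min_ports: int = 3) -> list:
        """Remote hosts whose dropped inbound packets touched many local ports."""
        ports = defaultdict(set)
        for pkt in self.drop_log:
            if pkt.direction == "in":
                ports[pkt.remote_ip].add(pkt.local_port)
        return sorted(ip for ip, seen in ports.items() if len(seen) >= min_ports)


BACKDOOR_PORT = 5555   # constructed placeholder for a listener the user installed


def run_scenario() -> dict:
    # Handheld policy: nothing reachable from outside, web and mail allowed out.
    fw = Firewall(allow_in=set(), allow_out={("tcp", 80), ("tcp", 25)})
    r = {}
    # The listener exists, but the inbound connection never reaches it.
    r["connect_to_backdoor"] = fw.filter(
        Packet("in", "tcp", BACKDOOR_PORT, "203.0.113.9", 40000))
    # Normal browsing: the request creates state, the reply matches it.
    r["web_request"] = fw.filter(Packet("out", "tcp", 49152, "198.51.100.7", 80))
    r["web_reply"] = fw.filter(Packet("in", "tcp", 49152, "198.51.100.7", 80))
    # Port 80 is open for egress only; unsolicited ingress to it is dropped.
    r["inbound_to_80"] = fw.filter(Packet("in", "tcp", 80, "203.0.113.9", 40001))
    fw.filter(Packet("in", "tcp", 23, "203.0.113.9", 40002))
    # Limitation: egress rules match ports, not programs, so anything on the
    # device that sends mail on the permitted port passes.
    r["outbound_mail"] = fw.filter(Packet("out", "tcp", 49153, "198.51.100.25", 25))
    r["drops"] = len(fw.drop_log)
    r["suspects"] = fw.scan_suspects()
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key:22} {value}")
```

The drop log is what surfaces the probing host; the accepted outbound mail shows why port-based egress rules alone do not identify which program is talking.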

    7. Re:first? bullshit. by Chris+Hodges · · Score: 1
      Things like ad-aware, antivirus and personal firewall do have a role here, but it makes me sick thinking I am going to have to install/update all that shit on a pda.

      For a WiFi/GPRS handheld or smartphone then firewalling the direct connection(s) to the outside world may be needed. The rest (anti-spyware, AV etc) could be hosted on the PC to which the device is synchronised, and run automagically (or on demand) when you connect. Then they can be updated by whatever means your desktop AV updates (assume broadband/corporate LAN and it gets even easier). Chris

    8. Re:first? bullshit. by Chanc_Gorkon · · Score: 1

      Um...ahh I know! :D If they are wirelessly connected, they most likely have 192.168.1.100 or some other IP as any good network admin would know that wireless security is SHIT and needs to be isolated from the rest of your network and doing a NAT and having a firewall between your WLAN and your regular LAN is VERY common. When you're behind a NAT, you're definitely not totally hidden, but for this thing to work, you almost have to have a public IP and even then (GPRS may do this but I bet they use NAT too) you have to be on the network. Also, a quick hard reset and this virus is gone (unless you had it in file store or a SD Card AND click on it again).

      Also, you have to be an idiot to get this one too as you HAVE to run it. I know, there are a lot of idiots out there, but you should hope that they'd have learned by this point. This virus is not going to be common. The common ones are the ones that get spread across the network and this does not even do that....it just tries to zombify your ppc.

      The clowns installing shit could easily be resolved by installing the software you need into the rom (I believe some symbol based ppc scanners have this) and NOT GIVING THEM WIFI Or I should say internet privileges on the WiFi network. That's how you can prevent idiocy with mission critical ppc based scanners.

      --

      Gorkman

    9. Re:first? bullshit. by YU+Nicks+NE+Way · · Score: 1

      Actually, you can prevent them from installing this. Pocket PC devices can be configured to block all software installation except for programs already installed. Wouldn't that solve your problem?

    10. Re:first? bullshit. by mr_z_beeblebrox · · Score: 1

      Until they do a reset. If you believe in the security on a pocket pc I feel for you.

    11. Re:first? bullshit. by xmod2 · · Score: 1

      Even better, Microsoft makes it easy for you with Cabwiz.

      Seth Fogie from Airscanner gave a talk on Windows Mobile PDAs at Defcon this year. Sending CAB files is one way to easily package a trojan in with a game. Plus after installing, the CAB file self destructs. He showed that with this method you could easily replace the onscreen keyboard with your own and log it, open a port and connect with some dev tools to get VNC type access or just place a program in the startup that resets the machine. The only way out then is a hard reset to factory default.

      He also mentioned some buffer overflow vulnerabilities and showed that once you got your shellcode over, you could set the flag for the aforementioned hard reset to happen during the next reboot.

      As for dust, a few small changes and it goes from mostly harmless to a pretty potent virus (for example, it will no longer ask you if it's allowed to spread hehe).

      With the PDAs becoming more popular in business settings (particularly with Wifi access) these problems change from minor end user inconvenience to a source of sensitive information leakage.

    12. Re:first? bullshit. by gl4ss · · Score: 1

      no it doesn't IF the user already WANTS to allow that, which he would have to _want_ to do to get this thing installed(or it would have to be piggybacked on some other installation file, in which case the user would also _want_ to install the program anyways).

      --
      world was created 5 seconds before this post as it is.
  12. Trojan eh??? by m0dd3r · · Score: 1

    Wow, and I always thought keeping a Trojan in my pocket was a way of preventing the spread of viruses !

    1. Re:Trojan eh??? by cipher+uk · · Score: 1

      the best way of preventing that sort of virus is visiting slashdot everyday!

    2. Re:Trojan eh??? by corngrower · · Score: 1

      No, keeping it in your pocket doesn't help. You have to put it on the little pope before having sex.

    3. Re:Trojan eh??? by rikkards · · Score: 1

      And it is recommended not to keep it in your pocket as the heat can prematurely (hehe) erode the latex. Plus keys etc may cause tears inadvertently

  13. Isn't this just an updated amish virus? by AnswerIs42 · · Score: 2, Funny
    I mean, if I have to send it to someone, hope they receive it on their PDA, open and install it and have a wireless or wired connection for it to work..

    Wouldn't it just be easier to send them the Amish Virus instead?

    1. Re:Isn't this just an updated amish virus? by Anonymous Coward · · Score: 0

      I can't believe sophos even lists this as a "hoax" virus. I can't believe anyone stupid enough to believe it is a real virus would be smart enough to delete their files... or even make it to the web site to see it is a hoax.

      I can just see the service call:
      Idiot: I just got the amish virus.
      Tech: What's that?
      Idiot: Says I have to delete all my files.
      Tech: Okay, go to 'My Computer'
      Idiot: Huh?
      Tech: The pretty little icon that looks like a little computer.
      Idiot: Oh. Why didn't you say so? I went there
      Tech: Double click on it.
      Idiot: Okay.
      Tech: Hit the control key + A
      Idiot: Okay
      Tech: Now hit delete.
      Idiot: Okay, I see little pieces of paper going into a trash bin.
      Tech: Great. We're done
      Idiot: Okay, now what.
      Tech: See the windows to your left?
      Idiot: Yes.
      Tech: Open it up and jump out.
      Idiot: Aaaaaaaaaaaaaaaah. Thump

  14. Bots on a PDA? by pklinken · · Score: 1
    As expected, this will most likely be used to make new botnets, and it leads me to wonder: will we soon need firewalls for Windows Embedded?"
    So.. an embedded device on which someone reads email would be a PDA and what's exactly useful about a bot on a PDA that's online now and then and mostly sleeping ?

    I mean.. it's utterleet of course . . .
    1. Re:Bots on a PDA? by Anonymous Coward · · Score: 0

      or it could read a list of passwords/user names and credit card numbers and other personal info on the pda and when it connects online, it would email all that info to wherever.

  15. Wait... by 5m477m4n · · Score: 1

    This cannot spread on its own; it must be mailed or transmitted, then opened. Once opened, it opens a TCP port, allowing the remote-controller to connect and establish control over it.

    This doesn't sound new, hasn't VNC been out for a while?

    --

    ---
    Those who can, do
    Those who can't, teach
    Those who don't know how, supervise
  16. The more viruses.. by Sibeling · · Score: 0, Flamebait

    ..the better anti-virus companies do. (money-wise)

    Call me paranoia. But I wouldn't be surprised if anti-virus companies build viruses themselves.

    1: Build anti-virus product
    2: Build virus
    3: Sell more anti-virus solutions (aka profit!)

    --
    -- Sib
    1. Re:The more viruses.. by Anonymous Coward · · Score: 0

      4. Downsize employees.
      5. Disgruntled ex-employee blows whistle.
      6. Lose Shirt.

    2. Re:The more viruses.. by mr_z_beeblebrox · · Score: 1

      How utterly 90s. Let me show you the REAL money.

      1: Build anti-virus product
      2: Build virus
      3: Sell more anti-virus solutions (aka profit!)

      4: Sell backdoor access to BIG CORPORATIONS

    3. Re:The more viruses.. by tehcyder · · Score: 2, Funny
      Call me paranoia
      Well, I'd call you paranoid.

      If you think you are a disease, I'd say there's certainly something wrong.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    4. Re:The more viruses.. by deimtee · · Score: 1

      How about:
      1. Make noises about downsizing,
      2. Employees go write viruses in spare time
      3. Work picks up
      4. Jobs saved!!

      It's not necessarily the official company policy, but anyone who benefits from something should at least be suspected of being in favour of it.

      --
      I'm guessing that wasn't on their radar screen...
  17. Useful! by mwdmeyer · · Score: 2, Funny

    Hey maybe this program is really useful? I mean does microsoft have a remote control program for windows CE? Think of it like terminal service but FREE! This program is good. Install it!

  18. You shouldn't need a firewall by Gothmolly · · Score: 2, Insightful

    For a PDA. Why does WinCE ship with any ports open at all? What possible services should it offer in an out-of-the-box, no-user-input-required configuration? Look at OSX, no ports open by default. Look at any decent Linux distro - the daemons listen on localhost only. When will MS change their tune, or are they operating under the 'no such thing as bad publicity' theory?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:You shouldn't need a firewall by jimicus · · Score: 3, Insightful

      "No Ports Open" simply means that nothing's listening on those ports. It doesn't mean there's some voodoo magic which keeps them closed. If you want that, it implies you want something at a TCP/IP level in the host OS preventing anything from getting to user level programs. I'd call that a firewall.

      The daemons listening on localhost are configured to. Users don't usually configure trojans.
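
The distinction drawn in the comment above (a port is "open" only while some program is listening on it, and a loopback-only listener is not reachable from the network), as an added example that is not part of the thread: a listener audit over `netstat -an`-style output. The sample listing, the baseline and every port number in it are constructed.

```python
import ipaddress

# Constructed sample in the layout of `netstat -an`; not captured from a real device.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5679           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:631          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING
  TCP    [::1]:8080             [::]:0                 LISTENING
  TCP    192.168.1.100:49160    198.51.100.7:80        ESTABLISHED
"""

# Constructed baseline: the only network-reachable listener this device should have.
BASELINE = {("tcp", 5679)}


def parse_listeners(text):
    """Return (proto, address, port) for every socket in a listening state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[-1] not in ("LISTENING", "LISTEN"):
            continue                      # header, blank or non-listening socket
        # The local address is the first column that carries an address:port pair.
        local = next((f for f in fields[1:] if ":" in f), None)
        if local is None:
            continue
        host, _, port = local.rpartition(":")
        try:
            addr = ipaddress.ip_address(host.strip("[]"))   # [::1] -> ::1
            listeners.append((fields[0].lower(), addr, int(port)))
        except ValueError:
            continue                      # unparseable row: skip rather than guess
    return listeners


def audit(listeners, baseline):
    """Classify each listener by where it is reachable from and whether it is expected."""
    findings = []
    for proto, addr, port in listeners:
        if addr.is_loopback:
            exposure, verdict = "loopback-only", "local"
        else:
            exposure = "all-interfaces" if addr.is_unspecified else "single-interface"
            verdict = "expected" if (proto, port) in baseline else "UNEXPECTED"
        findings.append({"proto": proto, "address": str(addr), "port": port,
                         "exposure": exposure, "verdict": verdict})
    return findings


def unexpected(findings):
    """Network-reachable listeners that are not in the baseline."""
    return [(f["proto"], f["port"]) for f in findings if f["verdict"] == "UNEXPECTED"]


if __name__ == "__main__":
    for f in audit(parse_listeners(SAMPLE), BASELINE):
        print(f"{f['verdict']:10} {f['proto']}/{f['port']:<6} "
              f"{f['address']:15} {f['exposure']}")
```

A listener that appears here without being in the baseline was opened by some program on the device, which is the case a host-level filter or a periodic audit has to catch.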

    2. Re:You shouldn't need a firewall by mobby_6kl · · Score: 1

      This(and any other) trojan opens the port ITSELF.

    3. Re:You shouldn't need a firewall by Anonymous Coward · · Score: 0

      > For a PDA. Why does WinCE ship with any ports open at all?

      Does it? Which ports are open on WinCE by default?

    4. Re:You shouldn't need a firewall by Chanc_Gorkon · · Score: 1

      Activesync works over IP now pretty much. It uses about 2-3 ports by itself. Plus a good percentage of PPCs now have WiFi integrated so various ports would be open.

      Oh and that's not entirely true about OSX.....it has ports 25 and 80 open from the start (for mail and web). OSX also does not happen to ship with a lot of the services other than those open. Trojans don't have to use obscure ports and many don't because they know port 80 and 25 are almost always open. Trojans may be counted with viral malware, but most trojans are not viruses as they don't spread all by themselves...I guess you could call them parasites. The host has to actively consume the parasite by running the program.

      --

      Gorkman

  19. Yes, we'll soon have firewalls for everything by syousef · · Score: 1

    This is something like living in a society where you could leave your doors wide open, then having a spate of house robberies hit your neighbourhood. Suddenly everyone's used to locking their doors. But what about the cars? Yes you'll need to lock them too because sooner or later they'll be hit.

    Eventually all our more sophisticated devices will need firewalls, antivirus and other security, however that evolves. In 10 years expect your mobile, PDA, digital camera etc. to have this. It's a sad truth that as the world gets more sophisticated so do the thieves.

    --
    These posts express my own personal views, not those of my employer
    1. Re:Yes, we'll soon have firewalls for everything by mattyrobinson69 · · Score: 1

      YEAH!!! toasters with a firewall!

      wouldn't want some git to write a trojan that cooked my toast when I'm not looking.

  20. Zaurus by sjoel · · Score: 1

    My sharp Zaurus runs on embedix (linux) so I guess I need not worry about this for a while.

    1. Re:Zaurus by Anonymous Coward · · Score: 0

      Keep believing that
      http://www.csa.syr.edu/suruaz/2002-07-07.txt

    2. Re:Zaurus by dave420 · · Score: 1

      grow up, dude. seriously.

    3. Re:Zaurus by IANAAC · · Score: 1
      And when you realize that you need a firewall on your zaurus, you can get everything you need at:

      http://cmisip.home.insightbb.com/zaurus.htm

    4. Re:Zaurus by RevAaron · · Score: 1

      Actually, there are probably a lot more traditional vulnerabilities on the Zaurus than there are on WinCE PDAs. But, that said, I could just as easily send you a program that you have to save and run that deleted your home directory and apps. No different from this.

      --

      Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
  21. they are already creating a firewall for it by FluffyG · · Score: 3, Interesting

    I had a chat with my cousin's husband close to a year ago and he was working with a company that was creating a firewall for windows CE because they knew this would become a problem plus there are already numerous security flaws he explained to me which I forgot over the course of a year...
    so the idea of a windows CE firewall has already been in the works for some time...

    I was doing a project for school and this topic came up because it was a new technology that could be exploited over time

  22. Re:Windows security? by Anonymous Coward · · Score: 0

    I gave away my Palm because it was a pain in the arse to connect reasonably with my PC. Palm's OS was very limited. I could argue that no one came up with a virus for my first Casio, but that doesn't prove that it is a superior machine.

  23. Not a big deal. by mst76 · · Score: 4, Insightful

    What's the big deal about this, trojans are easy to write for any OS. This particular one opens a listening TCP port, and emails out its IP address. Since WinCE is a fairly complete OS with a TCP/IP stack and an email client, it's rather obvious that something like this can be written. If they'd discovered a hole that can be exploited without user intervention, that would be big news.

    A possible security weakness of WinCE is that it has no real user and privilege separation (like Win9x). But what many people who argue for security through privilege separation forget to mention is that a standard user (both on NT and Unix) usually has quite a lot of privileges. You don't need to be root to open ports >1024 or silently send out thousands of emails. Remember, anything YOU can do under a normal user account, a trojan can do as well. So something like this could be easily written for Linux or MacOS. The only security that privilege separation buys you is that you normally can't change system or other users' files. Since WinCE only supports one user, and the system is in ROM (a hard reset erases all viruses), there is nothing to be gained here.

    1. Re:Not a big deal. by Anonymous Coward · · Score: 0

      I wouldn't call it a virus

      a. if the user has to run it

      and

      b. it doesn't do anything a user couldn't do themselves.

  24. The real solution by BeatdownGeek · · Score: 1
    "will we soon need firewalls for Windows Embedded?"
    What we need is for people to think before they do things. A firewall, antivirus, etc will never stop ignorant people from doing stupid things.

    Viruses and spyware just rely more on social engineering, and the only way to 'fix' that is by limiting what the user can do.

    1. Re:The real solution by Bruha · · Score: 1

      Viruses and spyware just rely more on social engineering, and the only way to 'fix' that is by limiting what the user can do.

      This is not necessarily true. Education will go a long ways towards fixing bad behavior. Though it would do little to help idiots and people with no common sense.

  25. edit: i found the handheld security group by FluffyG · · Score: 1

    http://www.bluefiresecurity.com/

    and yes it seems they already have a firewall for:

    Bluefire supports PDAs running the following operating systems:

    * Windows Mobile 2003
    * Windows Mobile 2003 Phone Edition
    * Pocket PC 2002
    * Pocket PC 2002 Phone Edition
    * Palm 4.1

  26. My Firewall IS running Windows CE by Air-conditioned+cowh · · Score: 4, Interesting

    I just got a Belkin 54g ADSL router and have been dismayed by its annoying habit of not syncing for hours at a time then deciding to work again. Another ADSL modem works all the time.

    I discovered that the admin interface called up a file with a .exe suffix. Oh oh. That means that the box itself is running some kind of MS software. This probably explains why it behaves in such a flakey manner generally.

    I wonder how long it will be before these so-called firewall boxes are turned into zombies.

    Now Windows is worming its way into more and more embedded appliances people are just having to get used to a lower and lower standard of reliability from devices that never used to crash or get viruses, such as ATM machines, firewall/routers, mobile phones etc.

    I hope consumers and embedded developers become aware of this and stop the rot.

    1. Re:My Firewall IS running Windows CE by Anonymous Coward · · Score: 0

      I wonder how long it will be before these so-called firewall boxes are turned into zombies.

      Did you try running ethereal on the WAN side of your socalled "firewall"?

      Unless you run Windows Update on it regularly, it's probably already a zombie.

    2. Re:My Firewall IS running Windows CE by dave420 · · Score: 1
      So, instead of providing ideas how to fix the problem, you're in favour of throwing the whole OS out the window? Very good. Genius. Sheesh.

      We're talking about a TROJAN here. You could write one for Linux easily. You could write one for any OS that has a TCP/IP stack and can execute programs. This is clearly not a microsoft-only problem, so stop treating it as such. All you're doing is showing your complete lack of objectivity and reasonable thought when dealing with an article that mentions "microsoft". The /. disease.

  27. Re:Why must you always pick on Windows CE??+ by RPoet · · Score: 1

    I'm sorry, modders, I'll try to never attempt this level of irony in my posts again.

    --
    "Oppression and harassment is a small price to pay to live in the land of the free." -- Montgomery Burns.
  28. Ahem..... ILOVEYOU by jimicus · · Score: 1, Insightful
    kindly check the attached LOVELETTER coming from me.
    <Attachment: LOVE-LETTER-FOR-YOU.TXT.VBS>

    ... and I guarantee this will be modded down.

  29. Re:Why must you always pick on Windows CE??+ by tehcyder · · Score: 0
    I thought everyone knew that you don't do irony on /. where Linux is concerned.

    --
    To have a right to do a thing is not at all the same as to be right in doing it
  30. Time Shift by byronne · · Score: 1

    Um, has Cowboy Neal tivoed (sic) himself? This is about the third story this week that he's reposted. Maybe a vacation (or a return from one to the frontal lobes) is in order?

    Not that I really mind having the same information repeatedly drilled into me - promotes retention.

    --
    "Look, Smithers! I'm Davy Crockett!"
  31. Re:Windows security? by jimicus · · Score: 1

    It's not WinCE, it's "Windows PocketPC Edition" : ie. the slightly newer version on all the managers' iPaqs.

    It "only works on ARM devices". Well, seeing as that's 80-90% of the PDA market and Microsoft don't actually develop Windows Pocket for anything other than the ARM processor, that's a non-issue.

    And Palm have been losing market share to mobile Windows devices for some years now.

    So, in answer to your question, I'd say we learn damn-all.

  32. It IS a big deal. by Anonymous Coward · · Score: 0

    He didn't call it a virus, he (correctly) called it a trojan. However, this IS a big deal.

    The problem is that too many people ARE fooled by trojans. If the coming generation of phones are getting more powerful, this will become a problem. Just imagine receiving a "matrix screensaver" or "britney ringtone" from a friend. And indeed, it appears to be a screensaver or ringtone when you run it. But it also silently sends itself to all the contacts in your phone at 3AM, and then proceeds to dial an off-shore 10$/min number.

    Now I realize that the programmers at Windows Mobile, or Symbian or PalmOS are not idiots. But many end users are. How powerful should your phone OS be? "With great power comes great responsibility."

    1. Re:It IS a big deal. by armando_wall · · Score: 1

      With great power comes great responsibility.

      I always found that quote very insightful, until they used it in the Spiderman movie. Now it sounds like if I heard "These pretzels are making me thirsty!". Damn media. X-D

  33. Re:Windows security? by Anonymous Coward · · Score: 0

    > So what do we learn from the fact that the first handheld-worm was released for Windows CE and not for PalmOS?

    Read the f*cking headline, it's a trojan, not a worm. Anyone with the PalmOS dev tools installed can whip up a trojan in two minutes.

  34. Re:Why must you always pick on Windows CE??+ by armando_wall · · Score: 1

    The thing is that what you said has been said and counter-said and counter-counter-said millions of times before.

    But what the heck.. this is slashdot, anyways.

  35. Get a clue. by Anonymous Coward · · Score: 0

    It's not a worm. It's a trojan. A trojan that could do exactly the same thing on any other PDA OS.

    No flaw is causing it to spread.

    And to dispel your other fud. First handheld worm/trojan/whatever?

    http://www.trendmicro.com/en/about/news/pr/archive/2000/pr0828b00.htm

    Mod parent down please!

  36. Automotive use of WInCE... by Powertrip · · Score: 1
    Isn't this thought scary? With M$FT's push to get more and more Automotive applications for WinCE (or similar) could you imagine the impact of such an exploit?
    All of a sudden your vehicle stops responding, your dash fills with idiot-lights, and you are forced to pull-over and 'reboot' :)

    What's next? Having your On-Star system auto-dial one of those Long-Distance scam numbers in Sao Tome? http://www.businessknowhow.com/newlong.htm

    1. Re:Automotive use of WInCE... by Anonymous Coward · · Score: 0

      When a user is logging into the embedded computer in his car to run an email attachment, I think more than just his car is needing a "reboot".

    2. Re:Automotive use of WInCE... by dave420 · · Score: 1
      It's. A. Trojan.

      Unless you were randomly running strange applications on your car's PocketPC, this won't affect you. It's a trojan. It can happen on ANY OPERATING SYSTEM WITH TCP/IP. Sheesh. Anyway, your car would be running Windows Embedded, which is a completely different product.

      People can't even bash microsoft properly these days. But still they try.

  37. What about PalmOS? by lokiz · · Score: 2, Interesting

    Anyone know if there has been any malware for PalmOS? Go into any CompUSA, BestBuy, Staples etc and the PDAs will have PalmOS or WindowsCE. Once in a blue moon you'll find a linux based PDA, but it is still rare. So I would think a security comparison would be in order of PalmOS and WindowsCE since they are the more common PDA OSes.

    1. Re:What about PalmOS? by kevinmf · · Score: 1

      I'm sure it's been done. It's just as easy to interface with the palm os tcp stack as it is on any other operating system (*nix, windows*, blah blah blah)

      As a bunch of other posters have already pointed out - anything with a tcp stack and executes programs is vulnerable to a TROJAN. This is not an exploit.

  38. COOL! by jav1231 · · Score: 2, Funny

    Trojan: "Dude! I owned an iPAQ! Emailed to the user, he opened me up and BAM! I had root access to this...uh...little....uh...bitty....room. ....ahemm..."

  39. The Bad M$ by TheM$Man · · Score: 1, Funny

    It has the trojan because it is the M$. If it was not the M$ it would not have the trojan. Why you ask? Because the M$ is bad. No matter what they do is bad. Some even say Bill Gates deserves "death" because of the M$. They must all be right because the M$ is bad. Bad bad bad M$.

  40. Firewalls all around! by Cid+Highwind · · Score: 3, Insightful

    "...and it leads me to wonder: will we soon need firewalls for Windows Embedded?"

    Not soon, you need them now! If a device has a public network interface, it needs a firewall. It's not just a matter of Windows sucking, PalmOS, Symbian, Linux, etc. devices are going to have exploitable bugs (and therefore need firewalls) as well.

    --
    0 1 - just my two bits
    1. Re:Firewalls all around! by Ziviyr · · Score: 1

      In Linux I often find it's good enough to just disable useless or dangerous services.

      Windows doesn't have that luxury (or at least I haven't found a big enough hammer to achieve that with), AND its own firewall let at least one worm pass anyway!

      No, if people have no faith in the ability of Microsoft to competently engineer anything, for some people at least, it's a well earned belief.

      --

      Someone set us up the bomb, so shine we are!
  41. Re:Windows security? by Anonymous Coward · · Score: 0

    I have an iPaq h2210, which runs Pocket PC 2003. If I open Asset Viewer and choose "Version", it reads "OS Version: Windows CE 4.20".

  42. Catching trojans is for idiots by nurb432 · · Score: 2, Insightful

    A trojan requires direct user intervention.. It should not surprise anyone that one exists..

    It should be a surprise that people still fall for them in this day and age.

    Now if this was a worm for CE.. that would be news.

    --
    ---- Booth was a patriot ----
  43. I think... by Anonymous Coward · · Score: 0

    I'll wait until the next release. You know these first releases always have stability issues.

  44. Blackhat talk on Windows Mobile PDA Trojans by Anonymous Coward · · Score: 0

    This was covered at Blackhat and Defcon by Airscanner. They demoed a trojan, keylogger, buffer overflow attack, and an altered version of the Duts virus that was released a couple weeks ago.

    Based on that talk, things aren't looking good.

    http://www.airscanner.com/pubs/BlackHat2004.pdf

  45. Waste of Time by Anonymous Coward · · Score: 0

    Firewalls are not gonna be needed until CE based units actually do something half useful. I mean do you really need someone's schedule or their phone numbers? Get real.

  46. Re:Windows security? by callipygian-showsyst · · Score: 1
    http://www.wired.com/news/technology/0,1282,38997,00.html

    Here's a reference to a Palm Virus from 4 years ago!

    So what do we learn from the fact that the first handheld-worm was released for Windows CE and not for PalmOS?

    We learn that you're some kind of crazy zealot, or perhaps one of the folks Apple hires to spread lies in blog sites!

  47. Re:Windows security? by dave420 · · Score: 1

    Errr. because there are more Windows PDAs out there than Palm ones, and Palm PDAs can't do as much as the windows ones (and so are less apt for trojans, etc.). It's not brain science :)

  48. Windows Embedded already vulnerable by halfabee · · Score: 1

    We had a hell of a time last fall when the Nachi worm somehow got loose on our network.

    After patching all our desktops and servers, and continuing to see "infections" on new unprotected computers, I finally found the last holdout for the worm: an Iomega NAS device running Windows Embedded.

    My assumption is that devices that run Windows Embedded "look" just like Windows 2000 or XP in most respects. I was even able to connect to the NAS via DameWare remote control, which was a bit of a shock.

    --
    -- Halfabee
  49. stupidity.... by Anonymous Coward · · Score: 0

    I always open executable attachments on my pocketpc. I then go on to forwarding them to all my pocketpc-using friends.

  50. The MacOS security myth by EvilAlien · · Score: 1
    Here is some clue:

    There is a common misperception that Apple's various releases of MacOS are more secure than alternatives A, B and C, and that "you can't hack a Mac". That, of course, is pure bullshit. The evidence often cited to support that outlandish claim is the lack of viruses or "hacking" incidents involving MacOS personal computers. One of the, if not the most important, factors in the "popularity" of a virus or worm is the popularity of the host it is designed to affect. MacOS may comprise a mere 5% (which is probably lower than the proportion of Linux desktop users) of desktops today, however Apple's products dominated back in the day. They have since lost that dominance to a little upstart based in Redmond, Washington ;)

    Anyways, I think a review of some malicious code history is in order.

    As you can see from the history, the bit of code considered to be the first virus, Elk Cloner, spread from machine to machine on floppy disks. Of course, Apple was the shiznit at that time, and kids could get access to them in school.

    Fast forward to 1986, and we see the first viruses hitting MS-DOS, which was starting to become popular at that time. The first self-replicating bit of malware (aka worm) was identified in 1987, affecting IBM mainframes.

    It wasn't until 1988 that the first virus-related crisis broke out, but that often overshadows the fact that 1988 also marked two new viruses for the Apple Macintosh, including the first major outbreak. The Mac was still a very popular desktop at this time, both for business and in the educational sector.

    Over the next few years, Apple's popularity decreased while Microsoft got a stranglehold on the desktop computer market. PCs running Windows started to become affordable, moreso than Apple's products, and personal computers spread rapidly into homes. With this increase in popularity came an even more rapid pace in malicious code being seen out in the wild.

    It doesn't take much brain power to see that viruses, worms, trojans, and other malware are written for the big targets. Vulnerability in the target certainly plays a role, and both Apple and Microsoft have had their share of attention. Microsoft gets a far bigger share, of course. Given that they comprise roughly 90% of desktop PCs, it should be no surprise that the kiddies who write viruses are both using and targeting Windows products. It also doesn't help that Microsoft is only starting to really get a clue about security.

    However, this shift has resulted in the misperception that I mentioned at the beginning of this post. Is Apple a victim of the "you can't hack a Mac" delusion? There is some evidence that they are. A recent Security Focus article discusses a recent vulnerability in MacOS X - Apple patches critical Mac OS X hole:

    The hole was discovered by a German techie called "Lixlpixel," who claims to have reported the bug to Apple on February 23rd. It wasn't until nearly three months passed without any response from the Cupertino, Calif. computer maker that Lixlpixel went public with the hole, when discussions about it began showing up in online forums, he says. Security services firm Secunia confirmed the vulnerability and released a formal advisory on Monday. Secunia rates the bug "extremely critical."

    Apple's responses to the reports ranged from silence, initially, to smug assurances that customers are not at risk and that MacOS X's UNIX core is more secure than most. UNIX may have better inherent capabilities for security than Windows due to design, however a poor implementation of a UNIX-based system is equally (if not more) vulnerable than most systems ("most" being everything that isn't UNIX).

    The big question is whether or not Apple has a good and secure implementation of UNIX at the heart of their product? Short answer: hell no. One of the pred

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'
  51. Hmm. Not much of a virus really. by Anonymous Coward · · Score: 0

    Hello, I am a virus. Please
    1) send a copy of me to everybody in your address book
    2) delete everything on your hard drive

    Thanks

  52. /. is a mirror of the register by Anonymous Coward · · Score: 1, Insightful

    Why has slashdot become a mirror of 2 day old register stories?

  53. Differences in Construction / Custom by SeanDuggan · · Score: 1
    As a parent poster noted, one of the purposes of seatbelts is to keep people from going through the windshield or, worse, the engine block. I think the best quote I saw for that was from 8-Bit Theatre where Black Mage comments on how his lack of a seatbelt will allow him to be "thrown free of the wreck to safety" with Red Mage retorting that indeed it will, except that it will also throw him "through the shattering window which would more closely resemble a cloud of high-velocity multi-faceted razor blades." Also, in a car crash, it is in one's best interest to be kept within the car during the crash because the car provides a protecting structure. In comparison, on a motorcycle, there's nothing really to get thrown through and there's no real protection in staying with your vehicle. (Perhaps it's even worse due to the likelihood of getting pinned between the bike and the pavement)

    In actuality, I suspect the answer is more grounded in custom. Motorcyclists have never had seatbelts and often haven't even worn helmets or protective clothing, so they're not required to. Probably the same reason busses lack seatbelts. (Although some school busses are installing them, probably to forestall lawsuits.) Similarly, AFAIK, if your car was built before seat-belts were required to be installed, you're not obliged to wear them.

    More along the lines of the topic, I'm mildly leery of firewalls being required to be installed. If they were, I'd say that they should by default only block ports that a typical user wouldn't need. And there should be a nice error message as to why as well as a big help section in the back of the manual about what to do when such an error message occurs. Otherwise, we're bound to get a lot of users claiming "their machine is broken."

    --
    This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
    1. Re:Differences in Construction / Custom by Nasarius · · Score: 1
      Although some school busses are installing them, probably to forestall lawsuits

      The school buses in my area have had seat belts since, oh, at least fifteen years ago.

      --
      LOAD "SIG",8,1
  54. No big whoop by Xeger · · Score: 2, Insightful

    It's not exactly difficult to make a trojan for Windows CE... just write a simplistic Win32 trojan, taking care to only use API calls supported by CE and avoiding use of the standard C library (always good advice when writing virii/worms/trojans, anyhow!)

    If someone had released this trojan for the Win32 platform it would be almost laughable, not newsworthy except for its silliness. But compile it against a different set of DLLs and target a different architecture, and suddenly it's news? What gives?!?

    Not to mention the fact that the heterogeneity of Windows CE instruction set architectures makes it hard for a virus or worm to spread. Even if you write a genuine virus, if you target ARM (the most popular chip for CE devices), at best you'll be able to infect 60% of the devices your virus encounters.

    1. Re:No big whoop by Anonymous Coward · · Score: 0

      It was written in ASM for ARM. Same as the virus released two weeks ago. This does show some 'skill'. There were no dlls to compile it with. In ASM you don't get that benefit. Plus in ASM for ARM, you have to use an algorithm just to find the memory addresses for the function calls you want in your program. Point is, this isn't your simple programmed trojan.

    2. Re:No big whoop by Xeger · · Score: 1

      OK, my fault for not RTFA. I agree that any malware written in assembly requires some skill.

      On x86, it's relatively easy to call Windows API from asm ... you can declare the symbols using some special asm syntax and link against a .lib file. The linker will produce a map of all the symbols you want to import, and at runtime, the PE loader will resolve the Import Address Table for your process. If you're super-leet, you can also raise an interrupt during execution to call an API.

      Do you have a pointer to more specific info on how the process works on ARM? I'm curious how it differs... I find it hard to believe that processes running on ARM don't get the benefit of an IAT, but if so, that's pretty barbaric.

    3. Re:No big whoop by Anonymous Coward · · Score: 0

      From what I have learned, Windows Mobile doesn't have that IAT found in other Windows OSes, mainly due to space considerations. You have to build a small search algorithm to locate the coredll.dll file's location in memory, then build another search algorithm to search for the desired functions that are called using their decimal export value. In other words, you have to know ahead of time what the values are and create your own table in the program to handle function calls. To my knowledge, the Duts virus was the first that did this. I am itching to RVE the backdoor to see if it is the same.

    4. Re:No big whoop by Xeger · · Score: 1

      Wow, that's pretty hardcore...every program has to build its own import table every time it runs. It's the ultimate speed-for-size tradeoff!

      I'm going to look into this more ... curious to see how the initial search algorithm works. Iterating thru the entire address space looking for a module sounds like a really bad idea, especially if the architecture supports VM ... you never know when you'll hit an invalid page.

    5. Re:No big whoop by Anonymous Coward · · Score: 0

      I am not sure how other programs handle it...but I think you just inspired me to check. I am just familiar with how Duts handles it. But I am guessing that might very well be the case...

      YAY! Now I have an excuse to play with my ARM :)

    6. Re:No big whoop by Xeger · · Score: 1

      This reminds me of an x86 virus I was looking at the other day ... it finds the address of a certain kernel data structure by finding the user32 module in physical memory, locating a certain API that uses the data structure and disassembling the first hundred or so instructions. Devious!
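
A static triage check for the trait this thread describes (hand-written ARM code that locates coredll.dll exports itself instead of declaring imports), as an added example that is not from any poster. It reads the PE headers and marks ARM images with an empty import directory for manual review; the sample images are constructed header stubs and the names `triage_pe` and `build_sample` are hypothetical.

```python
import struct

# COFF "Machine" values from the PE/COFF specification.
MACHINES = {0x014C: "i386", 0x01C0: "ARM", 0x01C2: "Thumb", 0x8664: "x64"}
ARM_FAMILY = {0x01C0, 0x01C2}


def triage_pe(data: bytes) -> dict:
    """Report target CPU and whether the import data directory is populated."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ signature")
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        machine, _nsec, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
            "<HHIIIHH", data, e_lfanew + 4)
        opt = e_lfanew + 24                      # start of the optional header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                       # PE32
            count_off, dirs_off = 92, 96
        elif magic == 0x20B:                     # PE32+
            count_off, dirs_off = 108, 112
        else:
            raise ValueError("unknown optional-header magic")
        (ndirs,) = struct.unpack_from("<I", data, opt + count_off)
        rva = size = 0
        # Data directory index 1 is the import table (8 bytes per entry).
        if ndirs > 1 and dirs_off + 16 <= opt_size:
            rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8)
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    has_imports = rva != 0 and size != 0
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "has_imports": has_imports,
        # Heuristic only: an import-less ARM image deserves a closer look.
        "review": machine in ARM_FAMILY and not has_imports,
    }


def build_sample(machine: int, import_rva: int, import_size: int) -> bytes:
    """Constructed header-only PE32 stub used as test input (no code section)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header follows
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, import_rva, import_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for name, blob in [("arm-no-imports", build_sample(0x01C0, 0, 0)),
                       ("arm-with-imports", build_sample(0x01C0, 0x2000, 0x28)),
                       ("x86-no-imports", build_sample(0x014C, 0, 0))]:
        print(name, triage_pe(blob))
```

An empty import directory is a reason to look closer, not a verdict: packers and some legitimate tools produce the same header shape.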

  55. Social eng (trojans) !=a windoze-specific problem by twigles · · Score: 1

    I hate M$, their technology annoys me and their business practices offend me. Having said that I must say that it is biased and ignorant to say that Windows CE is insecure because a trojan horse exists. Here's a program I like to call DeadGaim and distribute to people running Gnome:

    #!/bin/sh
    rm -rf /*

    If some dumbass running as root executes this little jewel does that mean that Gnome and/or the underlying OS is faulty? No, it means that someone just got nailed by a crude form of social engineering.

  56. Re:Will we soon need firewalls for Windows Embedde by Marxist+Hacker+42 · · Score: 1

    Worse yet- will we need firewalls for hardware firewalls designed on Windows Mobile/Embedded? The recursion could be endless.

    --
    SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
  57. Firewalls by Rick+Genter · · Score: 1
    will we soon need firewalls for Windows Embedded?


    In my opinion, you need a firewall for anything that can connect to the Internet. Period.
    --
    Don't underestimate the power of The Source
  58. Re:Windows security? by RevAaron · · Score: 1

    So what do we learn from the fact that the first handheld-worm was released for Windows CE and not for PalmOS?

    Umm... Nothing really. Other than that someone felt like doing it there. Also, it's not a worm- it's a trojan. It'd be even easier on PalmOS to create a trojan for PalmOS that deleted all of your data, or even trashed the ROM. PalmOS is far more retarded than CE, unfortunately.

    --

    Working toward a usable PDA environment in the spirit of Newton OS: Dynapad
  59. Port scan results by irenetheno · · Score: 1
    Here are the nmap results from a WinCE 2.0 device with ActiveSync running.

    PORT STATE SERVICE
    137/udp open netbios-ns
    138/udp open netbios-dgm
    139/tcp open netbios-ssn
    990/tcp open ftps
    All that's needed now for a worm or virus to propagate directly is a buffer overflow and a binary compiled for WinCE, yes?
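
A defender's use of the scan above, as an added example that is not part of the post: treat the quoted port table as the device's known-good baseline and diff later scans against it, so a new TCP listener of the kind the story says Brador opens stands out. The later scan is constructed, and 40000/tcp is a made-up port, not one taken from any sample.

```python
import re

# Port table quoted in the post above (WinCE 2.0 with ActiveSync running).
BASELINE_SCAN = """\
PORT STATE SERVICE
137/udp open netbios-ns
138/udp open netbios-dgm
139/tcp open netbios-ssn
990/tcp open ftps
"""

# Constructed later scan of the same device (illustrative values only).
LATER_SCAN = """\
PORT      STATE         SERVICE
137/udp   open          netbios-ns
138/udp   open|filtered netbios-dgm
139/tcp   open          netbios-ssn
990/tcp   closed        ftps
40000/tcp open          unknown
"""

# One row of nmap's normal-output port table: port/proto, state, service.
ROW = re.compile(r"^\s*(\d{1,5})/(tcp|udp)\s+(\S+)\s*(\S*)")


def parse_ports(text):
    """Return {(port, proto): (state, service)} for every table row."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, proto, state, service = m.groups()
            table[(int(port), proto)] = (state, service or "unknown")
    return table


def diff_listeners(baseline, current):
    """Compare two scans: new listeners, vanished ones, and ambiguous UDP."""
    before, after = parse_ports(baseline), parse_ports(current)
    was_open = {k for k, (state, _) in before.items() if state == "open"}
    new, gone, unsure = [], [], []
    for key, (state, _service) in sorted(after.items()):
        label = f"{key[0]}/{key[1]}"
        if state == "open" and key not in was_open:
            new.append(label)            # listener that was not in the baseline
        elif state == "open|filtered" and key in was_open:
            unsure.append(label)         # nmap could not confirm; rescan
    for key in sorted(was_open):
        state = after.get(key, ("absent", ""))[0]
        if state not in ("open", "open|filtered"):
            gone.append(f"{key[0]}/{key[1]}")
    return {"new": new, "gone": gone, "unsure": unsure}


if __name__ == "__main__":
    print(diff_listeners(BASELINE_SCAN, LATER_SCAN))
```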
  60. Re:Windows security? by Akimotos · · Score: 1

    What a complete BS. What about Symbian dude??? Seen the sales figures of last week? Marketshares of Palm (22%), Windows CE (23%), Symbian (35%). And there is one lousy conceptual virus detected for Symbian UIQ (SE P900 Smartphone).

    Just face it... Windows is crappy code and crappy code gets exploited. It doesn't get much simpler.

  61. Re:Windows security? by Dominatus · · Score: 1

    There WAS NO EXPLOIT. How many times do people have to say this? There is no code exploit. This is not a worm. It's a trojan. A trojan that could be made for any OS at any time w/o any trouble.

  62. There are worse things out there... by Anonymous Coward · · Score: 0

    You want a real virus?

    Get airpwn (from DEFCON), and have it start feeding people malicious PNGs based on their User-Agent (not always accurate, but probably the simplest way to hack airpwn into a mass-hacking tool).

    You guys have updated everything that uses libpng already, right?

  63. Re:Still wear them Department by Anonymous Coward · · Score: 0

    Why cover Pope? Only paranoid people cover Pope.

  64. Firewall Traversal by cascadefx · · Score: 1
    As expected, this will most likely be used to make new botnets, and it leads me to wonder: will we soon need firewalls for Windows Embedded?


    I am surprised there hasn't been more developed for CE yet. Being exceptionally mobile, they cross the firewall borders of institutions every day.

    It's the same problem we have with disks, just smarter.

    We get similar issues with laptops. All the filtering at the border doesn't matter so much once you bring in a laptop that was infected while outside and just got plugged into the network.

    There are ways around this, of course, but they are difficult and not everyone implements them.

    CE seems like fertile territory precisely because attackers KNOW it is a mobile platform. An attacker could write generic PC code all the day and hit a laptop out of luck... still effective, but sloppy. Now, targeting a mobile only (for the most part) OS/platform seems more sinister.

    Scary stuff.

  65. there is a firewall for windows ce by Anonymous Coward · · Score: 0

    not that it would work against a trojan such as this as many have already pointed out, but check out:

    http://www.bluefiresecurity.com/

  66. The payload is the easy part... by argent · · Score: 1

    People keep creating malware payloads - trojan horse backdoors, destructive applications, and so on - for obscure or so-far-unexploited platforms and sending them to antivirus companies or the media who promptly go to "orange alert". The payload isn't interesting, it's the easy part. People have written trojan horse payloads in Postscript to run in laser printers, for heaven's sake.

    The tricky part is the other half... getting the horse inside the walls in the first place. Without that, all you have is a cherry bomb. Show us the delivery mechanism... how is the virus/worm/whatever passed on from one system to the next... and you have something worth showing.

    Windows CE is not my favorite operating system. It's all the bad features of the Windows programming model without any of the good parts. But it's not built around a deliberately crippled desktop like Windows 9x/NT/XP/... are, and there's no reason to assume that the exploit - the hard part - is going to be a piece of cake.

  67. Can you guess? by Anonymous Coward · · Score: 0

    It doesn't surprise me at all. It is, after all, Windows. And, Windows has the worst track record for lack of security.

    Anyone who uses a Windows-based OS deserves to be trojaned/virused just because they are stupid enough to actually use a Windows-based OS.

  68. Re:Ahem..... ILOVEYOU by arose · · Score: 1

    It was modded up, what do I get from your guarantee?

    --
    Analogies don't equal equalities, they are merely somewhat analogous.