Trojan hits Windows PDAs for first time

After finding the third malicious program targeting wireless devices in fewer than 60 days, security specialists are warning that it's only a matter of time before attackers launch a serious attack against mobile phones and PDAs.

Kaspersky Labs has reported the first incidence of a Trojan horse that targets certain Windows-based handheld devices. Backdoor.WinCE.Brador.a is a backdoor utility that, security vendor F-Secure says, "copies itself to the startup folder, mails the IP address of the PDA to the backdoor author and starts listening to commands on a TCP port. The hacker can then connect back to the PDA via a TCP port and control the PDA through the backdoor". It can infect Pocket PC devices running Windows CE Version 4.2 and later, and newer versions of Windows Mobile.

The discovery of the Brador Trojan horse comes less than three weeks after security experts identified Duts, the first proof-of-concept virus to target the Pocket PC platform; and not quite two months after the discovery of Cabir, a proof-of-concept worm that spreads via Bluetooth. Duts can infect devices running Pocket PC 2000, Pocket PC 2002 and Pocket PC 2003. Cabir can infect Bluetooth phones running the Symbian OS.

"We were certain that a viable malicious program for PDAs would appear soon after the first proof-of-concept viruses emerged for mobile phones and Windows Mobile," Eugene Kaspersky, head of anti-virus research at Kaspersky Labs, said in a statement.

Whereas Duts and Cabir are conceptual viruses that contain no payload, Brador is a fully functional Trojan horse with the complete range of destructive functions typical of other backdoors, according to Kaspersky Labs. For example, the program can respond to commands to upload or download files.

"Backdoor.WinCE.Brador.a is most probably already in the wild, and it's absolutely viable," says Alexey Zernov, a spokesman for Kaspersky Labs. "This backdoor wasn't written for demonstration but for a specified purpose: to penetrate PDAs, getting full control of the infected mobile device."

A group called 29A is responsible for creating Duts and Cabir. According to Kaspersky Labs, a Russian malicious code writer created Brador with the text: "Get to work, folks, the Pocket PC market will soon explode."

Once in the wild, Brador could prey upon the growing numbers of wireless-enabled handheld devices corporations are deploying to run IP services, connect to the Web and provide remote access to corporate network resources. But exactly how damaging such attacks could be is debatable.

Symantec categorizes Brador as a Level 1 threat in a range from 1 to 5, with 5 being the most severe.

The threat of vandalism and information leakage exists, but a compromised cell phone isn't likely to knock over an entire corporate network, says Rodney Thayer, a private network security consultant at Canola & Jones and a Network World Lab Alliance member. "I'm not sure I would have put it at Level 1, but I wouldn't be running around crying we have an immediate, incredible crisis either."

Data access is a concern, says Joel Snyder, a senior partner at consulting firm Opus One Inc. and a member of the Network World Lab Alliance. When users access corporate resources over the Internet via a mobile device, it's important that IT managers restrict their network access, Snyder says.

Offsetting the threat to mobile devices is the fact that they're not continuously connected to the Internet. Rather, users tend to connect for a few minutes every few hours, which makes them less attractive to Trojan horse writers than broadband-connected PCs, for example, Snyder says.

But that could change. "In two or three years, when power requirements for wireless LANs are resolved, we may well see someone with a Pocket PC-sized machine that's wirelessly connected all day long," Snyder says. Securing mobile devices is going to become a bigger issue as they become more connected, he says.

Mobile devices are vulnerable to attack for multiple reasons, Snyder says.

For one, handheld devices don't have a lot of computational resources to process or capacity to store security features. "Adding a lot of password screens and authentication stuff might require resources that are just not available in those devices," he says.

So companies tend to forgo really strong authentication systems, such as digital certificates, because of the computational burden.

Mobile device developers also aren't accustomed to stringent security requirements, Snyder says. "It's not part of their mindset because they never lived in this hostile environment."

On the plus side, the growing number of attacks is putting emphasis on the need to pay more attention to mobile devices.

Creating and enforcing usage policies is critical. A little more vigilance is warranted, Thayer says.

The problem is, users perceive mobile devices as their own and download with abandon. "It's going to be an uphill battle for IT managers, just because of the nature of the devices," Snyder says.

Users are watching the developments carefully.

"Given that the majority of CE devices in production currently are not network connected, (any) exploit will hopefully be minimal," says Christopher Misra, a network analyst at the University of Massachusetts. "However given the trend toward network connection for handhelds, and increased wireless coverage, this may become more serious."

At Ozburn-Hessey Logistics, the majority of handheld devices in use at the Nashville company contain only personal data. A few employees might store spreadsheet files containing corporate information, says Matthew Booher, director of IS at Ozburn-Hessey. Also, the PDAs are not wireless-enabled, except for a handful of BlackBerry devices. The BlackBerries, which can be used to access e-mail wirelessly, "could be a real problem" if a PalmOS Trojan were to surface, Booher says.

Preventing PDAs and PCs from transferring viruses to each other via the direct synchronization link could be a job for anti-virus software, Booher says. "My thought would be to have the PC anti-virus program be smart enough to look for the virus on the PC and block it before it got to the handheld. Obviously, wireless connections would be a different matter."

Senior Editor John Cox contributed to this story.


How it works

Brador is a classic Trojan backdoor program that opens an infected machine for remote administration, according to Kaspersky Labs Ltd. It cannot spread by itself; it launches if a user opens an e-mail attachment in which it's embedded, downloads it from the Internet or uploads it.

Once launched, the 5,632-byte program creates an svchost.exe file in the Windows autorun folder, which lets it assume full control over the system every time the handheld is turned on. Brador identifies the machine's IP address and sends it to the author, verifying that the handheld is on the Internet and the backdoor is active. Brador then opens Port 44299 and awaits further commands.

The open port gives the author full control over the infected PDA. Brador is programmed to upload and download files and execute a series of other commands. -- Network World (US)
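The indicators named above (an svchost.exe dropped into the autorun folder, a 5,632-byte file, and a listener on TCP port 44299) are enough for a simple host check. The following is an added example written for this page, not code from Network World, Kaspersky or F-Secure: it runs the two checks over constructed netstat-style output and a constructed file listing. The startup folder path `\Windows\StartUp` is an assumption, since the article only says "autorun folder".

```python
"""Check for the Brador indicators described in the article (added example)."""
import re

BRADOR_PORT = 44299           # listener port named in the article
BRADOR_SIZE = 5632            # file size in bytes named in the article
DROPPED_NAME = "svchost.exe"  # file the article says is created in the autorun folder
# Assumed Pocket PC startup folder; the article only says "Windows autorun folder".
STARTUP_DIR = r"\Windows\StartUp"

# Matches lines such as "TCP  0.0.0.0:44299  0.0.0.0:0  LISTENING"
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\w+)", re.I)


def find_listener(netstat_lines, port=BRADOR_PORT):
    """Return local endpoints that are in LISTENING state on the backdoor port."""
    hits = []
    for line in netstat_lines:
        m = NETSTAT_RE.match(line)
        if not m:
            continue  # header or non-TCP line
        local_ip, local_port, _, _, state = m.groups()
        if int(local_port) == port and state.upper() == "LISTENING":
            hits.append(f"{local_ip}:{local_port}")
    return hits


def find_dropped_file(listing, startup_dir=STARTUP_DIR):
    """listing: iterable of (path, size_bytes). Returns svchost.exe entries found
    in the startup folder; size_match is True when the size equals the sample's."""
    findings = []
    for path, size in listing:
        folder, _, name = path.rpartition("\\")
        if name.lower() == DROPPED_NAME and folder.lower() == startup_dir.lower():
            findings.append({"path": path, "size_match": size == BRADOR_SIZE})
    return findings


# Constructed sample data, not captured from a real device
SAMPLE_NETSTAT = [
    "Proto  Local Address      Foreign Address    State",
    "TCP    0.0.0.0:44299      0.0.0.0:0          LISTENING",
    "TCP    192.168.1.7:1034   10.0.0.5:80        ESTABLISHED",
]
SAMPLE_LISTING = [
    (r"\Windows\StartUp\svchost.exe", 5632),
    (r"\Windows\svchost.exe", 18432),  # outside the startup folder: not flagged
]

if __name__ == "__main__":
    print(find_listener(SAMPLE_NETSTAT))
    print(find_dropped_file(SAMPLE_LISTING))
```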
