Guest mini_man Posted March 3, 2006

At 10:53AM 3/03/06 it was discovered that a virus had jumped from a desktop PC to PDA.

The Company The Mobile Malware Researchers Association (MARA) has said that it has discovered what has been the first announced case of a virus being able to infect a Windows Mobile device from a desktop PC. The virus seems to be able to infect Windows desktops and then to be able to jump to Pocket PC and Windows Mobile devices when it detected an ActiveSync connection.

The author claimed the 'crossover' virus was written in C# (C Sharp) using Visual Studio .NET 2003 and should run on any handheld device running Windows CE/Mobile and .NET CF 1.1.

MARA's Jonathan Read, Product Manager, CISSP described the virus as 'the next logical step'. 'Multiplatform code mixed with profit hungry malware authors equals disaster.'

MARA says it is making its findings available to security companies and researchers that qualify for membership.

It hasn't been announced what the virus is capable of but personally I think that it may be a threat to hundreds of Windows Mobile users syncing their devices with ActiveSync.

Thanks to DrWho for submitting the news.
Guest fluffcat1 Posted March 3, 2006

Not quite 'new's / found today, has been doing the rounds for a while with no proof...

http://www.pcworld.com/news/article/0,aid,124899,00.asp

Mystery Surrounds PC-to-PDA Virus

Antivirus vendors say they cannot confirm the existence of the Crossover virus.

Jeremy Kirk, IDG News Service
Wednesday, March 01, 2006

A mystery is deepening around a report about the emergence of a virus that can pass from a PC to a mobile device, with some antivirus vendors saying they have not seen the code to confirm it.

The Mobile Antivirus Researchers Association (MARA) said Monday it anonymously received the code, named "Crossover." Microsoft, whose software the virus reportedly affects, said Wednesday it is investigating the reports but has not heard of any customer complaints. MARA officials were not immediately available to comment further.

Antivirus vendors said they will update their software to detect and remove the virus if they are allowed to analyze it. While vendors typically send virus samples to each other to update their products, MARA has not been forthcoming with a sample, said Graham Cluley, senior technology consultant for Sophos.

At the moment, the antivirus community only has MARA's word that the virus exists, Cluley said.

"We would still love to see a sample of this and determine if this is a potential threat to our customers," Cluley said. "It's a little bit disappointing that they are not sharing the sample."

The virus, MARA said, is the first one engineered to infect a Microsoft Windows desktop computer and then pass to a mobile device running the Windows CE or Mobile software, subsequently erasing files.

Proof-of-Concept

So far, the code remains proof-of-concept, a tag given to viruses that are created to illustrate how a vulnerability can be exploited but which are not generally released on the Internet. But once the code is publicly released, malicious hackers may alter it.
The aim is for the virus to spread rapidly before antivirus software is updated to detect and remove the malware.

The Crossover virus copies itself in the registry of a desktop computer. It waits for a mobile device to synchronize its data with a desktop machine using Microsoft's ActiveSync program, according to MARA's posting. The virus then erases files in the My Documents directory on the device.

Mikko Hypponen, chief research officer at F-Secure, said the security company can update its software to detect the virus within a couple of hours of having a sample. But the company has not seen the virus, he said.

Sophos contacted MARA by e-mail to request the virus. MARA responded with an e-mail attaching legal conditions to the release of the sample, but Sophos did not want to sign an agreement, Cluley said. Sophos has had concerns over white papers MARA has published that contained virus source code, he said.

Further, it is customary for antivirus vendors to securely send each other malware samples within a few hours, Cluley said.

MARA said that the virus would be available to antivirus companies and security experts "who qualify for MARA membership, which is free." The terms of the membership are unclear from MARA's Web site, and representatives of the group could not be immediately contacted.

MARA, formed in 2005, describes itself as a "vendor-neutral group" dedicated to prevent the spread of malicious code. According to its code of conduct, MARA members are not supposed to exchange viruses except for research and not engage in computer crime, among several other rules.

If verified, the virus could mark the start of a new danger for mobile devices, whose increasingly complex operating systems can be vulnerable to malware.

----------------------------------------------------------------

Richard
Guest fluffcat1 Posted March 3, 2006

Same author as above, earlier date, different 'facts'....here it's only a p.o.c not a live virus, and this has been 'proved' before.

http://www.computerworld.com/securitytopic...,109050,00.html

New virus can pass from PCs to mobile devices

Security group says virus not threatening users yet

News Story by Jeremy Kirk

FEBRUARY 28, 2006 (IDG NEWS SERVICE) - A security group is reporting what it says is the first virus that can pass from a PC to a mobile device and then erase files.

The proof-of-concept virus is not yet threatening users. It was sent to the Mobile Antivirus Researchers Association (MARA), which posted its findings on its Web site yesterday.

MARA said the virus came with a text file that said, among other things, "This is proof-of-concept code for educational purposes only. This virus closes the gap between handhelds and desktops, now it's one big world open to all."

The virus can be a nuisance in a couple of ways. On a PC, it will copy itself into the registry repeatedly as the machine is rebooted, according to the text file sent with the virus. As the virus replicates, it can eventually hamper the machine's performance, it said.

The virus waits for a connection through ActiveSync, the Microsoft Corp. program that synchronizes data on a PC with a mobile device. It copies itself to the device, and if the device is running the Windows CE or Mobile OS, all files are erased in the My Documents directory, the note said.

The virus was written using C# code with Visual Studio .Net 2003. MARA said it will make the code available to antivirus companies and security experts.

As of this morning, security vendors had not yet seen a sample of the code to comment on it, and Microsoft officials were not immediately available for comment.

Security experts have forecast that mobile devices will increasingly be targeted by virus writers.
Guest fluffcat1 Posted March 3, 2006

Company that claims to have 'found' it appears unwilling to share any info...

Hmmmmmmmmmm.....

Hoax?

http://www.internetweek.cmp.com/news/181401971

By Gregg Keizer

Anti-virus researchers complained Wednesday that a group claiming to have proof of the first PC-to-mobile Trojan hasn't shared the sample, a normal practice among security investigators.

Monday, the Mobile Antivirus Researchers Association (MARA), which bills itself as a non-commercial collection of mobile malware researchers, said it had anonymously received malicious code it dubbed "Crossover." The sample, said MARA, could cross-infect a Windows Mobile Pocket PC from a desktop PC running Windows.

According to MARA, the first-of-its-kind Trojan spreads to the mobile device via Microsoft's ActiveSync, then erases all files in the My Documents directory of the Windows CE- or Windows Mobile-based gizmo.

But unlike the usual practice where virus researchers share samples, MARA's not willing to let others see the code, no-strings-attached, say some commercial researchers. They're left without a way to confirm Crossover's existence or MARA's claims, or update their own signatures to defend against the attacker.

"You have to join MARA to get a sample," said Graham Cluley, senior technology consultant with U.K.-based security company Sophos. "They'll share only with members of their club."

Cluley has a problem with that on several levels. "Their terms and conditions are unacceptable. For example, if we're a member, any other member can request any sample from us, and we have 24 hours to provide the source code."

That step toward legalizing a gentleman's agreement irked Cluley. "The other day, Kaspersky Labs found a new Trojan. We called them up and asked for a copy, and they sent us a sample so we could add detection to our products. But as researchers, we don't have any contracts between us. We share because it's the right thing to do."
Cluley also said Sophos was "nervous" about MARA because 2 of its 12 members have co-authored papers with "Ratter," a member of the infamous 29A hacker gang. In those papers, Cluley said, MARA members Seth Fogie and Cyrus Peikari "published source code of mobile and PDA viruses." Some of Fogie's and Peikari's articles have also been posted on an underground virus exchange site, Vx Heavens, said Cluley.

"No member of the mainstream anti-virus community would associate themselves with virus writers, or publish virus source code," he added.

In the past, MARA's Fogie and Peikari have accused that mainstream of being a "closed priesthood" which tried to keep proof-of-concept code and defensive technologies secret. Wednesday, MARA repeated those charges in an e-mail to TechWeb after declining a telephone interview.

"I understand that antivirus companies may want to protect their bottom lines by limiting collaboration," MARA member Jonathan Reed wrote in his e-mailed response. "But in the end, this form of 'closed priesthood' might not be beneficial."

Nor does Reed have any sympathy for security researchers who refuse to abide by the group's terms, then complain that they can't get a sample of the Trojan.

"A small number have arrogantly said, 'we're the experts, not you, so hand it over right now,'" Reed said. "Some of them have even tried to bully individual members into bypassing the proper protocol. That is unfortunate, since it would be illegal to distribute malware without a signed agreement in place. There has to be a chain of custody in place."

MARA's refusal to share left Cluley wondering just what was up. "What seems really strange is that if you had proof-of-concept code for a Trojan like this, why would you send it to just MARA? If I was a virus writer, I would send it to, say, F-Secure, which has done all kinds of work on mobile viruses. I'd send it to all the known names in the business."
Cluley said that the Trojan "probably" is real -- though without a sample he can't be sure -- but said the whole incident "leaves a bad taste in the mouth."

"There have been lots of stories in the media about this [Trojan]," he said. "And that's driving people to MARA's Web site. But it doesn't look like the news is really helping anybody else."

MARA's Reed countered that the Trojan wasn't "in the wild," and because there's no danger, anti-virus companies don't need a sample. But he held out a small olive branch. "Hopefully, we can work together to make a safer environment for all users."

--------------------------------------------------------------------------------------------

Key point: "MARA's Reed countered that the Trojan wasn't "in the wild," and because there's no danger, anti-virus companies don't need a sample."

Richard
Guest fluffcat1 Posted March 3, 2006

Ok thanks for the info

30 seconds checking on google was all I did. No biggie. Remember, google is your friend when creating news stories. ;)

Edit - shoot, even MSmobiles had it up a week ago and played it down...not like them *at all*....... :shock:

http://msmobiles.com/news.php/4962.html

Richard

Edited March 3, 2006 by fluffcat1
Guest mike-oh Posted March 3, 2006

That 'virus' screen would make a nice homescreen tho ;)

**note to self** keep off topic comments to off topic
Guest fluffcat1 Posted March 3, 2006

> That 'virus' screen would make a nice homescreen tho ;)

I was thinking that as well ;)

Richard
Guest beersoft Posted March 3, 2006

It's not a virus, a virus doesn't need .net cf installed

when i posted about it on msmn last week, i almost didn't bother

It's not even written in a real programming language (real languages don't need extra dll's installed beforehand)

so i suppose in a few years time someone is going to have written a real virus that infects files, duplicates itself and actually does things pc viri have been doing for 10 years or so

later

Owen
Guest Tech Posted March 3, 2006

shocking news

people who have nothing better to do than this - terrible.

lucky thanks before hand for anti virus software for mobile devices ;)

really should make everything readonly on the my docs folder or put it on a miniSD card :(

personally I wouldn't classify it as a virus as all it does is remove files - easily done in code - virus would do other things such as infect files, make a device act unusual etc.. etc...

you could say it's just a ... "thing" ... not quite a virus... more of a file tamperer

but that's just me ;)

Edited March 3, 2006 by Tech
Guest mini_man Posted March 3, 2006

> 30 seconds checking on google was all I did. No biggie. Remember, google is your friend when creating news stories.

It was submitted news so i acted on it

EDIT I forgot to mention him

> That 'virus' screen would make a nice homescreen tho **note to self** keep off topic comments to off topic

heh heh that made me chuckle
Guest beersoft Posted March 3, 2006

it's less of a virus and more like a .net app that copies another .net app onto your device and deletes random stuff, and you still need to run it when it appears on the device.

anyone here think running random unsigned code from unknown sources is still a good thing?

later

Owen
Guest fraser Posted March 6, 2006

Hmm, every day I believe more in the conspiracy theory that anti-virus companies are the ones making the viruses for the pocket pc.

You see, this is the FIRST ONE. Yet, several companies are already selling anti-virus solutions and have been for six months. I've actually blasted them on a few high profile tech sites for this, as they are essentially ripping people off. Lost a bit of slashdot karma in the process... ;)

Then suddenly a virus comes along? That no one has details about?

But what gets me most is that it comes from, WAIT FOR IT: Mobile Antivirus Researchers Association (MARA)?

Let me get this straight guys, just so we are all clear. If there were NO viruses, there would be no point in your organisation, right? And in order to see the code for this "virus", you have to join their group?

If there weren't children here, I'd tell them where to stick their bull PR campaign masquerading as a genuine threat. "Mobile Antivirus Researchers Association" indeed. 50 years ago they would be selling snake oil. I'd bet they also have a homeopathic medicine division.

This is NOT how anti-virus groups normally behave. Sign up to get access, unbelievable!!!

I believe there is a problem with children flying kites. I'm starting a "light children should not fly kites organisation". We are planning on attaching 50 helium balloons to a ten year old in order to get some good media exposure next weekend. For information on how to protect YOUR children, send £10 to .......
Guest pookiecheeks Posted April 7, 2006

hello all,

i said on a different thread a few weeks ago about how i wasn't sure if i was wise, or a fool rushing in by buying airscanner's mobile security suite... having read this thread i'm starting to think i'm just a wise fool, lol.

pookiecheeks

airscanner webpage
Guest Confucious Posted April 10, 2006

Virus checkers for PPCs seem to have no effect other than to slow down the PPC. A waste of money IMHO.