Mobile Executable Compressors - Hide and Seek 2.0 for Lilliputians
On the desktop we have many different executable compactors, compressors and encryptors. These are used to protect and/or obfuscate binary files. These can be employed by software authors and malicious code authors to protect their code from reverse engineering (though, typically in vain). A while back, we saw a surge of malicious code authors using these tools to obfuscate their code against signatures. It became a case of:
10 Download executable compactor
20 Pass existing malicious code through it
30 Release on Internet
40 Wait for signature to be added to antivirus
50 GOTO 10
This got a bit boring for antivirus vendors like Symantec, so we introduced executable decompression support to our AV engines (as discussed in the Internet Security Threat Report previously). But what about the mobile world? Believe it or not, there are several executable compressors out there – one for Symbian and three for Windows Mobile/CE..
The Symbian Example is called ECompXL. It was written around the era of Symbian 7 and provided basic compressed executable support. For Windows Mobile, Nicolas Brulez discussed one at Virus Bulletin 2005 but to our knowledge never released it (he’s doing a talk on how to unpack a number of these at Virus Bulletin 2007). There is, of course, the open source UPX. And for commercial offerings, there is PPC-Protect (although their Web site now seems defunct), diProtector & diPacker.
The advent of Symbian 9, and its requirements on signing, mean that attackers are likely to use executable compactors (once one is developed) for unsigned malicious code (i.e. heavily restricted in terms of functionality). For Windows CE and Mobile and varying configurations out there in the market, we are more likely to see malicious code authors employing similar techniques to those that have been previously observed on the desktop.
This time, we plan to be ahead of the curve…