We have already seen a file infector working on smartphones (see WinCE.Duts.A) and a worm that could spread by infecting storage cards (see WinCE.Infomeiti). Now, we have the first polymorphic worm (although some refer to it as a companion virus) that affects smartphones running Windows CE platform on ARM processors—it is known as WinCE.Pmcryptic.A. It spreads by generating new polymorphic copies of itself each time, and can cause a severe nuisance on a compromised phone (including unwanted phone calls to toll numbers).
After analyzing the sample, we discovered it contained many interesting payloads. So, we executed it on a test smartphone to see the threat in action. It started with an error message box:
Image 1: It begins with this message box.
A few minutes later, the phone started feeling lonely and decided to call someone:
Image 2: A phone call is started automatically.
The call is to 1860 and lasts a few seconds. 1860 is a toll number that differs between telephony providers, but is often directory services. The compromised phone will dial this number approximately every 11 hours, so pay close attention. If your phone gets infected by this worm, you may receive a very high bill next month!
Eventually PMCryptic got bored and decided to change its look:
Image 3: The phone starts cycling through different combinations of colors. This is just one of the many combinations!
Whoa! The system colors started changing randomly, making it more difficult to actually analyze the phone. Unfortunately, the color party was over pretty soon, and the phone set itself to a black theme. This is what the phone looked like in the end:
Image 4: “Fade to black” goes the smartphone.
Dead. Well, the phone was actually working, but I could not see anything I was clicking. A restart did not help; the colors stayed black.
Also, for each payload the worm seems to create a thread, and therefore it saturates the smartphone's capacity pretty quickly. I often experienced system delays and unresponsiveness, forcing me to restart the device:
Image 5: These files have been created by the worm. Notice how the files’ dates and sizes seem to be random.
The worm isn't just a nuisance. It also copies itself in a polymorphic fashion to flash storage cards and the Windows directory. Each replication will have a different size and MD5, and will also use a randomly created date/time stamp. The worm will choose random existing folders on the device, enable the hidden attribute for them (so they will not be visible in the file explorer), and then create a copy of itself with the same name as the hidden folder(s). The icon of this worm is the icon of a folder, so it's very easy to be tricked into thinking you are seeing the actual folder and not an executable file. When these files are clicked, they will run and display the content of the folder they are trying to mimic, in order to deceive the user into believing he or she actually clicked a folder and not a file.
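The folder-mimicking trick described above leaves a recognizable pattern on disk: an executable whose base name matches a sibling directory, typically with that directory carrying the hidden attribute. The following script, added here as an example and not part of the original post or of any Symantec tool, walks a directory tree and reports such pairs. It assumes the removable card or device file system is mounted where Python can read it; the demo tree it builds is constructed, and the `build_demo_tree` and `find_folder_mimics` names are this example's own.

```python
import os
import stat
import tempfile
from pathlib import Path


def is_hidden(p: Path) -> bool:
    """Report whether a path carries the hidden attribute.

    On Windows (and FAT cards read there) the attribute bit is available via
    st_file_attributes; on other platforms there is no such bit, so we fall
    back to the dot-file convention. Hidden is treated as extra evidence,
    not a requirement, since the worm's copy of the folder may be checked
    before the folder itself was hidden.
    """
    attrs = getattr(p.stat(), "st_file_attributes", None)
    if attrs is not None:
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return p.name.startswith(".")


def find_folder_mimics(root, exe_suffixes=(".exe",)):
    """Walk `root` and return executables that share a base name with a
    sibling directory (the WinCE.Pmcryptic.A lure). Name comparison is
    case-insensitive because FAT/Windows file names are.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_by_name = {d.lower(): Path(dirpath) / d for d in dirnames}
        for fn in filenames:
            f = Path(dirpath) / fn
            if f.suffix.lower() not in exe_suffixes:
                continue
            twin = dirs_by_name.get(f.stem.lower())
            if twin is None:
                continue
            findings.append({
                "file": str(f),
                "folder": str(twin),
                "folder_hidden": is_hidden(twin),
                "size": f.stat().st_size,  # worm copies have random sizes
            })
    return findings


def build_demo_tree() -> str:
    """Constructed sample layout: one mimic pair, one benign executable,
    one plain document. Returns the temporary root directory."""
    root = Path(tempfile.mkdtemp(prefix="pmcryptic_demo_"))
    (root / "Photos").mkdir()                      # the folder the lure imitates
    (root / "Photos.exe").write_bytes(b"MZ" + b"\0" * 70)  # lure, same base name
    (root / "Notes.txt").write_text("benign document")
    (root / "readme.exe").write_bytes(b"MZ" + b"\0" * 10)   # no twin folder: not flagged
    return str(root)


if __name__ == "__main__":
    for hit in find_folder_mimics(build_demo_tree()):
        flag = "hidden" if hit["folder_hidden"] else "visible"
        print(f"{hit['file']} mimics {hit['folder']} ({flag}, {hit['size']} bytes)")
```

Running it on a real card mount is just `find_folder_mimics("E:/")` or the equivalent path; the size field is there so an analyst can see at a glance that every flagged copy differs, as the post describes.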
Having hidden folders causes an unintended side-effect: the “Today” screen can’t show some of the folders anymore, therefore it shrinks in size:
Image 6: Where did the menu items go?
You can see that the main menu behind the message box is smaller than it should be (you can check Image 1 above to see how the menu might normally look). The same also applies to the Start menu. This is already annoying, and the best part is yet to come.
Time to go for deeper analysis! During the tests, several new generations of the worm were generated, so I compared them and it was pretty easy to spot the differences. First, the worm appends random data to itself at every generation, so that each copy's file size differs slightly from the others. Second, the worm changes almost all of its code, leaving the various data sections unchanged. As one can imagine, the code has a common stub that will decrypt the real viral part of the worm.
In fact, the first 400 bytes of the code section contain a small loader, which will decrypt the following bytes. It is also interesting to note that these bytes are interwoven with randomly generated junk instructions, in order to make everything more dynamic and messy. The encryption scheme is a simple XOR operation with a repeating 8 bytes long key. So, every generated worm will have random appended data, a common loader that has random junk instructions, and a block of encrypted code—where the encryption key is random in every generation. This makes every generated worm different from its other brothers both in size and MD5. The encryption is also not unique: there are three different layers of encrypted data that need to be undone before you can actually see all the original code.
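The XOR scheme described above is easy to undo once a few bytes of plaintext are known, which is how an analyst typically recovers the key rather than tracing the loader instruction by instruction. The script below is an added example, not code from the original post or from the worm, and its sample buffer and keys are constructed. It assumes each layer uses the same 8-byte period and starts at the same offset; under that assumption the three layers collapse into a single 8-byte key (XOR is associative and commutative), which is why known plaintext at one offset is enough to strip all of them at once. The function names are this example's own.

```python
KEY_LEN = 8  # the post: a repeating 8-byte XOR key per layer


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating key. XOR is its own inverse, so the same
    call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def peel_layers(blob: bytes, keys) -> bytes:
    """Apply each layer key in turn (order does not matter for XOR)."""
    for k in keys:
        blob = xor_repeating(blob, k)
    return blob


def combine_keys(keys, key_len: int = KEY_LEN) -> bytes:
    """Fold several same-length, same-alignment XOR keys into one
    equivalent key. Assumption: all layers share period and offset."""
    out = bytearray(key_len)
    for k in keys:
        for i in range(key_len):
            out[i] ^= k[i % len(k)]
    return bytes(out)


def recover_key(cipher: bytes, known_plaintext: bytes,
                offset: int = 0, key_len: int = KEY_LEN) -> bytes:
    """Recover the effective repeating key from `key_len` bytes of known
    plaintext located at `offset` in the encrypted region."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    key = bytearray(key_len)
    for i in range(key_len):
        pos = offset + i
        key[pos % key_len] = cipher[pos] ^ known_plaintext[i]
    return bytes(key)


# Constructed sample: two ARM "mov r0, r0" NOPs (E1A00000, little-endian)
# followed by filler, standing in for the code that follows the loader.
PLAINTEXT = b"\x00\x00\xa0\xe1" * 2 + b"constructed stand-in for viral code" * 3
# Constructed layer keys; a real sample has a fresh random key per generation.
KEYS = [bytes.fromhex("0123456789abcdef"),
        bytes.fromhex("deadbeef00112233"),
        bytes.fromhex("a5a5a5a5ff00ff00")]
SAMPLE_CIPHER = peel_layers(PLAINTEXT, KEYS)


def demo() -> dict:
    """Recover the combined key from the first 8 known bytes and decrypt."""
    key = recover_key(SAMPLE_CIPHER, PLAINTEXT[:KEY_LEN])
    return {"recovered_key": key, "decrypted": xor_repeating(SAMPLE_CIPHER, key)}


if __name__ == "__main__":
    r = demo()
    print("effective key:", r["recovered_key"].hex())
    print("plaintext restored:", r["decrypted"] == PLAINTEXT)
```

If the three layers in a real sample cover different byte ranges or use different alignments, `combine_keys` no longer applies and each layer has to be recovered separately with `recover_key` using an `offset` inside that layer's region; the per-layer routine is the same.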
Once decrypted, the analysis is quite straightforward: all of the described functionality was observed in the code:
Image 7: Here is the viral code responsible for the ghost phone call.
For an ARM threat, this is very interesting! Once all of the worm executables have been deleted, one still has to unhide the folders on the file system and return the system colors back to their default values. Unfortunately, WinCE does not provide, by default, tools for doing this, so it is likely that an infected user will need to download and run third party tools in order to bring order back to the compromised device.
Always apply the following general precautions and you will avoid many painful troubles:
1) Pay attention to what you are running.
2) Pay attention to the storage cards you are plugging into your phone.
* Note: Thanks to Eric Chien for his precious help during the ARM analysis and to our friends at Kaspersky for providing a sample.