On the desktop we have many different executable compactors, compressors and encryptors. These are used to protect and/or obfuscate binary files. These can be employed by software authors and malicious code authors to protect their code from reverse engineering (though, typically in vain). A while back, we saw a surge of malicious code authors using these tools to obfuscate their code against signatures. It became a case of:
10 Download executable compactor
20 Pass existing malicious code through it
30 Release on Internet
40 Wait for signature to be added to antivirus
50 GOTO 10
This got a bit boring for antivirus vendors like Symantec, so we introduced executable decompression support to our AV engines (as discussed in the Internet Security Threat...
With the advent of Symbian 9 came a new capabilities model that could be seen as akin to mandatory access control, or MAC, which I’ve touched on briefly in the past . If you’re interested more in the Symbian 9 capabilities model, I recommend you go read the Embeddec.com article or purchase a copy of Symbian Platform Security Development Architecture from Symbian Press.
FlexiSpy is spyware program that runs on either the...
Some of us (Ollie Whitehouse, Eduardo Tang, and myself) are happy owners of the iPhone. However, not because we are constantly listening to music or using a pinching motion with our fingers to see pictures zoom and shrink, but because we get to analyze the attack surface. While the iPhone itself will surely evolve via new models, software, and patches, this blog will consist of a rundown of our initial thoughts.
In the default out-of-the-box configuration for the average user, you can not run code on the device. This makes the platform less risky than other mobile platforms and desktop operating systems like Windows. If you can't run code, you can't run malicious code. Further, the AJAX/Web 2.0 applications that can utilize the phone's services (such as the ability to make calls) normally prompts the user before the action takes place. This prevents automatic dialing and things like SMS worms.
If you Google for either "Windows CE", "Windows Mobile" along with "rootkits" [1] [2] you don’t find anything on the subject. Back in the early part of this year I started a little skunk-works project (which resulted in an internal whitepaper) to understand the techniques that could be employed in rootkitting Windows Mobile devices, and how you would detect them if the bad guys got nasty and started doing so.
The results were, in short, not surprising. There are publicly known methods of API hooking on Windows CE. There is a publicly released keyboard logger in the compact .NET framework and there are numerous ways to load/inject DLLs into other processes. And, of course, direct kernel object modification is also possible.
The caveat about some of these methods and techniques is that your process needs to be fully trusted in order to weave its magic. So in a properly configured one-tier device that requires signing, or...
