Palm OS: a Platform for Malicious Code? Part Two 

Dec 24, 2001 02:00 AM

by Markus Schmall

This is the second of a two-part series that attempts to establish to what degree Palm OS-based systems represent a suitable platform for malicious code. The first article examined the operating system in general, as well as some of the types of malicious code that could be used to infect Palm OS platforms. This installment looks at file system viruses, non-overwriting link viruses, compressing link viruses, entry point obscuring, the patching of operating system functions, existing Palm OS malware, and virus scanners for Palm OS.

File System Viruses

When looking at the operating system in the context of malicious code, the file system and the structure of the files are important areas to examine. The file system is heavily inspired by databases and offers a suitable number of functions to access files. Strictly speaking, Palm OS refers to “databases” instead of files, but for the sake of clarity I keep referring to them as files. The simplest form of malware is direct action malware, which means that the malicious code gains control, performs its operations and exits again; no residency operations or later steps are performed by this class of malware. For this simple type of malware it is important to be able to select targets that match a certain pattern.

Palm OS offers the functions DmGetNextDatabaseByTypeCreator() and DmNumDatabases(), which allow malicious code to select its targets (for example, all databases that are marked as applications). Furthermore, Palm OS offers simple functionality to modify files (DmWrite()) and to delete files (DmDeleteDatabase()).

Virus writers can use this kind of functionality, and a well-structured file format could encourage the creation of link viruses. Is it possible to change the start address/position of a program so that malicious code is executed before the original host code? At this point we focus on the file format for PRC files (PRC = Palm Resource), which is pretty simple. Every file starts with a Palm Database Header. This header contains information such as the creation date, attributes, type and creator. At the end of the Palm Database Header the Record List, which states the number of records, can be found. The Record List is followed by the Resource Entries, each of which describes the type, id and location (file offset) of a single resource; a resource's size is not stored but follows from the offset of the next resource or the end of the file. The resource with type “code” and id 1 contains the code that receives control when the application is launched, i.e. the entry point.

The resources with type “code” and ids 1 and 0 are clearly the easiest attack point for malicious code. An overwriting virus could simply overwrite this special resource to gain control (e.g. using DmWrite()). Furthermore, it is possible to extend this resource to place additional code within this critical region (e.g. using DmResizeResource()).

Finally, Palm OS directly allows a virus to manipulate selected resources without having to correct headers, offsets and so on in the file itself. This bookkeeping, which viruses on other platforms typically have to perform themselves, is handled automatically by the Palm OS Data Manager.

The file system therefore offers all the functionality necessary to develop malicious code that is able to replicate.

When it comes to scanning Palm OS PRC files on other platforms, the straightforward structure of the PRC format, which has no magic value or other general identification point, causes slight problems for AV solutions (there are no “MZ”/“PE” markers as found in Windows PE files, for instance).

When confronted with a Palm OS PRC file, a scan engine can only guess. The following weak marks can be used to identify a Palm OS PRC file:

  • offset 0x00 (32 bytes): the null-terminated name of the database.
  • offset 0x3c (4 bytes): the database type; an application is expected to carry the string “appl” here.

If these weak markers are found, the Record List and the structures it points to have to be parsed before a file can finally be identified as a Palm OS PRC file. This can be combined with a generic check for MC680x0 opcodes in the first code resource.
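The identification chain above, as an added example in Python (not code from the article or from any of the scanners it names): it parses the 78-byte database header and the resource list, derives each resource's size from the following entry's offset (the entries themselves hold none), locates the code#1 resource and scans it for a handful of unambiguous MC680x0 opcode words. The header offsets are the documented PDB/PRC layout; the resource-database attribute bit, the marker opcodes and the sample file built at the bottom are my own assumptions and constructions for the demonstration.

```python
"""Palm OS PRC identifier: header, record list, code#1 lookup and a weak
MC680x0 opcode check. Added example for this article, not code from it.
Header offsets follow the documented PDB/PRC layout; the marker opcodes
and the sample file are constructed for the demonstration."""
import struct

HEADER_LEN = 0x4E               # 78-byte Palm database header; record list follows
DM_HDR_ATTR_RES_DB = 0x0001     # attribute bit set on resource databases (PRC)
RESOURCE_ENTRY = ">4sHI"        # type, id, offset; there is no size field

# Opcode words that genuine 68000 code resources contain; a scanner can
# use them as a weak sanity check on the entry-point resource.
M68K_MARKERS = {
    0x4E56: "LINK A6",           # 4E56 dddd
    0x4E5E: "UNLK A6",
    0x4E75: "RTS",
    0x4EB9: "JSR (abs).L",
    0x48E7: "MOVEM.L regs,-(SP)",
}


def parse_prc(data):
    """Return header fields and the resource table of a PRC image.
    Raises ValueError when the structure does not parse."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than a Palm database header")
    raw_name = data[0:32]
    if b"\x00" not in raw_name:                   # weak mark 1: null-terminated name
        raise ValueError("name at 0x00 is not null terminated")
    name = raw_name.split(b"\x00", 1)[0].decode("latin-1")
    attributes, version = struct.unpack_from(">HH", data, 0x20)
    if not attributes & DM_HDR_ATTR_RES_DB:
        raise ValueError("attribute word says record database, not PRC")
    db_type, creator = data[0x3C:0x40], data[0x40:0x44]   # weak mark 2: type at 0x3C
    num_records, = struct.unpack_from(">H", data, 0x4C)
    entry_len = struct.calcsize(RESOURCE_ENTRY)
    entries = []
    for i in range(num_records):
        off = HEADER_LEN + entry_len * i
        if off + entry_len > len(data):
            raise ValueError("record list runs past end of file")
        entries.append(struct.unpack_from(RESOURCE_ENTRY, data, off))
    # A resource entry holds no length: a resource ends where the next one
    # begins, and the last one ends at end of file.
    resources = []
    for i, (rtype, rid, roffset) in enumerate(entries):
        end = entries[i + 1][2] if i + 1 < len(entries) else len(data)
        if roffset < HEADER_LEN or roffset > end or end > len(data):
            raise ValueError("resource %r#%d has an invalid offset" % (rtype, rid))
        resources.append({"type": rtype, "id": rid, "offset": roffset,
                          "size": end - roffset, "data": data[roffset:end]})
    return {"name": name, "attributes": attributes, "version": version,
            "type": db_type, "creator": creator, "resources": resources}


def find_resource(prc, rtype, rid):
    """First resource with the given type and id, or None."""
    for res in prc["resources"]:
        if res["type"] == rtype and res["id"] == rid:
            return res
    return None


def m68k_markers(code):
    """Word-aligned scan of a code resource; returns the marker mnemonics seen."""
    found = []
    for pos in range(0, len(code) - 1, 2):
        word, = struct.unpack_from(">H", code, pos)
        if word in M68K_MARKERS:
            found.append(M68K_MARKERS[word])
    return found


def looks_like_palm_app(data):
    """The identification chain: weak header marks, a parsable record list,
    a code#1 resource and MC680x0 opcodes inside it."""
    try:
        prc = parse_prc(data)
    except ValueError:
        return False
    if prc["type"] != b"appl":
        return False
    code1 = find_resource(prc, b"code", 1)
    return code1 is not None and bool(m68k_markers(code1["data"]))


def build_sample_prc(code1, name=b"Demo"):
    """Constructed sample PRC with a code#0 and a code#1 resource."""
    code0 = b"\x00" * 16                         # placeholder code#0 content
    gap = b"\x00\x00"                            # padding after the record list
    data_start = HEADER_LEN + 2 * struct.calcsize(RESOURCE_ENTRY) + len(gap)
    header = name.ljust(32, b"\x00")
    header += struct.pack(">HH", DM_HDR_ATTR_RES_DB, 1)   # attributes, version
    header += struct.pack(">IIII", 0, 0, 0, 0)            # create/modify/backup dates, mod number
    header += struct.pack(">II", 0, 0)                    # appInfoID, sortInfoID
    header += b"appl" + b"DEMO"                           # type, creator
    header += struct.pack(">II", 0, 0)                    # uniqueIDSeed, nextRecordListID
    header += struct.pack(">H", 2)                        # numRecords
    entries = struct.pack(RESOURCE_ENTRY, b"code", 0, data_start)
    entries += struct.pack(RESOURCE_ENTRY, b"code", 1, data_start + len(code0))
    return header + entries + gap + code0 + code1


if __name__ == "__main__":
    # LINK A6,#0 / UNLK A6 / RTS: the smallest plausible entry-point resource
    sample = build_sample_prc(bytes.fromhex("4E5600004E5E4E75"))
    print(looks_like_palm_app(sample), parse_prc(sample)["resources"][1])
```

The “appl” string and a null-terminated name are trivial to fake, which is why the function refuses to say yes before the record list parses and the entry-point resource contains plausible 68000 code. Even then a determined author can satisfy every one of these checks, so the result is a hint for routing a file to the right engine, not a verdict.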

Looking at the file system alone, the following techniques could be implemented by future malware.

Non-Overwriting Link Viruses

The database-like file system and the reasonably easy to understand file structure encourage the development of link viruses of various types. Possible techniques could be based on extending the first “code” resource or adding an extra resource. Both techniques are directly supported by built-in functionality.

Without polymorphic or metamorphic additions, this class of virus can typically be detected using common detection techniques like scan strings, heuristic engines and checksums. Files infected by this class of virus can usually be repaired.

Compressing Link Viruses

Instead of adding code (and therefore increasing the code size), it is also possible for malicious code to compress parts of the host resource first, so that malicious code plus compressed host have the same size as, or a smaller size than, the original (gaps could be filled with garbage). Obviously, this technique would require deep analysis of the host file and possibly the fixing of references, and not all available files would be suitable targets. Routines related to compression are available in native MC680x0 assembler and can be assembled directly for the Palm OS platform.

This is a rather complex technique, which is unlikely (but still theoretically possible) to be implemented on the Palm OS platform.

On the MC680x0 platform there is only a single known virus that implements this technique, Amiga/Cryptic Essence. Viruses using this class of technology can typically be detected using scan strings, heuristics and checksums; a removal routine, however, would require CPU emulation to decompress the compressed host components.

Entry Point Obscuring (EPO)

This technique was introduced several years ago on a variety of platforms. Early viruses replaced the entry point of a program so that the malicious code was executed first; scanning for this kind of virus (ignoring polymorphic/metamorphic techniques) is quite simple and fast, because the scanner only has to look at the entry point. EPO malware leaves the entry point untouched. For instance, it could append its code to the end of the first code resource and replace an “RTS” (return from subroutine) instruction somewhere in the host with a branch to the appended code. The scanning engine then has to parse the complete code of the infected resource to find the malicious branch, at least if a repair is wanted. Amiga/HNY97 is an example of an MC680x0-based virus using this kind of technique.
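The EPO pattern just described, as an added example in Python (not code from the article or from any scanner): a stored baseline of length and CRC catches that a code resource changed at all, and a word-aligned scan for BRA instructions that lead from the host's original body into the appended region locates the patched RTS, which is where a repair would start. The host body, the “viral” tail and the baseline are constructed for the demonstration; the BRA encodings are those of the MC68000, and because the scan does not disassemble, a data word that happens to resemble a BRA can yield a false hit.

```python
"""Added example, not code from the article: locate branches from a host
code resource into an appended tail (the EPO pattern) after a checksum
baseline has flagged the resource as modified. Sample bytes are constructed."""
import struct
import zlib

RTS = 0x4E75


def decode_bra(code, pc):
    """(instruction length, target) if the word at pc is a BRA, else None.
    60dd = BRA.B with 8-bit displacement (dd not 00/FF); 6000 dddd = BRA.W.
    60FF = BRA.L exists only on the 68020+, not on 68000-class Palm CPUs."""
    if pc + 2 > len(code):
        return None
    op, = struct.unpack_from(">H", code, pc)
    if op & 0xFF00 != 0x6000:
        return None
    disp8 = op & 0xFF
    if disp8 == 0xFF:
        return None
    if disp8 == 0x00:
        if pc + 4 > len(code):
            return None
        disp, = struct.unpack_from(">h", code, pc + 2)
        return 4, pc + 2 + disp           # displacement is relative to pc + 2
    disp = disp8 - 256 if disp8 >= 0x80 else disp8
    return 2, pc + 2 + disp


def find_branches_into_tail(code, original_len):
    """Word-aligned scan of the original body for branches whose target lies
    in the appended region [original_len, len(code)). No disassembly, so an
    immediate or displacement word that looks like 60xx is a false positive."""
    hits = []
    for pc in range(0, min(original_len, len(code)), 2):
        decoded = decode_bra(code, pc)
        if decoded and original_len <= decoded[1] < len(code):
            hits.append((pc, decoded[1]))
    return hits


def baseline_of(code):
    """What a checksum-based scanner stores for a clean resource."""
    return len(code), zlib.crc32(code)


def check_resource(code, baseline):
    """'clean' if length and CRC match the baseline; otherwise 'modified'
    plus the suspicious branch sites found in the original body."""
    base_len, base_crc = baseline
    if (len(code), zlib.crc32(code)) == (base_len, base_crc):
        return "clean", []
    return "modified", find_branches_into_tail(code, base_len)


def build_epo_sample(host, tail):
    """Constructed infected image: the host's final RTS is replaced by a
    BRA.W that jumps over itself into the appended tail. On the 68000 the
    4-byte BRA.W also overwrites the word following a 2-byte RTS, which a
    real infector would have to save; here the RTS is the last word, so
    nothing is lost."""
    assert host[-2:] == struct.pack(">H", RTS)
    pc = len(host) - 2
    disp = (pc + 4) - (pc + 2)            # target: first byte after the BRA.W
    return host[:pc] + struct.pack(">Hh", 0x6000, disp) + tail


if __name__ == "__main__":
    # LINK A6,#0; ten NOPs; UNLK A6; RTS  (constructed host body)
    host = bytes.fromhex("4E560000" + "4E71" * 10 + "4E5E4E75")
    tail = bytes.fromhex("4E71" * 4 + "4E5E4E75")   # constructed "viral" tail
    base = baseline_of(host)
    print(check_resource(host, base))
    print(check_resource(build_epo_sample(host, tail), base))
```

The baseline is what makes the branch scan cheap: without a known clean length the scanner cannot tell an appended tail from legitimate code, and would have to fall back on the full parse of the resource the text mentions.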

Patching Operating System Functions

Besides the file system, it is also necessary to look at other vital parts of the operating system. So far we have discussed only recursively replicating viruses that act as direct action infectors: the infected file is started, the virus receives control, performs all necessary steps and then returns control to the host. Now we will take a closer look at residency and especially at patching operating system functions.

Palm OS offers native functionality to patch all kinds of operating system functions. Palm OS functions are called through traps (68000 A-line trap instructions), so any patch needs to modify the addresses stored in the internal trap table.

Modifications can be done using the functions:

  • SysGetTrapAddress()
  • SysSetTrapAddress()

SysGetTrapAddress(UInt16) returns the address of the function identified by a 16-bit trap number. A patch needs to store this address, so that after performing its additional functionality the original OS code can be called. To set a new address for a certain Palm OS function, SysSetTrapAddress(UInt16, void*) is called. In the case of resident programs like AV scanners/monitors, the new address has to lie within a resident memory range: if the trap address points into the memory of the current application, that memory block is freed when the application exits even though the patch is still installed, and the trap then points into freed memory.

A memory block can be made resident by making the OS (owner ID 0) the owner of the block, using the MemPtrSetOwner()/MemHandleSetOwner() calls.

Unfortunately, there is no built-in “patch management”, so several projects were started to remove this disadvantage. Probably the best-known and most advanced solution is called “HackMaster”. Programs that want to apply patches “register” with HackMaster, which installs and manages the patch. For malicious code this is no solution, as a dependency on third-party software is certainly unwanted.

Of course, other software exists that patches OS functions directly. Right after the hype about PalmOS\Liberty, a malicious behaviour scanner called “VirusGuard” appeared, which patches the DmDeleteDatabase() function directly and this way effectively stops the PalmOS\Liberty trojan. In general, incompatibilities between different patches of the same function have to be expected.

The following techniques could be used by malicious code:

  • direct patching of OS functionality
  • removing certain other patches

The second technique could be seen as “anti-AV retro technology”: malicious code could remove or deactivate known AV software in memory. Similar techniques are used by modern malicious code on all platforms (e.g. Win95/SK, Amiga/Bobek2).
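The patching mechanism and the retro step described above, as an added example (a Python simulation, not code from the article, from VirusGuard or from Palm OS): SysGetTrapAddress()/SysSetTrapAddress() are modelled on a table of callables, a VirusGuard-style monitor hooks DmDeleteDatabase and refuses to delete “appl” databases while chaining to the saved original address for everything else, and unhook_trap() shows how a retro virus that can tell a ROM address from a patched one neutralises the monitor. The trap number, the error code, the databases and the ROM routine are constructed stand-ins; on a real device the table holds 68k code pointers and the hook must live in a system-owned chunk.

```python
"""Added example, not code from the article: a simulation of Palm OS
trap-table patching, a VirusGuard-style delete monitor, and the retro
step of pointing the trap back at ROM. All identifiers are constructed."""

TRAP_DM_DELETE_DATABASE = 0xA101    # hypothetical trap number, not the real one
DM_ERR_DENIED = 0x0201              # hypothetical error code for the simulation


class TrapTable:
    """The OS trap dispatch table: trap number -> routine address (callable)."""

    def __init__(self, rom):
        self._rom = dict(rom)            # what the ROM installs at boot
        self._table = dict(rom)

    def sys_get_trap_address(self, trap):
        return self._table[trap]

    def sys_set_trap_address(self, trap, routine):
        self._table[trap] = routine

    def rom_address(self, trap):
        return self._rom[trap]

    def is_rom_routine(self, trap):
        """What an address-range check against ROM would report."""
        return self._table[trap] == self._rom[trap]

    def call(self, trap, *args):
        """What an A-line trap instruction does: dispatch through the table."""
        return self._table[trap](*args)


class Device:
    """Constructed device state: a few databases and the trap table."""

    def __init__(self):
        self.databases = {"Liberty": b"appl", "MemoDB": b"DATA", "AddressDB": b"DATA"}
        self.log = []
        self.traps = TrapTable({TRAP_DM_DELETE_DATABASE: self._rom_dm_delete_database})

    def _rom_dm_delete_database(self, name):
        self.databases.pop(name, None)
        return 0


class DeleteMonitor:
    """Behaviour monitor in the style the text describes for VirusGuard:
    it patches DmDeleteDatabase and refuses to delete application databases."""

    def __init__(self, device):
        self.device = device
        # Save the previous address so the hook can chain to the original code.
        self.original = device.traps.sys_get_trap_address(TRAP_DM_DELETE_DATABASE)
        device.traps.sys_set_trap_address(TRAP_DM_DELETE_DATABASE, self.hook)

    def hook(self, name):
        if self.device.databases.get(name) == b"appl":
            self.device.log.append("blocked DmDeleteDatabase(%s)" % name)
            return DM_ERR_DENIED
        return self.original(name)       # call through to the saved address

    def still_installed(self):
        """A resident monitor should re-check this regularly: a retro virus
        can simply point the trap back at ROM."""
        return self.device.traps.sys_get_trap_address(TRAP_DM_DELETE_DATABASE) == self.hook


def unhook_trap(device, trap):
    """The 'remove other patches' step: if the trap no longer points into
    ROM, restore the ROM address. The simulation reads that address from
    the table's saved copy; real code would have to know or locate it."""
    if device.traps.is_rom_routine(trap):
        return False
    device.traps.sys_set_trap_address(trap, device.traps.rom_address(trap))
    return True


if __name__ == "__main__":
    dev = Device()
    monitor = DeleteMonitor(dev)
    print(dev.traps.call(TRAP_DM_DELETE_DATABASE, "Liberty"), dev.log)    # blocked
    print(unhook_trap(dev, TRAP_DM_DELETE_DATABASE), monitor.still_installed())
    print(dev.traps.call(TRAP_DM_DELETE_DATABASE, "Liberty"), dev.databases)
```

The point for the defender is the last check: a resident monitor that never re-verifies that the trap still points at its own hook will keep “protecting” a device whose trap has long since been pointed back at ROM.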

Existing Palm OS Malware

At the time of writing, three malicious programs exist for Palm OS:

  • PalmOS\Liberty.A
  • PalmOS\Phage.A
  • PalmOS\Vapor.A

Additionally, in September 2001, PalmOS\MTXII appeared, a simple graphical demonstration dropped by a Windows virus written by the Matrix VX group. This program cannot be seen as malicious and, as such, is not covered in this article.

PalmOS\Liberty Trojan

The PalmOS\Liberty trojan appeared in September 2000 and was hyped as the first virus for the Palm OS platform. It is definitely the first malware that appeared for Palm OS, but PalmOS\Phage is actually the first virus for the platform.

PalmOS\Liberty.A was spread via various newsgroups and IRC channels, labelled as a crack for the well-known Game Boy emulator Liberty 1.1. The file itself is 2663 bytes long and contains only the payload; no trace of a “crack” can be found in it.

After the PalmOS\Liberty trojan receives control, it searches for databases of type “appl”, which represent applications. As long as databases of this type are found, they are deleted using DmDeleteDatabase(). When no more databases of type “appl” are found, the malicious code resets the system by calling SysReset(). The trojan is written in a straightforward manner and can be detected easily using scan strings, checksums and heuristics.

The Palm\Phage.963 Virus

The Palm\Phage.963 virus is a simple direct action virus. Unlike the PalmOS\Liberty.A trojan, it is a real recursively replicating virus, although it is programmed in a simple manner. The virus consists of three resources:

  • “code” resource with id 0
  • “code” resource with id 1
  • “data” resource with id 0

The virus first allocates memory for these resources and then reads all three of them in. All resources are handled dynamically in their own memory areas, without the use of static sizes. The virus then searches for files of type “appl” and copies its code into the corresponding resources of each one, continuing for as long as it finds matching files. This copy process is a typical overwriting process, so the original resources are completely overwritten: the virus first resizes the host's resources to match the size of the viral resources and then copies its content into them.

Infected files are only able to run the virus; parts of the original host code may still exist, but the host is no longer functional. By performing the infection in this manner, the virus does not have to deal with changing the entry point. Since the host resources are overwritten, a repair routine for this type of malware is not possible. The virus itself can be detected by scan strings, heuristics and checksums.

PalmOS\Vapor

Finally, PalmOS\Vapor.A is the last known Palm OS trojan. It enumerates all databases and deletes the information stored for each of them. This selection of targets differs from the target selection found in PalmOS\Liberty and PalmOS\Phage. After all files have been modified in this way, the trojan simply exits. It can be detected using common detection methods such as scan strings and checksums.

Virus Scanners and Palm OS

At this point the obvious question can be asked: is it worth implementing a virus scanner for the Palm OS platform at all? Right now I am aware of solutions offered by Symantec, F-Secure, McAfee and Computer Associates (VET). In addition to these programs there are some non-commercial solutions. None of the solutions mentioned features code emulation or advanced heuristic techniques; they rely on traditional techniques like checksums and scan strings. I think this is the best way to deal with this platform for now. All existing forms of Palm OS malware can easily be detected by scan string based technologies and/or by straightforward CRC checksums.

Additionally, common Windows AV solutions such as Symantec AV 8.00 are capable of scanning Palm OS files before they are HotSynced/transferred to the PDA.

To answer the initial question of this series: Palm OS is a suitable platform for malicious code. Furthermore, it can be expected that malware for this platform will appear in the near future that uses more advanced techniques than the ones described in this article.

Markus Schmall is currently working at T-Mobile Germany in the IT Security department and can be reached at markus@mschmall.de.


Relevant Links

Palm OS: A Platform for Malicious Code? Part One
Markus Schmall, SecurityFocus
 

This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.
