Cabir authors create first Windows Mobile virus

Posted on 19 Jul 2004 at 09:40

A notorious group of virus writers have targeted another mobile operating system with the first virus for Microsoft's Windows Mobile platform.

Moscow-based anti-virus experts Kaspersky Labs says it has analysed a virus called Duts that infects the Windows Mobile operating system used in PDAs and mobile phones.

The company says it believes the virus to be written by Ratter, the pseudonym of a member of the virus-writing group 29A who were also behind last month's Cabir - the first mobile phone virus on the Symbian platform, which spread via Bluetooth wireless links.

Duts can spread over the Internet, email, by synchronising with a desktop or other device, or via Bluetooth. If the file - barely more that 1.5KB - is launched, a dialog box appears that asks: 'Dear User, am I allowed to spread?'

If the user clicks yes, then Duts will append itself to all files in My Device (the root directory) and tags infected files to mark them as such. However, the virus appears to be merely proof of concept in this instance and has no further destructive effects.

'Duts ... demonstrates that Windows Mobile is vulnerable to infection. Our tests show that the virus can effectively propagate in such an environment,' said Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Labs. 'However, we don't expect a major outbreak - Duts is unable to spread independently, only infects a limited number of files, and signals its presence in the system when attempting to propagate.'

But why all this sudden interest in mobile platforms from virus writers? Denis Zenkin, Head of Corporate Communications at Kaspersky, told us: 'Writing viruses for mobile platforms does not really differ from traditional PC platforms. The same development tools, same programming languages. We see two reasons why there were no such malicious programs before. Firstly, the sophisticated mobile platforms [in smartphones] are still not widely used, especially compared with desktop Windows. Secondly, the computer underground still does not have an idea how to turn mobile viruses into money or any other valuable assesment. This means lack of interest in these platforms from virus-writers.'

You might think that lightweight nature of mobile devices would make it more difficult to write the blended viruses that we see on the desktop, which can contain Trojans and SMTP email engines for example. But again, Zenkin has a worrying outlook. 'Theoretically it does limit the destructive payload. However, modern mobile devices are powerful enough to support even very comprehensive malicious programs like backdoors,' he said.

And as computers and mobile phone technology converge, the options for virus writers just get broader. Zenkin suggested: 'It is possble to create so-called "one way" multi-infectors. In other words, Windows viruses that inject a Windows Mobile virus to a mobile device during syncronisation and vice versa.'

Kaspersky said: 'The events of the past month are really disturbing. The computer underground has pounced on the new opportunities offered by mobile devices. And now malicious programs are evolving in yet another direction, bringing the first global outbreak caused by a mobile virus closer and closer.'

Author: Matt Whipp