Copy Link
Add to Bookmark
Report
Xine - issue #5 - Phile 118
Ú-----------------------------¿
| Xine - issue #5 - Phile 118 |
À-----------------------------Ù
Ú--ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ--¿
: PalmOS viruses by ULTRAS [MATRiX] :
À--ÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ--Ù
------´ Introduction Ã------------------------------------------------------
In given articles I shall describe the theory about viruses for a platform
Palm, all my researches about a beginning of June 2000. As I shall describe
all problems of viruses for Palm, as them to make more distributed, as well
as that is necessary to make to not involve(attract) attention of the user
to a virus.
It simply theory which should force virmaker which wants t o write a virus
for PalmOS to write it very cautiously and to make it more hardy.
------´ Is a Palm OS virus possible? Ã--------------------------------------
Yes the viruses under Palm are possible(probable). Whether exist viruses for
Palm? Yes certainly exist - 1 virus, 1 trojan which in my opinion the
company mcafee (I has written antivirus there is no time did not respect
this company).
As it is the company only it is known by the stupid scanner and certainly
they do not have sales they and have made AV under Palm and in 2 days there
was a first virus. All this is very strange...
To me set questions why virmaker do not write viruses under Palm? In my
opinion the viruses should be written on assembler, as this language is not
similar on PC assembler the time that to it to get used is necessary.
The viruses under Palm soon will are very popular only it is necessary to
find the best approach to a spelling them.
------´ RAM memory Ã--------------------------------------------------------
The first obstacle is the way Palm Pilots store data and binaries.
Currently, Palm Pilots store all of their data and binaries in RAM. As most
of you know, RAM will lose its contents once it becomes deprived of
electricity. This is one of the primary reasons why it is an absolute must
to backup your data to your PC/MAC. How does this fact pose as an obstacle?
First off, the fact that batteries do eventually run out will limit the
amount of time a virus would have to spread. The virus would have to infect
as many executables as possible. It seems that to me almost probably when at
user has from 5 up to 8 megabytes of RAM. Though there are a heap of the
users at which only programs, necessary to them, and any documents.
The virus for Palm means should be as small as possible and test memory we
shall suffice it RAM memory for distribution.
------´ Problem of distribution Ã-------------------------------------------
Many users download of the program from internet in PC/MAC (leave backups a
copy of the program) and then only loading in Palm. It means if to exchange
the program that only with PC/MAC of the computer instead of with Pilot.. In
it a problem. Well there are other users which do not store(keep) on PC/MAC
backups of a copy to us it is necessary to be adjusted on such users.
þ Space - Pilots tend to have memory constraints. Pilot memory size ranges
from 1 megabyte to 8 megabytes. Developers will prefer to have alot of
storage space, so the logical choice is using a PC/MAC. Hard drives for
PC's/MAC's now have storage space that falls in the gigabyte spectrum.
þ Speed is a very crucial factor. As a matter of fact,even more crucial than
on a PC/Macintosh. On a PC/MAC, the user usually won't mind waiting a minute
or two for a program to load. But on a Palm Pilot, if a virus causes the
program to take any longer than about 10-20 seconds, the user isn't going to
be happy. Our user will simply need to wipe out all executables and reinstal
fresh copies.
þ In many Pilot not so there are a lot of programs and at some users these
programs can be counted on fingers and occurrence of the new program (if you
want the user will write worm) to look her and if that that will find in her
faster all it is the program will be removed.
All these problems are necessary are to taken into account and to made by
(with) a virus more hardy, so that it had many ways of distribution.
------´ ROM File problem or new infection? Ã--------------------------------
Although RAM memory will eventually lose its contents, flash ROM won't.
Flash ROM is basically ROM memory that retains data after the power is gone
and can be read from and written to. The Palm OS itself is present in the
Flash ROM chips. The possibility that a virus could infect the flash ROM
definately exists.
If we can pathing ROM a file that we almost resident... We shall have many
opportunities...
ù Flash ROM will retain its data after the batteries run out
ù We receive many opportunities of work with files
ù The virus cannot be removed. The standard user can not it make.
But at this way is much and lacks:
þ If the virus doesn't infect the flash ROM properly, the ROM may no
longer work and even if it does, the user will experience serious
problems and will get a program that will replace the flash ROM.
þ Even if the virus does infect the flash ROM correctly, the virus
will be incompatible with future Palm OS upgrades. For example,
suppose this virus manipulates the section of the ROM that handles
files. The virus manipulates it in such a way that whenever an
executable is run, it will run first, infect the host and then
transfer control of the processor to the original code. In a
future Palm OS upgrade, who knows what this virus will be
manipulating!! It could wind up manipulating the code that draws
graphics. And since it was designed to manipulate the file
handling code, it will mess up the graphics drawing code, if it
does not check for this. The check is implemented so that the
virus will not manipulate if the file handling code is no longer
there.
þ There is very much plenty ROM of files they almost all different
for the different versions PalmPilot... It is almost impossible
patching all ROM files...
þ As the user can install new Rom a file or updating it.
------´ PalmPilot W0rm Ã----------------------------------------------------
Since a worm is basically another self contained Pilot application, there
areproblems with visibility. For example, suppose the worm intercepted
Hotsync operations so that whenever a Hotsync occured, the worm would also
be transferred. The user is going to notice something strange when he/she
sees a program being transfered that they never even knew about. Furthermore,
once our user peeks into his backup directory, he'll see a PRC file that
isn't supposed to be there. In this case, the PRC file is the worm.
The worm would need some way of hiding itself from that list of applications.
The first thing that comes to mind is the application type.Within any PalmOS
application,normally the application type will have the four character name:
Appl. If this name is something else, the program will not show up in the
applications list. Furthermore, the program will not be runable by normal
means. It would have to be started by another program.
I am not sure if this is possible. Theoretically, one c ould make a program
that will change the application type of another program. If this is
possible, this would be one great way for a worm to hide itself. In this
case, the following will h appen once the worm gets run: (All theoretically)
ù 1. Changes the application type of another program
ù 2. Renames itself to the name of the victim program
ù 3. Steals the other program's icon
From the user's point of view, the original program appears to be on the
list. When the user taps on the worm's icon, the worm will first do whatever
it wants and then will pass control to the original victim. The user
wouldn't notice a thing.
A worm can be setup to check the launch code to see if a Hotsync is starting
up. If so, our worm can make sure that when the Pilot is transfering data to
the PC/MAC, the worm will be transfered too.
------´ API patching Ã------------------------------------------------------
It is a little the small theories.... Now I will explain trap patching. Palm
OS applications typically will call API routines. An API routine is simply a
chunk of code, usually within the Palm OS itself, that will perform a
specific task, such as: drawing a line, displaying text, sound generation,
etc.
What does this have to do with trap patching? A PalmOS application must
generate a trap #15 exception. This basically halts the processor in its
tracks, and then control of the processor will be transfered to the part of
the PalmOS which will check what API is being called. Next PalmOS will
transfer control of the processor over to the appropriate API routine. How
does the system find the location in the flash ROM to transfer control to?
It will check a table of addresses for each API routine and from there does
the rest.
Trap patching is the process of going to the table of addresses, changing
the address to a particular API routine, and changing that address to point
to where the worm is located in memory. What part of the worm shall have to
control transfered to it ? It`s "trap handler". The trap handler is
responsible for doing whatever action is necessary and then giving control
of the processor to the original API routine.
It not my idea she very simply has liked to me I has decided her to publish
in thiz articles.
------´ Last Word Ã---------------------------------------------------------
I still back to a theme of distribution of a virus for Palm, most likely in
e-zine MATRiX#3. A thank large that you read this clause I shall wait anyone
the comment and requests new of ideas.
PS: Asmodeus/iKx - yeah palm it`s kewl....
email : ultras_@hotmail.com
mTx url : www.matrixvx.org
my url : www.coderz.net/ultras
irc : undernet #virus, #vir, efnet #virus, #coders.ru
from Russia with love !!!
Moscow, 28 September 2000
ULTRAS [MATRiX]
