Tuesday, February 28, 2006

MARA Discovers First PC to Handheld Crossover Malware

MARA Discovers First PC to Handheld Crossover Malware

This was the tittle of a news published recently in AximSite. I would like to reproduce here a fragment (italics) of that news:

Originally Posted by hnelson59
The crossover virus was written in C# (C Sharp) using Visual Studio .NET 2003, and the Communications Library of openNETCF.org.

What a lame!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
The communication library of opennetcf.org is super but it's 48kb. On top of that the virus needs two files at least: the executable and that library to work. Analyzing all this info provided by MARA, I could recreate the whole process with just one EXE and with a lot less KBs. A proof of that is that in my latest Tweaks2k2 PC Edition I decided not to use the OpenNETCF dll and stay with just one EXE.
But again... these kind of viruses are for stupid guys. There is not need for any antivirus to be safe against these kinds of viruses. Just use a common sense every time you receive an attachment and you will be completely safe. Just remember one thing. Your PPC is slow and it will run slower if you have an AV installed on it checking for these "viruses for Stupid guys".

How these Virus Creators work?
1- they create virus looking for fame
2- fame comes with a huge number of Computers, PPCs or SPs or Phone damages
3- No Huge damage, no fame, so why to create a virus?

Now, if you understand my 3 above mentioned points it's easy to understand why the PPC and SP worlds are not yet attractive grounds for viruses creators.
1- it's almost impossible at this point to create a virus capable of self-infecting PCs and PPC and SP at the same time. To write a virus capable of replicating (infecting PCs without the need of human intervention) you need a more powerful language than .NET.
2- If you create that kind of virus then you will find that it wont run CE because it was not compiled for this OS.
3- if you can create a virus that can infect PCs by itself you need to create a worm and send it by email. What is the possibility of your email reaching a stupid guy that opens it? On top of that, what is the probability of that that stupid guy has a Pocket PC or SP. This cut the whole % of success to very tiny amount. And remember what I say, fame comes with a huge amount of casualties. No casualties no fame, then why I should spend my time in writing something that difficult.

Knowing how hard is to write that kind of virus capable of reaching a huge amount of victims and how low is the probability of finding a Stupid guy owning a Pocket PC (to own a PPC you need money and you need to be a geek) I wont bother at all to spend even a minute into that idea.

Thursday, February 16, 2006

More about WM5 Security

More about WM5 Security

This comment was originally posted in PocketPCThougths forum. I thought that would be a good idea to publish it here due to the fact that I have been talking about this issue since WM5 was released.

“It's definitely a dark day and a pivotal point in the CE platform...Read on if you are a small developer.

We switched from Palm development to Windows CE development a few years ago for precisely this reason: that Palm put up too many barriers for developers. It's one of the reasons we predicted the Palm platform would die -- and this was back in their heyday (about 2001). We new Microsoft would win out because they made things so free and easy for developers. Its the rich and diverse choice of 3rd party apps, as much as the platform itself, that seems to drive the success of CE.

Now, however, Microsoft apparently thinks they have enough momentum and market share to pull back on the free development tools. Maybe they are right.

But the cost of a "legal" copy of VS2005 will now exceed the modest income some small developers make on their apps. It's going to drive a lot of good, solo programmers out of the CE platform for good.

But there is another problem. WM5.0 now has it's most intimate parts "locked" so that some apps require a signing certificate from Verisign in order to run. And to get a Verisign cert you have to buy signing tokens at $400 for a 10-pack. That means if you have a fairly complex app with several DLLs, .exes, etc., it's going to cost you hundreds of dollars for each version you release!

What's worse is that to even test the app on your device, you have to buy these signing tokens. You can try using the SDK cert to test on the emulator, but that only works on the emulator. You can't use it on the actual device. And you know the emulator can be useless for testing network apps. So you have to spend your precious, expensive certs just on test versions. You could easily run up hundreds if not thousands of dollars more at this point.

Oh I almost forgot...after you buy the Verisign tokens, you still can't get a privileged cert unless you go ask Microsoft to approve it. And for this they require you to first "logo certify" the app with a 3rd party test partner like QualityLogic. That's going to cost you another $500 bucks.

As bad as all the expense is, there may be a worse feature: developers now depend on Microsoft in order to survive. Because they can revoke your privileged cert at any time!

Security expert Bruce Schneier wrote about the dangers of forced signing way back in 2001. Just imagine if you desktop PC could only run signed apps. You would not be able to run any of the great freeware that independent developers put out. It would certainly kill much of Microsoft's market share in the PC space, and would drive consumers to Linux. In short, it's unthinkable. So why are they enforcing signing on the Windows Mobile platform, which is still young and less likely to withstand the blow?

As a small developer you are between a rock and a hard place. Windows Mobile development is now trapped between the prohibitive cost of VS2005, and the restrictive forced signing of WM5.0.

Slightly bigger companies will be able to survive. Many small developers won't. And when the smaller developers die out, there will be no pressure on bigger companies to write good software. Why should they? All their good competitors -- the independent developers -- are now out of business.



Winner -- Best Security Software 2005

Smartphone and Pocket PC Magazine”