ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ Xine - issue #5 - Phile 118 ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ ÚÄÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÄ¿ : PalmOS viruses by ULTRAS [MATRiX] : ÀÄÄÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÄÄÙ ÄÄÄÄÄÄ´ Introduction ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ In given articles I shall describe the theory about viruses for a platform Palm, all my researches about a beginning of June 2000. As I shall describe all problems of viruses for Palm, as them to make more distributed, as well as that is necessary to make to not involve(attract) attention of the user to a virus. It simply theory which should force virmaker which wants t o write a virus for PalmOS to write it very cautiously and to make it more hardy. ÄÄÄÄÄÄ´ Is a Palm OS virus possible? ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Yes the viruses under Palm are possible(probable). Whether exist viruses for Palm? Yes certainly exist - 1 virus, 1 trojan which in my opinion the company mcafee (I has written antivirus there is no time did not respect this company). As it is the company only it is known by the stupid scanner and certainly they do not have sales they and have made AV under Palm and in 2 days there was a first virus. All this is very strange... To me set questions why virmaker do not write viruses under Palm? In my opinion the viruses should be written on assembler, as this language is not similar on PC assembler the time that to it to get used is necessary. The viruses under Palm soon will are very popular only it is necessary to find the best approach to a spelling them. ÄÄÄÄÄÄ´ RAM memory ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ The first obstacle is the way Palm Pilots store data and binaries. Currently, Palm Pilots store all of their data and binaries in RAM. As most of you know, RAM will lose its contents once it becomes deprived of electricity. This is one of the primary reasons why it is an absolute must to backup your data to your PC/MAC. How does this fact pose as an obstacle? First off, the fact that batteries do eventually run out will limit the amount of time a virus would have to spread. The virus would have to infect as many executables as possible. It seems that to me almost probably when at user has from 5 up to 8 megabytes of RAM. Though there are a heap of the users at which only programs, necessary to them, and any documents. The virus for Palm means should be as small as possible and test memory we shall suffice it RAM memory for distribution. ÄÄÄÄÄÄ´ Problem of distribution ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Many users download of the program from internet in PC/MAC (leave backups a copy of the program) and then only loading in Palm. It means if to exchange the program that only with PC/MAC of the computer instead of with Pilot.. In it a problem. Well there are other users which do not store(keep) on PC/MAC backups of a copy to us it is necessary to be adjusted on such users. þ Space - Pilots tend to have memory constraints. Pilot memory size ranges from 1 megabyte to 8 megabytes. Developers will prefer to have alot of storage space, so the logical choice is using a PC/MAC. Hard drives for PC's/MAC's now have storage space that falls in the gigabyte spectrum. þ Speed is a very crucial factor. As a matter of fact,even more crucial than on a PC/Macintosh. On a PC/MAC, the user usually won't mind waiting a minute or two for a program to load. But on a Palm Pilot, if a virus causes the program to take any longer than about 10-20 seconds, the user isn't going to be happy. Our user will simply need to wipe out all executables and reinstal fresh copies. þ In many Pilot not so there are a lot of programs and at some users these programs can be counted on fingers and occurrence of the new program (if you want the user will write worm) to look her and if that that will find in her faster all it is the program will be removed. All these problems are necessary are to taken into account and to made by (with) a virus more hardy, so that it had many ways of distribution. ÄÄÄÄÄÄ´ ROM File problem or new infection? ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Although RAM memory will eventually lose its contents, flash ROM won't. Flash ROM is basically ROM memory that retains data after the power is gone and can be read from and written to. The Palm OS itself is present in the Flash ROM chips. The possibility that a virus could infect the flash ROM definately exists. If we can pathing ROM a file that we almost resident... We shall have many opportunities... ù Flash ROM will retain its data after the batteries run out ù We receive many opportunities of work with files ù The virus cannot be removed. The standard user can not it make. But at this way is much and lacks: þ If the virus doesn't infect the flash ROM properly, the ROM may no longer work and even if it does, the user will experience serious problems and will get a program that will replace the flash ROM. þ Even if the virus does infect the flash ROM correctly, the virus will be incompatible with future Palm OS upgrades. For example, suppose this virus manipulates the section of the ROM that handles files. The virus manipulates it in such a way that whenever an executable is run, it will run first, infect the host and then transfer control of the processor to the original code. In a future Palm OS upgrade, who knows what this virus will be manipulating!! It could wind up manipulating the code that draws graphics. And since it was designed to manipulate the file handling code, it will mess up the graphics drawing code, if it does not check for this. The check is implemented so that the virus will not manipulate if the file handling code is no longer there. þ There is very much plenty ROM of files they almost all different for the different versions PalmPilot... It is almost impossible patching all ROM files... þ As the user can install new Rom a file or updating it. ÄÄÄÄÄÄ´ PalmPilot W0rm ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Since a worm is basically another self contained Pilot application, there areproblems with visibility. For example, suppose the worm intercepted Hotsync operations so that whenever a Hotsync occured, the worm would also be transferred. The user is going to notice something strange when he/she sees a program being transfered that they never even knew about. Furthermore, once our user peeks into his backup directory, he'll see a PRC file that isn't supposed to be there. In this case, the PRC file is the worm. The worm would need some way of hiding itself from that list of applications. The first thing that comes to mind is the application type.Within any PalmOS application,normally the application type will have the four character name: Appl. If this name is something else, the program will not show up in the applications list. Furthermore, the program will not be runable by normal means. It would have to be started by another program. I am not sure if this is possible. Theoretically, one c ould make a program that will change the application type of another program. If this is possible, this would be one great way for a worm to hide itself. In this case, the following will h appen once the worm gets run: (All theoretically) ù 1. Changes the application type of another program ù 2. Renames itself to the name of the victim program ù 3. Steals the other program's icon From the user's point of view, the original program appears to be on the list. When the user taps on the worm's icon, the worm will first do whatever it wants and then will pass control to the original victim. The user wouldn't notice a thing. A worm can be setup to check the launch code to see if a Hotsync is starting up. If so, our worm can make sure that when the Pilot is transfering data to the PC/MAC, the worm will be transfered too. ÄÄÄÄÄÄ´ API patching ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ It is a little the small theories.... Now I will explain trap patching. Palm OS applications typically will call API routines. An API routine is simply a chunk of code, usually within the Palm OS itself, that will perform a specific task, such as: drawing a line, displaying text, sound generation, etc. What does this have to do with trap patching? A PalmOS application must generate a trap #15 exception. This basically halts the processor in its tracks, and then control of the processor will be transfered to the part of the PalmOS which will check what API is being called. Next PalmOS will transfer control of the processor over to the appropriate API routine. How does the system find the location in the flash ROM to transfer control to? It will check a table of addresses for each API routine and from there does the rest. Trap patching is the process of going to the table of addresses, changing the address to a particular API routine, and changing that address to point to where the worm is located in memory. What part of the worm shall have to control transfered to it ? It`s "trap handler". The trap handler is responsible for doing whatever action is necessary and then giving control of the processor to the original API routine. It not my idea she very simply has liked to me I has decided her to publish in thiz articles. ÄÄÄÄÄÄ´ Last Word ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ I still back to a theme of distribution of a virus for Palm, most likely in e-zine MATRiX#3. A thank large that you read this clause I shall wait anyone the comment and requests new of ideas. PS: Asmodeus/iKx - yeah palm it`s kewl.... email : ultras_@hotmail.com mTx url : www.matrixvx.org my url : www.coderz.net/ultras irc : undernet #virus, #vir, efnet #virus, #coders.ru from Russia with love !!! Moscow, 28 September 2000 ULTRAS [MATRiX]