Windows CE .Net vulnerability used to write first virus for Pocket PC explained
Posted on 18-Sep-2004 17:15 | Filed under: News


Airscanner Corp. has obtained and published the complete, annotated source code to CE.Dust, the first program capable of infecting the Windows Mobile Pocket PC platform. Being a proof of concept, the CE.Dust asks the user before actually infecting the handheld. But other programs could do this without user knowledge.

Virus authors have been trying to infect Windows CE for several years. However, CE.Dust (or CE.Duts as it's known by some anti-virus companies) had to overcome some technological barriers in order to infect this platform. By publishing the source code, Airscanner Corp. hopes to help security researchers and programmers develop appropriate countermeasures.

Airscanner Corp. received the CE.Dust virus from its author at the same time as all other major antivirus companies. The company applied software reverse engineering techniques for ARM-based processors and worked out more about the mechanisms the creator used to infect the OS.

Additional contacts with the virus writer allowed Airscanner to publish the source code, along with annotations and Airscanner's background material.

The "coredll" module, however, resides deep within the kernel. This is the key module that controls all of the core system processes, and it holds all of the necessary ingredients for a successful virus infection.

The CE.Dust virus exploited a clever workaround of the operating system architecture in order to gain access to the coredll module. Windows CE was designed with a protected kernel: user-mode applications are not permitted to interact directly with the kernel, a design intended to enhance the security and stability of Windows CE. Specifically, in Windows CE.Net, Microsoft left the function "kdatastruct" accessible to user mode. This provided the key to the entry point of the virus. Full details of this vulnerability are provided in the annotated comments of the source code listed in the linked article.


More information: http://www.informit.com/articles/article.asp?...