Re: PocketPC exploitation

To: vuln-dev@xxxxxxxxxxxxxxxxx
Subject: Re: PocketPC exploitation
From: "Jose Morales" <mrjoemango2@xxxxxxxxxxx>
Date: Wed, 28 Sep 2005 11:16:50 -0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Reply-to: jose@xxxxxxxxxxxxxxxx

Ratter, thank you for your comments, everything you say is true. Now I thinkthat real life experience has taught us that it is better to protect frompossible future attacks similar to those seen in the past and avoid anoutbreak then to wait for a major vx outbreak to react and protect from ithappening a second time.

Nobody wants another nimda, codered, slammer, welchia, mydoom and bagle plusothers that have cost billions in losses and productivity time plus unknownnumbers of computers rendered useless and in need of repair. the technologyexists to protect pocket pc's againts the types of viruses seen in thedesktop world it should be incorportated into current solutions as apreemptive guard against possible future attacks. Your logic is good untila major virus outbreak occurs on PPC and people start to complain "why wasntI proctected" there is no answer for it. In the hacker world somesignificant articles have already come out no PPC vulnerabilities it is onlya matter of time before a major virus strike hits, the time to give betterprotection for PPC is now and not after an outbreak.

As for overhead on PPC placed by better antivirus solutions, this will verysoon go away, handhelds keep being releases with bigger hard drives (upto 4gigabytes last time i hear) more RAM more CPU power and overall betterperformance, clearly the bottlenecks of current embedded system securitywill very soon dissipate and in its current state they can handle strongerAV solutions that was is currently out there.

im sure airscanner.com, norton, kaspersky avast and the others can improvetheir products now given current ppc and help prevent possible major vxoutbreaks in the future.

proactive defense is better than reactive defense that is the best real lifeexperience we have learned from the past to help prepare for the future.


Yours in Success,

Jose.


********************************************************************************************
Jose Andre Morales
Computer Specialist
Master of Science in Computer Science, FIU 2004

********************************************************************************************


   From: Ratter <ratter@xxxxxxxx>
Reply-To: Ratter <ratter@xxxxxxxx>
To: Jose Morales <jose@xxxxxxxxxxxxxxxx>
CC: vuln-dev@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: PocketPC exploitation
Date: Fri, 23 Sep 2005 14:34:31 +0200

JM> I would like to contribute to the list a paper i just had published that

JM> discusses the vulnerabilities of current virus detectors for pocketpc's, itJM> is scary to think that such simplistic detectors are the current stateofJM> the art for such powerfull devices, it leads one to think that thelessonsJM> of the past have not been learned, feedback on the paper is appreciatedand

JM> welcomed, i hope it helps those interested in this area of research feel
JM> free to contact me.
OK, here's the feedback. You're creating unnecessary havoc. There are
AFAIK two or three pocket PC viruses/trojans. One is done by me,
second is probably a modification of mine and third is a trojan done
by some russian writer. All are very easy nonencrypted code, so what
else than a simplistic detector you would like to have? Yes, there
exists polymorfic generator written by Vecna/29A (published in last
29A magazine) and a Dust version that uses it. But this virus is on my
disk only, it will probably never be published as I'm retired.

So the question stands - for what you want to add detection for
encrypted/polymorfic/epo/metamorfic/whatever viruses to PPC detectors,
when there is _no_ virus, that uses them? Can you see the overhead it
would cause? The antivirus size increase? The time increase spent on
detection? This really is ridiculous.

When the time comes (and it probably will come), adding advanced
detection techniques to given PPC antiviruses is a matter of very
little time, because as you say all of these techniques are relatively
well elaborated in the PC world. When there will be people out there
that will take every ITW virus/worm and modify by few bytes, then the
time comes to add more advanced scanning techniques. Now it's simply
waste of resources on both sides - antivirus companies and _mainly_
user's devices.

You have very nice equations in the paper, very academic approach, but
well, the paper lacks one thing. Real life experience.

--
Best regards,
Ratter

Follow-Ups:
- Re: PocketPC exploitation
  - From: Denis Jedig
- AV == parasites? (was: PocketPC exploitation)
  - From: Michael Shigorin

Prev by Date: OpenServer 5.0.7 OpenServer 6.0.0 : UnZip File Permissions Change Vulnerability
Next by Date: [SECURITY] [DSA 824-1] New ClamAV packages fix denial of service
Previous by thread: PocketPC exploitation
Next by thread: AV == parasites? (was: PocketPC exploitation)
Index(es):
- Date
- Thread