Is that a RAT in your Pocket PC?

This issue's topics:

Introduction:

* PDA RAT; IE, libpng, Mozilla, ripMIME updates

Virus News:

* Is that a RAT in your Pocket PC?

Security News:

* Cumulative IE update fixes three critical vulnerabilities

* Critical libpng update fixes remote arbitrary code execution, DoS

* Mozilla update fixes multiple vulnerabilities

* ripMIME updated to handle Mydoom.O malformed base64 encoding

Introduction:

Another Pocket PC/Windows CE first this week - the discovery of the first network backdoor just a few short weeks after the first virus for the same platform suggests that the evolving Pocket PC platform may be becoming a target of interest to virus and malware writers. As these platforms (and our ever more powerful cell phones) are often the weakest link in the corporate IT security chain, this development should not be entirely surprising...

On the security front, the last week saw an 'out of cycle' cumulative security update for all versions of Internet Explorer, several critical bugs in libpng fixed and an update for ripMIME so it can properly handle Mydoom.O's malformed MIME encoding (which doesn't upset many e-mail clients). As well as being affected by the libpng issues, popular alternative web browser Mozilla saw several important security updates.

Virus News:

* Is that a RAT in your Pocket PC?

During the past few weeks we have reported a couple of firsts for malware on mobile computing platforms - Cabir, the first virus for Symbian OS on various cell phones and Duts, the first virus for Windows CE devices. While Cabir specifically tries to spread via communications channels likely to be available on its victim hosts (Bluetooth), Duts was only a simple parasitic program file infector.

Ignoring Windows CE's communication and networking options was an avenue not to be neglected by malware writers for long though.

Brador is a 'backdoor' or 'remote access Trojan' (RAT) written specifically for ARM processor Windows CE machines running Microsoft Pocket PC OS 5.0 or later. Brador is fairly simple as RATs go, at least compared to the tens and hundreds of kilobyte RATs typically seen for use on Windows and Linux machines. That should not be surprising given that its executable is only 5632 bytes total size; however, even that is enough space to pack all the basic RAT features of listening on a network port for instructions, downloading further programs and other files, and executing remotely-specified commands. It even includes an e-mail based 'phone home' feature to let its 'owner' know which machines it is on.

Despite some rather excited media commentary suggesting that Brador is 'in the wild', no reputable antivirus researchers are known to have reported confirmed instances of Brador from the field as of this writing.

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Cumulative IE update fixes three critical vulnerabilities

Last Friday, North American time (i.e. well after last week's Virus & Security Watch was 'put to bed'), Microsoft released a cumulative security update for Internet Explorer that fixes one or more critical vulnerabilities in each of the currently supported versions of IE.

Two of the fixed vulnerabilities are buffer overflows in handling malformed BMP and GIF format graphics and one is the navigation cross-domain flaw in IE's security zone model that was so publicly exploited by Scob a couple of months ago. All patched vulnerabilities had been publicly disclosed previous to Microsoft releasing the patch (some several months previous) and two were known to be actively exploited, with the cross-domain flaw having been quite heavily exploited in the nearly two months between its public disclosure and Microsoft releasing its patch.

If you have not already obtained this patch and you or your charges use IE, consider this a very high priority patch. However, please read the Security Advisory very carefully before installing the patch, as there are several potential gotchas with these fixes. Note that because this was not released on Microsoft's standard, monthly 'Patch Tuesday', it should be considered as extra-serious as Microsoft only releases the most critical of critical security hotfixes 'out of cycle'.

Microsoft Security Bulletin MS04-025

* Critical libpng update fixes remote arbitrary code execution, DoS

libpng is a multi-platform reference library of functions for handling PNG format graphics. It is included in many OS distributions, and many third-party applications are dynamically or statically linked to it.

Chris Evans has reported multiple vulnerabilities in libpng due to null pointer dereferences and boundary errors (see his original advisory at the beasts.org link below). Many of these are easily exploited to perform denials of service (DoS) against a PNG-viewing process on a victim machine, and some of the stack-based buffer overflow vulnerabilities are clearly exploitable to run arbitrary code. Depending on the application calling libpng and the source of the PNG format files being handled, these vulnerabilities may be remotely exploitable and may give an attacker root (or other elevated) privileges.

Most Linux and other Unix-like distributions shipping libpng have already provided update packages to address these vulnerabilities, and several major third-party applications (such as the Mozilla family of browsers and e-mail clients) that statically link libpng have also already been updated. Expect to see many more announcements from other distributors and developers of third-party products statically linking libpng over the next few days.

And, of course, the traditionalists among us will opt for the 'get the source distribution (or patches thereto) and build our own version from scratch' approach...

libPNG 1.2.5 buffer overflow and other code concerns - beasts.org

libpng home page - libpng.org

* Mozilla update fixes multiple vulnerabilities

As well as fixing the libpng vulnerabilities described in the previous item, the latest version of the full Mozilla browser and its related 'lite' browser (Firefox) and e-mail client (Thunderbird) include fixes for other critical flaws such as a critical, remotely exploitable integer overflow in the SOAPParameter object's constructor, and some certificate spoofing problems.

Netscape/Mozilla SOAPParameter Integer Overflow - idefense.com

Bugzilla entry 253121 - mozilla.org

* ripMIME updated to handle Mydoom.O malformed base64 encoding

Many Linux, BSD and Unix-based e-mail content-filtering and/or virus scanning solutions depend on the ripMIME package to unpack and decode MIME format e-mail messages so each component part of such messages can be checked for viruses, content-policy infringement and so on.

The Mydoom.O virus often produces 'invalid' MIME encodings, inserting 'extra' blank lines between the lines of base64 encoding, using short lines and inserting space characters. Sadly, many e-mail client programs happily decode such munged input 'correctly', as if the invalid line breaks and other white space were not present. ripMIME would stop decoding such munged input because of these white space 'errors'. Thus, some scanning solutions based on ripMIME would not see the executable attachment nor get a chance to virus scan the attachment.

Paul Daniels, ripMIME's author, has updated the package to 'properly' handle such broken base64 encoding. Users of e-mail scanning systems based on ripMIME are strongly advised to check the version of ripMIME they are using and evaluate the likely effect of continuing to use an older version that does not decode such munged attachments as Mydoom.O can produce. The fixed version is Release 1.3.2.3, which is not mentioned on ripMIME's home page; the changelog details these latest fixes.
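The scanner-evasion problem described above comes down to a decoder mismatch: the mail client decodes base64 as if inserted blank lines, short lines and stray spaces were not there, while a strict decoder gives up at the first non-alphabet character, so the scanner never sees the attachment the user will see. The following Python example is added here to illustrate that gap; it is not ripMIME code and not taken from any Mydoom.O message. The payload is a constructed, harmless text string, and munge_base64() is a constructed imitation of the white-space damage the item describes.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample attachment body (harmless text, not malware).
CLEAN_PAYLOAD = b"This is a harmless test attachment, not malware.\n"


def munge_base64(encoded: str) -> str:
    """Constructed imitation of the damage described in the text: short lines,
    extra blank lines between encoded lines, and stray space characters.
    This is not a copy of any real Mydoom.O message."""
    chunks = [encoded[i:i + 17] for i in range(0, len(encoded), 17)]  # short lines
    out = []
    for i, chunk in enumerate(chunks):
        out.append(chunk)
        if i % 2 == 0:
            out.append("")              # extra blank line after every other line
        if i % 3 == 0:
            out[-1] = out[-1] + " "     # stray trailing space
    return "\r\n".join(out) + "\r\n"


def strict_decode(text: str) -> Optional[bytes]:
    """Strict decoder: any character outside the base64 alphabet (which
    includes the inserted line breaks and spaces) aborts decoding.
    Returns None on failure, which is what leaves a scanner blind."""
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def lenient_decode(text: str) -> bytes:
    """Decode the way forgiving mail clients do: strip all white space first,
    then decode the remaining alphabet characters strictly."""
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)


def scanner_sees_attachment(text: str, lenient: bool) -> bool:
    """Would a scanner built on the given decoder get an attachment body to
    scan at all?  True only if decoding yields the full payload."""
    decoded = lenient_decode(text) if lenient else strict_decode(text)
    return decoded is not None and len(decoded) > 0


if __name__ == "__main__":
    encoded = base64.b64encode(CLEAN_PAYLOAD).decode("ascii")
    munged = munge_base64(encoded)
    print("strict decoder sees attachment :", scanner_sees_attachment(munged, lenient=False))
    print("lenient decoder sees attachment:", scanner_sees_attachment(munged, lenient=True))
    print("lenient result matches original:", lenient_decode(munged) == CLEAN_PAYLOAD)
```

The design point for a content filter is that its decoder must be at least as forgiving as the clients it protects: if the strict path returns None, the right response is to fall back to the lenient path (or to quarantine the message as undecodable), never to pass the message through unscanned.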

ripMIME CHANGELOG - pldaniels.com
