Occasionally we find PC malware that can have an effect on mobile phones or vice versa. The W32/Mobler worm installs SymbOS/MultiDropper.CC to any Windows system it infects. The Symbian malware has no effect on the PC. Similarly SymbOS/Multidropper.CC installs W32/Mobler to the memory card. The mobile version is arguably more effective as inserting a memory card with Mobler into a PC with AutoRun configured is enough to cause an infection.
The malware author was trying to save some effort in the creation of new malware by reusing older malware. This is not the usual case with malware as creators, driven by the need to avoid detection, produce their own code or use newer malware toolkits.
Multi platform exploits
The situation with vulnerability exploits is more complex. While exploits are usually tied very closely to hardware and operating systems, they are also occasionally distributed as source code allowing study and modification. An example of this is the libTIFF exploit used by hackers to install homebrew games on the Sony Playstation Portable(PSP). The PSP libTIFF exploit was subsequently ported to the iPhone and allowed the installation of third party applications. Security researchers later added the libTIFF exploit to a penetration testing framework.
Portable malware knowledge
Penetration testing frameworks help to tie exploits to payloads(e.g. gaining control of a vulnerable system). The frameworks allow the reuse of previous vulnerability research. This helps reduce the work needed by a penetration tester or attacker to fully utilize an exploit. They can write multiple payloads for a single vulnerability exploit.
In a series of blog postings, a security researcher detailed the process he used to port the libTIFF exploit and develop multiple payloads for the iPhone. It helped a bit that the iPhone and Macs are both running versions of OS X. Although they work on different types of CPUs(x86 for Mac; ARM for iPhone), he was able to leverage his Mac payload knowledge to produce iPhone payloads in a few week’s time.
This week we saw the release of a number of exploits for a buffer overflow vulnerability in various PC multimedia players. The vulnerability was limited to a specific MP4 video file codec. The exploits, we detect them as Exploit-MP4, were implemented as specially crafted MP4 video files.
There was a possibility that the malformed video files could cause issues on mobile phones. During testing we found that one of the exploits caused certain phones to hang when played. When we investigated further, we discovered that a similar buffer overflow to the PC existed on the phones. While the exploit will only cause a denial of service currently, it is possible that an attacker could develop a more malicious payload for the affected phones. The example of the penetration testing framework shows that it is relatively straightforward for dedicated attackers to use previously gained knowledge to produce mobile exploits in short periods of time.