Mystery shrouds PC-to-mobile virus

A mystery is deepening around a report about the emergence of a virus that can pass from a PC to a mobile device, with some antivirus vendors saying they have not seen the code to confirm it.

The Mobile Antivirus Researchers Association (MARA) said it anonymously received the code, named “Crossover.” Microsoft Corp., whose software the virus reportedly affects, said Wednesday it is investigating the reports but has not heard of any customer complaints.

MARA officials were not immediately available to comment further.

Antivirus vendors said they will update their software to detect and remove the virus if they are allowed to analyze it. While vendors typically send virus samples to each other to update their products, MARA has not been forthcoming with a sample, said Graham Cluley, senior technology consultant for Sophos PLC.

At the moment, the antivirus community only has MARA’s word that the virus exists, Cluley said.

“We would still love to see a sample of this and determine if this is a potential threat to our customers,” Cluley said. “It’s a little bit disappointing that they are not sharing the sample.”

The virus, MARA said, is the first one engineered to infect a Microsoft Windows desktop computer and then pass to a mobile device running the Windows CE or Mobile software, subsequently erasing files.

So far, the code remains proof-of-concept, a tag given to viruses that are created to illustrate how a vulnerability can be exploited but which are not generally released on the Internet.

But once the code is publicly released, malicious hackers may alter it. The aim is for the virus to spread rapidly before antivirus software is updated to detect and remove the malware.

The Crossover virus copies itself in the registry of a desktop computer. It waits for a mobile device to synchronize its data with a desktop machine using Microsoft’s ActiveSync program, according to MARA’s posting. The virus then erases files in the My Documents directory on the device.

Mikko Hypponen, chief research officer at F-Secure Corp., said the security company can update its software to detect the virus within a couple of hours of having a sample. But the company has not seen the virus, he said.

Sophos contacted MARA by e-mail to request the virus. MARA responded with an e-mail attaching legal conditions to the release of the sample, but Sophos did not want to sign an agreement, Cluley said. Sophos has had concerns in the past over white papers containing virus source code that were published by MARA members, he said. Further, it is customary for antivirus vendors to securely send each other malware samples within a few hours, Cluley said.

MARA said that the virus would be available to antivirus companies and security experts “who qualify for MARA membership, which is free.” The terms of the membership are unclear from MARA’s Web site, and representatives of the group could not be immediately contacted.

MARA, formed in 2005, describes itself as a “vendor-neutral group” dedicated to prevent the spread of malicious code. According to its code of conduct, MARA members are not supposed to exchange viruses except for research and not engage in computer crime, among several other rules.

If verified, the virus could mark the start of a new danger for mobile devices, whose increasingly complex operating systems can be vulnerable to malware.

Related Download
Real-time visibility Sponsor: Interactive Intelligence
Real-time visibility
Get real-time visibility in the contact centre. See immediate benefits. Real-time visibility in the contact centre is crucial. When you do not have the info you need to make decisions, you lose out on the single best way to create a competitive advantage. Solving this issue is simple, though.
Register Now