Executable encryption for Pocket PC and SmartPhone devices

Nicolas Brulez Websense Security Labs

  download slides (PDF)

Nowadays, mobile devices are popular and attacks targeting them are starting to surface. Cabir for Symbian OS or WinDust for Pocket PC are good examples. It is relatively easy to analyse them because they don't use encryption techniques. A natural evolution would be self-decrypting binaries, like we have on Windows for PC or Linux.

I suspected Pocket PC/SmartPhone executables would be encryptable because they use the same file format as Windows for PC, the 'Portable Executable' (PE) format. My research has been done with IDA and the MS EVC++ 4 debugger, as well as with code I have written in the past for PE file encryption on x86-based computers. The paper presents the modifications and various 'hacks' needed to get the binaries to run. Some assumptions carried over from Windows for PC turn out to be false, and research was needed in order to obtain working self-decrypting programs.

As a result, we obtain working executables that cannot be disassembled directly because they are encrypted. There are not a lot of powerful tools for debugging Windows CE programs, which makes analysis even harder. The encrypted EXE also evades anti-virus detection. Pocket PC/Smartphones could therefore be targeted by PE-encrypted malware, like we currently see on Windows for PC. A lot of techniques can be used to defeat analysis. My paper describes those techniques and should be seen as a proof of concept.


