Easy as pie: Apple anti-virus is a peach at detecting infected BlackBerries

"Guest blogger Tony Ross is our Global Sales Trainer at Sophos Vancouver. Tony had a friend recently discover the virtues of running anti-virus on his Mac and thought he would share his story with us today."

Picture of Tony Ross

A friend of mine recently connected his BlackBerry to his Macintosh to transfer music for a new ringtone. I must admit, every time I hear that fake bell ring, I see 5 people reach for their BlackBerries, so it’s logical to want to be different.

When the BlackBerry prompted him to enable USB storage mode, he dutifully accepted the connection. Immediately Sophos Anti-Virus on his Mac generated an alert “Mal/Ambler-A detected in BLACKBERRY1:RECYCLER:recycld.exe”.

Good thing that my friend’s computer was a Mac running Sophos Anti-Virus. He has been listening to me for years ramble on about the risk of viruses regardless of the platform. In this case his Mac detected a Windows Autorun virus on his BlackBerry.

His BlackBerry was configured in paranoid mode, which only enables USB storage mode when
his password is entered. Many people configure this to be automatic; however, this could make it that much easier to transport a spare copy of Conficker onto the next USB port you use to charge. I recommend disabling USB storage mode from your BlackBerry Enterprise Server if you don’t have a business need to transfer files, photos, and music to your BlackBerry devices. Most companies manage their BlackBerries “over the air” anyhow, so this might just be a good time to review your BES policies.

Screenshot of SAV for Mac detecting a virus

Now, the threat itself. I spoke with Boris Lau in SophosLabs Vancouver and asked him to do a bit of analysis on this Mal/Ambler-A sample. Boris got back to me with some interesting information.

Mal/Ambler-A drops two files upon execution. The first is a Browser Helper Object(BHO) for Internet Explorer called fagw32.dll, which it puts into your system folder. We detected the BHO as W32/Autorun-AON. The helper object seems to be designed to help the bad guys make off with your usernames, passwords, information stored in AutoComplete, and other sensitive data you may have entered into Internet Explorer.

It also steals your credentials from Outlook Express if it’s configured, and is capable of bundling up this treasure chest and shipping it off to a website. The second file it drops is inform.dat, also in your system folder. This is used by the worm to spread itself to removable media when the time comes. It is simply an XOR’d copy of itself with the first 2 bytes missing to evade detection. Then to ensure that it propagates, as all good worms do, it will drop an autorun.inf on any removable media inserted into your PC and copy itself onto the removable media as Drive:\Recycled\recycld.exe.

BlackBerries, iPhones, USB sticks, digital cameras… All these devices are vulnerable to this type of malware, and if you are not a Windows user you may just be the next Typhoid Mary. We have become casual about plugging in these tools to charge when visiting a friend, in a conference room for a presentation, etc. Simply giving some permission for a quick power top-up is enough to get you infected.

My friend doesn’t recall ever having connected his BlackBerry to a Windows machine, yet it had a Windows virus. The scary part is how many computers might have been infected by his BlackBerry before he ran across one with up-to-date anti-virus. We all have to plug in occasionally, so to you, my Mac-owning brothers… Please run anti-virus on your Macs. Even if it’s just to help us poor fools who think Windows 7 is cool.