As desktop and server security continues to improve and more attention turns to smartphone and other handsets as potential attack vectors, a report from the Register reminds us it's not just about attacking, infecting and destroying some portable device the same way malware currently tries to damage our PCs. Like the way mosquitos can infect multiple hosts (birds, people, etc.) with Eastern Equine Encephalitis (EEE) while remaining unaffected themselves by the disease, mobile devices can simply be used as carriers that leverage synching mechanisms and USB connections to infect multiple hosts and the media (permanent and removable) they have access to. Wrote the Register's Bill Ray:
Anti-virus company F-Secure has posted details of a Windows virus which can use a Symbian handset to transport itself between systems. The Mobler worm infects a Windows system, hides the Windows folder and sets about copying itself into different directories and on to any removable media available. It also creates a Symbian installation file which, if executed by an unwary user, installs a copy of the virus onto any removable media on the handset. Once there it depends on a curious user to execute it when attached to another computer.
While it's unlikely that a single handset (Symbian or otherwise) would be routinely connected to multiple systems (thereby serving as a malware transmission conduit between those systems), the transfer of malware to removable media which is very often used in multiple systems is problematic enough for security personnel to be aware of the "back door."
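For defenders who want to see what executable content is riding along on a memory card or thumbdrive before it reaches another machine, here is a small triage sketch. It is an added example, not code from F-Secure, the Register or the original post. It identifies Windows PE programs and Symbian installation packages by their file signatures rather than by name. The function names and sample files are hypothetical and constructed for illustration; the UID values are the ones the Unix file(1) utility matches for Symbian packages.

```python
import os
import struct
import tempfile

SIS_V9_UID1 = 0x10201A7A    # Symbian OS 9 package, little-endian UID at offset 0
SIS_PRE9_UID3 = 0x10000419  # earlier Symbian package, UID at offset 8

def classify(path):
    """Return 'sis', 'pe' or None from file content, ignoring the name."""
    with open(path, "rb") as f:
        head = f.read(64)
        uid1, _uid2, uid3 = struct.unpack_from("<III", head.ljust(12, b"\0"))
        if uid1 == SIS_V9_UID1 or uid3 == SIS_PRE9_UID3:
            return "sis"
        if len(head) == 64 and head[:2] == b"MZ":
            f.seek(struct.unpack_from("<I", head, 0x3C)[0])  # e_lfanew -> "PE\0\0"
            if f.read(4) == b"PE\0\0":
                return "pe"
    return None

def scan_media(root):
    """Walk a mounted volume; return sorted (relative path, kind) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                kind = classify(full)
            except OSError:
                continue  # unreadable entry: keep scanning
            if kind:
                hits.append((os.path.relpath(full, root), kind))
    return sorted(hits)

def build_constructed_media(root):
    """Write constructed sample files standing in for a memory card."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 60,
        "readme.txt": b"MZ is not enough to make this a program",
        "setup.dat": b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0",
        "game.bin": struct.pack("<III", 1, 0x1000006D, SIS_PRE9_UID3),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_constructed_media(d)
        print(scan_media(d))
```

A hit only means the file is a program or installer by format; whether it belongs on that media is a judgment for the person reviewing the list.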
While a basic up-to-date anti-virus solution might easily stop such a virus once it finds its way onto a PC, the fact that the malware might still sneak its way onto your media (hard drive, recordable CD/DVD, USB thumbdrive, etc.) by using traditional synching mechanisms that have never been traditionally viewed (or guarded) as malware conduits is in some ways a call to arms for the anti-malware companies to be guarding new entry points and attack vectors. One evolutionary step recently taken by Windows Mobile 5 (the operating system behind the Motorola Q that I'm testing) is the treatment of the USB port as more of a traditional network connection than a serial (COM: port) connection (based on evidence, I'm pretty sure this is what's going on).
Instead of establishing a serial connection over a USB cable to a host PC for data synchronization, the Motorola Q connects over a protocol called RNDIS (Remote NDIS). According to Microsoft's Web site:
Remote NDIS (RNDIS) is a specification for network devices on dynamic Plug and Play I/O buses such as USB. It includes two components: a bus-independent message set and a description of how this message set is conveyed across a specific I/O bus on which it is supported.
Perhaps (if someone knows, please confirm) one potential side-benefit of treating the USB port as more of a traditional networking connection (the way some FireWire connections are also treated) is that end-users can leverage existing security solutions (e.g., personal firewalls) that watch network connections for any suspicious activity. I'm pretty sure most solutions ignore native serial connections. For example, while I've never seen a personal firewall spring to life while synching a PDA or smartphone via a serial/USB connection, I recently observed how the RNDIS connection to my Motorola Q was completely invisible to my PC as long as my PC was tunneled into a corporate virtual private network over its WiFi connection. Before RNDIS came along, I never had this problem. If someone knows more about RNDIS and wants to share, the floor is yours (using the comments section below).