Polymorphic Companion Viruses Back in Vogue

Written by Mike Rede on December 10, 2008

Polymorphic Companion Viruses appear to be making a comeback. Last November it was announced that a polymorphic companion virus was making the rounds on Windows CE/Mobile phones.

The virus is interesting because it employs two different attack methods: encryption and a companion attack. What makes it polymorphic is its ability to re-write itself in order to avoid detection.

A virus that spreads using the companion attack method disguises itself as a normal executable file that already exists on your platform. The virus executes when it is invoked as a normal program by an unsuspecting user, script or other program. This malevolent approach has been around since the DOS days. Because it is encrypted, the virus can go undetected by many anti-virus programs.
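As an added example (not code from the original article), a defender can check a file listing for companion candidates. It assumes the classic DOS-style variant, in which a file with the same base name but a higher-precedence extension (`.COM` before `.EXE` before `.BAT`) runs in place of the original; the function names and sample paths are constructed for illustration.

```python
import os
from collections import defaultdict

# DOS command-interpreter search order when a name is typed without an extension.
PRECEDENCE = [".com", ".exe", ".bat"]

def find_shadowed(paths):
    """Return (winner, shadowed) for each dir/basename that has 2+ executable forms."""
    groups = defaultdict(list)
    for p in paths:
        # Normalise separators so Windows-style sample paths parse on any OS.
        directory, _, name = p.replace("\\", "/").rpartition("/")
        stem, ext = os.path.splitext(name)
        if ext.lower() in PRECEDENCE:
            # DOS/Windows names are case-insensitive, so compare in lower case.
            groups[(directory.lower(), stem.lower())].append(p)
    findings = []
    for members in groups.values():
        if len(members) < 2:
            continue
        # The first entry after sorting is the file that actually runs.
        members.sort(key=lambda m: PRECEDENCE.index(os.path.splitext(m)[1].lower()))
        findings.append((members[0], members[1:]))
    return sorted(findings)

def scan_tree(root):
    """Walk a real directory tree and apply the same check."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return find_shadowed(paths)

# Constructed sample listing (not taken from the article).
SAMPLE = [
    r"C:\TOOLS\EDIT.EXE",
    r"C:\TOOLS\EDIT.COM",
    r"C:\TOOLS\FORMAT.COM",
    r"C:\APPS\REPORT.EXE",
    r"C:\APPS\report.bat",
    r"C:\APPS\README.TXT",
]

if __name__ == "__main__":
    for winner, shadowed in find_shadowed(SAMPLE):
        print(f"{winner} runs ahead of {', '.join(shadowed)}")
```

A match is a lead for review rather than a verdict, since legitimate software sometimes ships a wrapper script beside its executable.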

If your company authorizes the use of mobile phones for your employees, then attention must be given to these new devices. Company-wide security policies need to be updated to address these new threats; threats that, if left unaddressed, can and will hinder company communications, which can also have negative financial impacts.

Now that mobile phones are becoming more sophisticated, with some even being viewed as miniature PCs, they are increasingly becoming targets of hackers, malware and viruses. The Georgia Tech Information Security Center (GTISC) recently predicted, in their Emerging Cyber Threats report for 2009, that mobile threats will be one of the top risks to end-users in 2009. They went on to warn against the coming wave of botnets that will spread to handhelds.

One of the reasons given for the forecasted threat to mobile phones is that the battery of a mobile phone is not sufficient to power both normal use of the phone and the anti-virus software necessary to prevent a virus attack.

Mobile phones are like sitting ducks to the cyber criminal community. For that matter, an attack made on a mobile phone network might easily be a tactic used by terrorists as part of an overall plan of attack. Disabling communications has often been used as a wartime tactic. Electronic mail and voice communications are essential to your company’s day-to-day operations. So protecting those communications is equivalent to protecting your business. So ask your CIO, at what price are day-to-day operations not essential?
