Mobile Malware’s First Birthday and Updates
It has been a while since I last covered the area of mobile malware and I think it is time for an update, don’t you?
Happy Birthday Cabir!
On the 14th of June Cabir [the first mobile phone malware] had its first birthday. Exactly one year ago on that date the virus writing group known as 29a [29a hex = 666 decimal] sent a sample of their latest proof-of-concept malware to AV vendors. Kaspersky Lab has claimed that they were the first to detect it, but most of the research since then on mobile malware has been carried out by F-Secure. Once analysed, Cabir was found to be a worm which could infect mobile phones running the Symbian Series 60 OS with Bluetooth capabilities. The worm actually uses Bluetooth to spread from phone to phone.

The source code for the original Cabir variant written by 29a showed up on a number of public sites on the Internet in December 2004. Not surprisingly, this led to the sudden appearance of new variants; mainly created by copycats and script-kiddies. Many of these first appeared in-the-wild [they were released by their creators and allowed to spread] during December 2004 and January 2005. Cabir has [to date] been seen spreading in over 30 countries. This level of spread is not bad for a Bluetooth worm that requires the end-user to accept and install the infection themselves.
Also, as some of you may remember, there were rumours that Cabir could infect the on-board computer in some cars via the Bluetooth interface; this luckily turned out to be false. If it had turned out to be true, then it would have brought a whole new meaning to suffering from a “malware induced crash”.
The latest known variant of Cabir is Cabir.Y.
Anti-Virus Malware?
A new variant of the Trojan family known as Skulls has been found in-the-wild; this new variant is known as Skulls.L. The interesting thing about this new variant is that it takes social engineering to a new level for mobile malware, as it pretends to be a ‘cracked’ [pirated] version of F-Secure Mobile Anti-Virus.
This new variant is apparently a minor modification of the Skulls.C Trojan. The Skulls.L SIS file is given the same filename as the F-Secure Mobile Anti-Virus installation package. The Trojan shows the following dialog text: “F-Secure Antivirus protect you against the virus. And don’t forget to update this!” The twist is that the so-called anti-virus is actually the malware itself! When run, the Skulls.L Trojan breaks the system applications on the phone; the smartphone functions of the phone no longer work! The phone is now an expensive paperweight.
CommWarrior - coming to a phone near you soon?
CommWarrior, like Cabir [aka Caribe], spreads via Bluetooth, but more interestingly it can also spread via MMS [Multimedia Messaging Service].
CommWarrior seems to be spreading more quickly in-the-wild than Cabir. F-Secure report that they have had reports of it “in three new countries, Malaysia, Austria and Brunei” in the last few weeks.
This brings the total number of countries it is known to be at large in to eleven; these are:
1. Ireland
2. India
3. Oman
4. Italy
5. Philippines
6. Finland
7. Greece
8. South Africa
9. Malaysia
10. Austria
11. Brunei
More data on it appears below:
CommWarrior is a worm that operates on Symbian Series 60 devices; the worm is capable of spreading both over Bluetooth and via MMS messages.
When CommWarrior infects a phone it will start searching for other phones that it can reach over Bluetooth and send infected SIS files to the phones it finds.
In addition to spreading over Bluetooth, CommWarrior will also read the user’s local address book for phone numbers and start sending MMS messages containing a copy of itself in a SIS file.
Why do people install the infected SIS file when it arrives via MMS? The same reason that some users open e-mail attachments; it [appears] to have come from someone they know and/or trust, such as a friend or as F-Secure put it “...people just are unwilling to mistrust something coming from a friend“.
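The MMS spreading behaviour described above (a SIS attachment sent to every number in the address book) is something a network operator can look for in its MMS gateway logs. The following is an added example, not code from the original post or from F-Secure: it runs a simple sliding-window heuristic over a few constructed log lines and flags any handset that pushes a .sis attachment to several distinct recipients in a short period. The log format, the phone numbers and the thresholds (5-minute window, 4 recipients) are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MMS gateway log (not real data).
# Format assumed for this example: timestamp sender recipient attachment
SAMPLE_LOG = """\
2005-06-20T10:00:01 +35387000001 +35387000002 holiday.jpg
2005-06-20T10:00:05 +35387000003 +35387000010 update.sis
2005-06-20T10:00:09 +35387000003 +35387000011 update.sis
2005-06-20T10:00:14 +35387000003 +35387000012 update.sis
2005-06-20T10:00:20 +35387000003 +35387000013 update.sis
2005-06-20T10:00:31 +35387000003 +35387000014 update.sis
2005-06-20T11:30:00 +35387000004 +35387000002 notes.sis
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, sender, recipient, attachment) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, attachment = line.split()
        records.append((datetime.fromisoformat(ts), sender, recipient, attachment))
    return records


def find_mms_worm_candidates(records, window=timedelta(minutes=5), min_recipients=4):
    """Return {sender: distinct_recipients} for senders that mailed a .sis
    attachment to at least `min_recipients` different numbers within `window`.

    A legitimate user forwarding one installer to a friend (sender +35387000004)
    stays below the threshold; a handset spraying its whole address book does not.
    """
    by_sender = defaultdict(list)
    for ts, sender, recipient, attachment in records:
        if attachment.lower().endswith(".sis"):
            by_sender[sender].append((ts, recipient))

    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        start = 0
        # Slide a time window over this sender's SIS sends, oldest to newest.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {recipient for _, recipient in events[start:end + 1]}
            if len(distinct) >= min_recipients:
                flagged[sender] = len(distinct)
    return flagged


if __name__ == "__main__":
    for sender, count in find_mms_worm_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"{sender}: {count} distinct recipients received a .sis attachment")
```

Counting distinct recipients rather than raw message volume keeps a user who re-sends one installer to the same friend from tripping the rule, while a worm iterating through an address book is caught after only a handful of messages.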

So what does this mean for most mobile phone users?
Well, unless you have a mobile based on Symbian or PocketPC [Windows CE], mobile malware is unlikely to bother you at this time.
However, if you have a Symbian Series 60 or PocketPC based phone/PDA, then expect malware to come calling some time soon; it may even arrive via MMS from someone you know... you have been warned!
Conclusions:
There are now around 100 mobile malware strains/variants targeting mobile phones. Luckily many are Trojans, and therefore can’t spread on their own; however, the small number that can spread via MMS or Bluetooth are doing rather well.
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.