Cabir has broken free. Who is the next?

Antivirus coverage is becoming relevant for our site: in just half a year, the first proof-of-concept virus for smartphones has multiplied, matured and turned into a full-fledged infection of mobile phones based on Symbian OS. The growing popularity of Nokia Series 60 phones has contributed a great deal to that. Russia became the ninth country to announce officially that the infection had been found, in a Nokia 7610. There is little doubt that the most interesting events are still ahead and that the infection will spread further over the next half a year.

Short history of the problem

Phones based on Symbian OS have existed for a long time, but only now has a fully functional virus appeared. Just a year ago nobody took the question of mobile viruses seriously. In our interview with the Russian "virologist" Eugene Kaspersky we raised the question of mobile security and heard his reasonable arguments:

  1. Symbian operating systems can hardly be called widespread
  2. Effective mechanisms for mass mailing without the user's knowledge are practically absent
  3. There is no prospect of "promoting" a virus epidemic
  4. There is no "nation-wide pride" or financial motive for the creator of a virus

Let's see what has changed in a year. The first item is settled: there is no need to argue about how widespread Symbian phones are today. A mechanism for spreading a virus has also been found, and that is Bluetooth. It is still too early to speak of great epidemics, but the number of smart devices grows constantly, and smartphones are getting cheaper and are no longer something exotic or exclusive. The last item is still the stuff of dreams, but why not draw a parallel with today's Internet epidemics? Creating computer viruses is no longer just entertainment, and infected machines are often used for mass network attacks and spamming. A mobile phone is no exception in this sense. What if a virus that got into your phone started sending SMS to all the contacts in the phone book without letting you know? Not only may the owner get beaten up for it, he will also have to pay for all this mailing! But let's stop making gloomy forecasts and talk about the situation today.

According to information from "Kaspersky laboratory", Cabir was presumably created by an unknown person nicknamed "Vallez", who belongs to "29A", an international group of virus writers that specializes in proof-of-concept malicious programs. The group became known for creating such viruses as "Cap" (the first macro virus to cause a global epidemic), "Stream" (the first virus for alternate NTFS streams), "Donut" (the first virus for the .NET platform) and "Rugrat" (the first virus for Win64). Cabir is delivered via Bluetooth in a .sis file (an installation file). When the infected package is opened, the virus gets into the system and is activated on every start of the phone. After that Cabir searches for any available devices and sends them a copy of itself. It was the same with the first computer viruses: you had to run the infected executable file, and here it is a .sis file received in a message. According to "Kaspersky laboratory", the first version of the virus (Cabir.a) could infect only several models (Nokia 3650, 7650 and N-Gage are known for sure).

Many viruses, good and various

Many variants based on Cabir (now called Cabir.a) have already been created and more are being developed. Naturally, the virus becomes more sophisticated and gains new features with every new edition. For example, according to the Trend Micro site, the newest versions, Worm.SymbOS.Lasco (also known as Vlasco.a and Vlasco.b), make the device scan for new Bluetooth devices continuously and then send a copy of the virus to each available phone. The list of phones that may be infected has also grown and now includes about a dozen models by various manufacturers. One of the Vlasco varieties is a combined product that also infects computers: once run, the virus scans the hard drives for .sis files (Symbian installation packages) and tries to integrate its code into them.

The creators of Cabir.Dropper have put in a lot of work. When an installation package with the curious name Norton AntiVirus 2004 Professional.sis is run, several versions of Cabir are loaded into the phone. In particular, Cabir.D replaces some preinstalled applications, such as FExplorer, SmartFileMan, Smartmovie and SystemExplorer, with itself (their menu icons become empty), and when the user tries to run such an application the virus activates and tries to send itself. Another component blocks Bluetooth control, and a third tries to add itself to the autorun menu.

The Skulls.a and Skulls.b viruses behave in the most interesting way. The destructive payload is packed into a .sis file with an innocent name such as Icons or New Themes. When the installation .sis file is run, the virus writes several dozen files and almost completely disables all the applications and menu items, which are simply replaced with an image of a skull and crossbones or an ornament. Skulls.b additionally uploads the same old Cabir into the phone, though why anyone would infect a dead device with a virus is not clear. The latest version of Skulls disguises itself as an installer for the Metal Gear Solid game (the Metal Gear.sis file) and can already neutralize antivirus programs installed in the phone. The infected device sends via Bluetooth not only Cabir but also a Sexxx.sis file, and the "Menu" button is blocked when this file is opened.

Precaution...

It is not hard to avoid infection via Bluetooth. It is enough not to open strange files received from unknown sources, and the device will also ask you twice before installing. It is evident that a strange new file named Sexxxy won't provide you with the sex you wished for. Best of all is to turn off Discoverable mode in the phone's Bluetooth settings altogether. The effective working distance of a Bluetooth connection seldom exceeds 7-10 meters, but try scanning for new devices in the tube, a store, a conference hall or any similar place: sometimes two or three devices available for contact are detected. Some people have even suggested writing a warning note about the possibility of infection via Bluetooth in the phone's notebook and sending it to all the detected devices; whoever receives it will certainly start thinking.

Various Internet games for mobile phones should be treated with suspicion; it would be vexing to upload a virus into the phone yourself. All .sis files from the Internet should be checked with an up-to-date antivirus just before uploading them into the phone, and if the device allows a complete backup to a PC, it is better to use that function before installing every new application or game. It is better not to hurry with installing a new game but to read about it on forums first. In general, everything is rather plain and clear.
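The pre-install check above, and the earlier point that one Vlasco variety modifies .sis files stored on a PC, can be backed by an integrity baseline of the installers kept on the computer. The Python below is an added example, not part of the original article or of any antivirus product; its function names and sample files are hypothetical, and it complements an antivirus scan rather than replacing one.

```python
import hashlib
import os
import tempfile

# File names this article reports as lures (compared case-insensitively).
LURE_NAMES = {"norton antivirus 2004 professional.sis",
              "metal gear.sis", "sexxx.sis"}

def sha256_of(path):
    """Hash a file in chunks so large installers are not read in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root):
    """Map each .sis file under root (relative path) to its SHA-256."""
    result = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".sis"):
                full = os.path.join(folder, name)
                result[os.path.relpath(full, root)] = sha256_of(full)
    return result

def review(baseline, current):
    """Return sorted (path, reason) findings to resolve before installing."""
    findings = []
    for path, digest in current.items():
        if os.path.basename(path).lower() in LURE_NAMES:
            findings.append((path, "lure name from the article"))
        if path not in baseline:
            findings.append((path, "new file, not in baseline"))
        elif baseline[path] != digest:
            findings.append((path, "content changed since baseline"))
    return sorted(findings)

def demo():
    """Constructed sample: placeholder installers, one altered afterwards."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("game.sis", "tool.sis"):
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(b"constructed placeholder bytes")
        baseline = snapshot(root)
        with open(os.path.join(root, "game.sis"), "ab") as handle:
            handle.write(b"appended")  # stands in for a modified installer
        with open(os.path.join(root, "Metal Gear.sis"), "wb") as handle:
            handle.write(b"constructed placeholder bytes")
        return review(baseline, snapshot(root))
```

Take the baseline right after downloading and scanning the installers, and run `review` again just before copying anything to the phone; `demo()` shows the three kinds of finding on constructed files.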

… And treatment

The problem of reviving an infected device is similar to the same problem with a PC; the solution may be chosen according to your qualifications, persistence and finances.

  • The easiest way is to reinstall all the software in the phone (similar to formatting C: and reinstalling Windows on a PC). This can be done in a service center, possibly for money. The first clients may get it for free, but then the service center staff will figure it out (or maybe they already have), and it will be impossible to pass the infection off as a factory defect. The ideal variant is restoring your own thoroughly prepared backup (if the smartphone supports the function).
  • Try erasing the infection yourself. This is possible in some cases, but working through it with a file manager will take time. And by the way, not every file manager will do; you need one that can show hidden folders and files.
  • Use a free utility from one of the leading antivirus software developers. To treat the well-known Cabir you may download a cure from the WAP site of "Kaspersky laboratory", and a similar utility is available from F-Secure. You may also open their site http://mobile.f-secure.com in the phone's WAP browser, select the item named "Removal tool for Cabir (Caribe) worm for S60 devices" and follow the instructions (you will be offered to select the model you use).
  • Install a fully functional antivirus package. Yes, really, such products already exist! The F-Secure mobile antivirus is not the cheapest (about $16 for a half-year subscription), but it is a functional product with online updates of the virus databases, and the updates can be received not only via the Internet but also as a series of SMS.

Summary

Nothing supernatural has happened or will happen; mobile devices with operating systems were bound to become a target for virus creators sooner or later. The general ways the situation will develop are almost clear: all the leading developers of antivirus software will start creating their own mobile antiviruses, since the number of potential customers is growing rapidly. Still, it seems that many major antivirus developers haven't worked out their strategy yet.

But we will certainly pay: either with our comfort and reduced device capabilities (if we isolate ourselves from the outside world and follow mobile hygiene properly), or to the developers of antivirus software for their products, or to service centers for reviving dead smartphones. Some professionals and advanced users will, of course, manage it all by themselves. The classic confrontation of virus and antivirus will open on the mobile front, and there is already at least one virus capable of stopping antivirus software. We have been through all of this with computer viruses. But there is one peculiarity: a mobile virus threatens your life by its very existence, since losing the ability to make a call may have disastrous consequences. The consolation is that a plain spare mobile phone is not a luxury and won't take up much space.

If you still think the problem doesn't concern you, just have a look at the list of Symbian devices; it is really impressive. For now we do not know of viruses for other mobile operating systems, but that doesn't mean they do not exist or won't appear in the near future. We have painted a somewhat dark picture of the current situation here, but owners of Symbian OS devices should really start thinking about their security, and start following the elementary rules of computer hygiene with smart devices.

Sergey Potresov ([email protected])
Translated by Maria Mitina ([email protected])

Published — 19 January 2005

© Mobile-review.com, 2002-2012. All rights reserved.