Mobile Virus Handbook

Mobile Virus Handbook, Symbian Virus

[ Pobierz całość w formacie PDF ]
VIRUS STORIES…
By now it is for sure: viruses that attack cellular phones are no longer an
exception or proof of concept. In recent months multiple variations of these
viruses have reinforced their attacks, revealing an unprecedented and
alarming level of exposure.
The latest generation cellular phones are no longer pure communication
devices: they are intelligent multimedia centers to be used both for work
and leisure, with little to differentiate them from palmtops. It seems
therefore likely that the kind of security problems experienced in the PC
world will likely be disturbingly similar in mobile environments.
As a result, the latest generation cellular phones have become a
potentially tempting target for attack and at the same time a vehicle for
malicious code. This represents a growing threat as the market increases
in complexity. By observing the exponential growth of these devices
registered in the past decade, we can predict that the growth in the number
of smartphone users and the corresponding market around it will be much
more explosive than that of PCs.
Already today,
the Symbian operating system is installed on over 20
million smartphones
: such a pool of users could not fail to arouse the
interest of hackers and spammers. This creates a scenario in the near
future where viruses, worms, spyware and denial of service attacks will
become commonplace for such devices.
The vanguard of cellular phone hackers has already made its appearance,
in some cases quite strikingly and the first targeted have obviously been
Symbian-based Series 60 cellular phones.
Terror runs... on wireless lines: a 10 month chronicle of of
attacks
Let's recap briefly the events that have defined the past months.
-
Spring 2004 – Mosquitos
, the game infected by a trojan, opens the
door for this new era of piracy aimed at cellular phones: it sends
messages to expensive toll numbers, causing considerable economic
loss to its unwitting victims.
-
June 15
th
: it's
Cabir's
turn; the worm
first version of which has been named
Cabir.A.
is first virus to replicate through an active Bluetooth connection,
Cabir attacks phones with a Symbian operating system.
-
June 16
th
, 2004
: Only one day later, a new version
Cabir.B
makes an
appearance
,
and will continue its spread mainly in China, India, Turkey,
Finland and the Philippines. To this day, this worm continues to
hitchhike around the world, with the owners of infected devices.
-
July 2004
: Pocket PCs are targeted for the first time and the
protagonist of these attacks is
Duts.
Behaving like a
traditional parasite virus, it attacks the Pocket PC's
programs and spreads each time infected programs
are exchanged. Nicknamed “the polite virus”, when a
program hit by Duts is activated, a message appears
asking the user permission to proceed: “
Dear User,
am I allowed to spread?
”.
If the user mistakenly grants authorization, the virus will infect all .EXE
files present in the directory.
-
August 2004
: in Summer 2004, handheld devices are targeted once
again. A few days after the reporting of Duts, it is Brador's turn, a
backdoor that creates a copy of itself in the start file and informs the
hacker the minute the device is online. The hacker can then connect to
the palmtop through the TCP door and covertly control the device.
-
November 19
th
, 2004
: Symbian-based smartphones return
once again and become the target of hackers. The first
appearance of
Skulls,
the
first version of which is called
Skulls.A.,
dates back to November. Skulls A. first makes its
appearance on websites that allow users to download
shareware applications for the Symbian operating system.
Skulls hides behind files named Extended Theme Manager
or Timer Room. If erroneously installed, the trojan blocks
the functioning of smartphone applications, allowing the user only to make or
receive phone calls. All other functions - messages, browser, and several
other applications - get blocked and the screen, instead of the usual icons,
displays skulls. What makes the trojan even more troublesome is the fact that
removal can be quite difficult and sometimes even cause the loss of all
information installed on the phone, including numbers, agenda and saved
messages.
-
November 29
th
, 2004
: the month ends with the first variation of Skulls:
Skulls.B
. As previously, the trojan is spread through a file called
Icons.SIS
that, if installed on a smartphone, blocking the functioning of
the cellular device's applications, allowing the user only to make and
receive phone calls, and deleting all other functions. If that weren't
enough, Skulls also carries the worm
Cabir.B
,
making this threat
particularly dangerous.
-
December 9
th
, 2004
: New versions of Cabir manifest themselves one after
the other:
Cabir.C, D
and
E
-
December 21
st
, 2004
: The stream of attacks doesn't blow over: reports bring
to light new notorious versions of
Skulls.C, Cabir.F
and
Cabir.G
-
December 22
nd
, 2004
: Another wave of malware spreads disguised as the
cracked copy of the popular cellular phone game
Metal Gear Solid
. The virus,
called
MGDropper
, installs itself, when the unwitting user downloads the
game on the smartphone. When launched, MGDropper installs versions of
Skulls and Cabir and tries to undermine the security products installed on the
phone.
-
December 26
th
, 2004
: In a six-month time span, versions of Cabir multiply
and the versions
Cabir.H
e
Cabir.I
make an appearance. Both target cellular
phones with a Symbian 60 Series operating system but their
appearance attracts the attention of researchers for one main
reason: these two versions seem in fact to be re-written
versions based on Cabir's original source code. This means
that, in a silent but insidious way, part of the source code is
continuing to spread in the depths of the web. As a result,
sources are still available to authors of cellular phone
malware, with all the associated risks.
-
January 11
th
, 2005
– The new year starts with a troubling
report that bears the name
Lasco.A
. F-Secure research
laboratories launch the alarm: 2005 could be the banner
year for attacks on cellular phones. This time as well,
cellular phones with a Symbian operating system and an
active Bluetooth connection are targeted. Lasco.A combines viruses and
worms: once the phone is hit, replicating the behavior of the notorious Cabir,
the worm starts to search for other active Bluetooth devices so it can replicate
and look for
.sis
files to infect.
-
February 1
st
, 2005
– It's the turn of the
Locknut.A
trojan (also nicknamed
Gavino.A and B by some anti-virus companies). Aimed at phones with a
Symbian 7.0 operating system, this new phenomenon
arouses interest not so much because of its severity but
because it is a Symbian SIS trojan file that substitutes a
binary file, blocking the phone and preventing any
application from opening. Its blocking methods are similar to
those of Skulls but are more complete. Although initially it
was thought that, once hit by Locknut.A, the phone
becomes unusable even for phone calls, it has been verified
that phones can still make and receive phone calls, while
losing all other functionality normally available on a smartphone device.
-
March 3, 2005
– CommWarrior.A started creating unwanted billing for
infected Series 60 users. This virus, however, adds a new layer of
sophisticated intelligence, using Bluetooth during daytime for spreading and
sending MMS messages at night. The latter feature is very bad from the
user’s point of view because CommWarrior is able to create considerable
costs by sending multiple MMS messages. The MMS messages contain
variable text messages and the Comwarrior SIS file with the filename
commw.sis. To get infected the user has to accept the installation dialogue
but once done, detection is difficult. The global spread of CommWarrior.A has
been rapid.
The most common reason why people have installed Commwarrior from an
MMS message is the trust that they have with the sender. People are typically
wary of messages that they receive from unknown sources, but quite willing
to install whatever has been sent from a friend’s mobile. This is a
phenomenon that we have also seen with E-Mail worms; the plain fact is that
people just are unwilling to mistrust something coming from a friend.
-
March 18, 2005
– Locknut.B will cause the operating system to crash by
preventing any application to launch. It lures the user to install itself be
pretending to be a patch for Series 60 phones. Locknut B also contains Cabir
V which spreads through Bluetooth just like the earlier variants of Cabir.
-
April 4, 2005
– Fontal.A is a SIS file trojan that installs a corrupted Font file
into infected device, thus causing the device to fail at the next reboot.
If a phone is infected with Fontal.A, it must not be rebooted
since the trojan will prevent the phone from booting again. If
the phone is rebooted, it will try to boot, but will be forever stuck on phone startup
and cannot be used.
In addition of installing the corrupted font file, Fontal.A also damages the
application manager so that it cannot be uninstalled, and no new applications can
be installed before the phone is disinfected.
-
May 9, 2005 –
Skulls.K is a variant of previous Skulls versions. It replaces
the system applications with non-functional versions, drops SymbOS/Cabir.M
worm in to the phone and disables third party applications that could be used
to disinfect it with such as FExplorer, EFileman.
Skulls.K tries to disable F-Secure Mobile Anti-Virus by replacing it's files with
non-functional versions. However, since F-Secure Mobile Anti-Virus is
capable of detecting Skulls.K using generic detection the Anti-Virus will detect
the infected SIS file and prevent it from being installed provided that the Anti-
Virus is in real time scan mode, as it is by default.
What will future attacks be like?
According to the experts at F-Secure research laboratories,
in the future we
should expect a new breed of cellular device exploits
, - for instance, Trojan
Horses incorporated in games, screensavers and other applications generating
unwanted charges, intrusions in reserved information filed in the memory of
cellular phones, as well as data deleting or theft.
The best way to protect a smartphone from dangerous content is to install anti
virus software that automatically updates itself.
All the latest news on viruses directly from the researchers of F-Secure
laboratories can be found on the weblog
secure.com/weblog/
, while news on
F-Secure Mobile Anti-Virus
– F-Secure's
patented solution that updates itself automatically in a way to protect the phone
even from the most recent threats - can be found at the address:
secure.com/wireless/
[ Pobierz całość w formacie PDF ]

  • zanotowane.pl
  • doc.pisz.pl
  • pdf.pisz.pl
  • kazimierz.htw.pl