Mobile_Virus_Handbook.pdf

VIRUS STORIES…
By now it is for sure: viruses that attack cellular phones are no longer an
exception or proof of concept. In recent months multiple variations of these
viruses have reinforced their attacks, revealing an unprecedented and
alarming level of exposure.
The latest generation cellular phones are no longer pure communication
devices: they are intelligent multimedia centers to be used both for work
and leisure, with little to differentiate them from palmtops. It therefore
seems likely that the kind of security problems experienced in the PC
world will be disturbingly similar in mobile environments.
As a result, the latest generation cellular phones have become a
potentially tempting target for attack and at the same time a vehicle for
malicious code. This represents a growing threat as the market increases
in complexity. By observing the exponential growth of these devices
registered in the past decade, we can predict that the growth in the number
of smartphone users and the corresponding market around it will be much
more explosive than that of PCs.
Already today, the Symbian operating system is installed on over 20
million smartphones: such a pool of users could not fail to arouse the
interest of hackers and spammers. This creates a scenario in the near
future where viruses, worms, spyware and denial of service attacks will
become commonplace for such devices.
The vanguard of cellular phone hackers has already made its appearance,
in some cases quite strikingly and the first targeted have obviously been
Symbian-based Series 60 cellular phones.
Terror runs... on wireless lines: a 10-month chronicle of
attacks
Let's recap briefly the events that have defined the past months.
- Spring 2004 – Mosquitos, the game infected by a trojan, opens the
door for this new era of piracy aimed at cellular phones: it sends
messages to expensive toll numbers, causing considerable economic
loss to its unwitting victims.
- June 15th, 2004: it's Cabir's turn; the first version of the worm has been named
Cabir.A. It is the first virus to replicate through an active Bluetooth connection,
and it attacks phones with a Symbian operating system.
- June 16th, 2004: Only one day later, a new version, Cabir.B, makes an
appearance, and will continue its spread mainly in China, India, Turkey,
Finland and the Philippines. To this day, this worm continues to
hitchhike around the world, with the owners of infected devices.
- July 2004 : Pocket PCs are targeted for the first time and the
protagonist of these attacks is Duts. Behaving like a
traditional parasite virus, it attacks the Pocket PC's
programs and spreads each time infected programs
are exchanged. Nicknamed “the polite virus”, when a
program hit by Duts is activated, a message appears
asking the user's permission to proceed: “Dear User, am I allowed to spread?”.
If the user mistakenly grants authorization, the virus will infect all .EXE
files present in the directory.
- August 2004 : in Summer 2004, handheld devices are targeted once
again. A few days after the reporting of Duts, it is Brador's turn, a
backdoor that creates a copy of itself in the start file and informs the
hacker the minute the device is online. The hacker can then connect to
the palmtop through the TCP port and covertly control the device.
- November 19th, 2004: Symbian-based smartphones return
once again and become the target of hackers. The first
appearance of Skulls, the first version of which is called
Skulls.A, dates back to November. Skulls.A first makes its
appearance on websites that allow users to download
shareware applications for the Symbian operating system.
Skulls hides behind files named Extended Theme Manager
or Timer Room. If erroneously installed, the trojan blocks
the functioning of smartphone applications, allowing the user only to make or
receive phone calls. All other functions - messages, browser, and several
other applications - get blocked and the screen, instead of the usual icons,
displays skulls. What makes the trojan even more troublesome is the fact that
removal can be quite difficult and can sometimes even cause the loss of all
information stored on the phone, including numbers, agenda and saved
messages.
- November 29th, 2004: the month ends with the first variation of Skulls:
Skulls.B. As before, the trojan is spread through a file called
Icons.SIS that, if installed on a smartphone, blocks the functioning of
the cellular device's applications, allowing the user only to make and
receive phone calls, and disabling all other functions. If that weren't
enough, Skulls also carries the worm Cabir.B , making this threat
particularly dangerous.
- December 9th, 2004: New versions of Cabir manifest themselves one after
the other: Cabir.C, D and E.
- December 21st, 2004: The stream of attacks doesn't blow over: reports bring
to light new notorious versions, Skulls.C, Cabir.F and Cabir.G.
- December 22nd, 2004: Another wave of malware spreads disguised as a
cracked copy of the popular cellular phone game Metal Gear Solid. The virus,
called MGDropper, installs itself when the unwitting user downloads the
game on the smartphone. When launched, MGDropper installs versions of
Skulls and Cabir and tries to undermine the security products installed on the
phone.
- December 26th, 2004: In a six-month time span, versions of Cabir multiply
and the versions Cabir.H and Cabir.I make an appearance. Both target cellular
phones with a Symbian Series 60 operating system, but their
appearance attracts the attention of researchers for one main
reason: these two versions seem in fact to be re-written
versions based on Cabir's original source code. This means
that, in a silent but insidious way, part of the source code is
continuing to spread in the depths of the web. As a result,
sources are still available to authors of cellular phone
malware, with all the associated risks.
- January 11th, 2005 – The new year starts with a troubling
report that bears the name Lasco.A. F-Secure research
laboratories launch the alarm: 2005 could be the banner
year for attacks on cellular phones. This time as well,
cellular phones with a Symbian operating system and an
active Bluetooth connection are targeted. Lasco.A combines viruses and
worms: once the phone is hit, replicating the behavior of the notorious Cabir,
the worm starts to search for other active Bluetooth devices so it can replicate,
and looks for .sis files to infect.
- February 1st, 2005 – It's the turn of the Locknut.A trojan (also nicknamed
Gavino.A and B by some anti-virus companies). Aimed at phones with a
Symbian 7.0 operating system, this new phenomenon
arouses interest not so much because of its severity but
because it is a Symbian SIS trojan file that substitutes a
binary file, blocking the phone and preventing any
application from opening. Its blocking methods are similar to
those of Skulls but are more complete. Although initially it
was thought that, once hit by Locknut.A, the phone
becomes unusable even for phone calls, it has been verified
that phones can still make and receive phone calls, while
losing all other functionality normally available on a smartphone device.
- March 3, 2005 – CommWarrior.A started creating unwanted billing for
infected Series 60 users. This virus, however, adds a new layer of
sophisticated intelligence, using Bluetooth during daytime for spreading and
sending MMS messages at night. The latter feature is very bad from the
user’s point of view because CommWarrior is able to create considerable
costs by sending multiple MMS messages. The MMS messages contain
variable text messages and the CommWarrior SIS file with the filename
commw.sis. To get infected the user has to accept the installation dialogue,
but once done, detection is difficult. The global spread of CommWarrior.A has
been rapid.
The most common reason why people have installed CommWarrior from an
MMS message is the trust that they have with the sender. People are typically
wary of messages that they receive from unknown sources, but quite willing
to install whatever has been sent from a friend’s mobile. This is a
phenomenon that we have also seen with E-Mail worms; the plain fact is that
people just are unwilling to mistrust something coming from a friend.
- March 18, 2005 – Locknut.B causes the operating system to crash by
preventing any application from launching. It lures the user into installing it by
pretending to be a patch for Series 60 phones. Locknut.B also contains Cabir.V,
which spreads through Bluetooth just like the earlier variants of Cabir.
- April 4, 2005 – Fontal.A is a SIS file trojan that installs a corrupted font file
into the infected device, thus causing the device to fail at the next reboot.
If a phone is infected with Fontal.A, it must not be rebooted,
since the trojan will prevent the phone from booting again. If
the phone is rebooted, it will try to boot, but will be forever stuck on phone startup
and cannot be used.
In addition to installing the corrupted font file, Fontal.A also damages the
application manager so that it cannot be uninstalled, and no new applications can
be installed before the phone is disinfected.
- May 9, 2005 – Skulls.K is a variant of previous Skulls versions. It replaces
the system applications with non-functional versions, drops the SymbOS/Cabir.M
worm into the phone and disables third-party applications that could be used
to disinfect it, such as FExplorer and EFileman.
Skulls.K tries to disable F-Secure Mobile Anti-Virus by replacing its files with
non-functional versions. However, since F-Secure Mobile Anti-Virus is
capable of detecting Skulls.K using generic detection, the Anti-Virus will detect
the infected SIS file and prevent it from being installed, provided that the
Anti-Virus is in real-time scan mode, as it is by default.
What will future attacks be like?
According to the experts at F-Secure research laboratories, in the future we
should expect a new breed of cellular device exploits - for instance, Trojan
Horses incorporated in games, screensavers and other applications that generate
unwanted charges, intrusions into confidential information stored in the memory of
cellular phones, as well as data deletion or theft.
The best way to protect a smartphone from dangerous content is to install anti
virus software that automatically updates itself.
All the latest news on viruses directly from the researchers of F-Secure
laboratories can be found on the weblog http://www.europe.f-secure.com/weblog/,
while news on F-Secure Mobile Anti-Virus – F-Secure's patented solution that
updates itself automatically so as to protect the phone even from the most
recent threats - can be found at the address: http://www.f-secure.com/wireless/