Why is it that some sinusitis sufferers do not respond to normal treatments, medications and surgical procedures and continue to come down with sinus infections regardless of the treatment they have been given? One answer to this question appears to be an atypical immune reaction to fungus, and topical anti-fungal therapies have been developed by Mayo Clinic researchers. Another possible answer to this question has surfaced in the past couple of years: biofilms. This article is meant to be a brief introduction to biofilms and how they might be a factor in recurring sinus infections.
Definition, Description and Medical Implications of Biofilms
What are biofilms and how do they resist normal treatments for sinusitis such as antibiotics? "Biofilms are composed of microbial communities that are attached to an environmental surface. The microorganisms usually encase themselves in an extra-cellular polysaccharide or slime matrix". In other words, biofilms are a collection of bacteria and other microbes that encase themselves in a sort of slime. It is apparently the slime material that protects the bacteria from being destroyed by antibiotics, for example. Biofilms have been shown to play a major part in other medical conditions involving chronic infections, such as cystic fibrosis, Legionnaire's Disease, and otitis media, the most common type of acute ear infection in children in the U.S., among others. In addition, they can also form on medical implanted products such as stents, implants, catheters, and other devices. They appear to destroy cilia when present in sinusitis patients, and the loss of cilia is detrimental to the normal drainage system of nasal passages, so this is a serious issue since destroyed cilia cannot be replaced.
Non-medical Implications of Biofilms
Biofilms are not just associated with medical conditions, however. In fact, biofilms are ubiquitous and can form under the right conditions on almost any kind of surface, including metals, rock, and of course human tissue. Two common examples of biofilms are pond scum and dental plaque. Detrimental biofilms are the cause of billions of dollars in damaged products and equipment systems in such fields as food processing, water treatment and metal-working. They also cause damage by clogging household drains and water pipes. Their effects are not always harmful, however; for example, when they attach to the roots of certain plants they seem to aid the transfer of nutrients from the soil to the plant. Also, they are used in sewage treatment facilities to help treat sewage water before it is released to the environment, and they are utilized in treating contaminated ground water as well.
An Inconvenient Truth Part 1
Alexander Gostev
Senior Virus Analyst, Kaspersky Lab
June 2006 was a historic month: it marked two years since Kaspersky Lab obtained the first sample of a virus for mobile phones. Although it wasn't clear initially, we now know that the virus was written by 'Vallez', a member of the international group of virus writers known as 29A.
This first sample opened Pandora's Box. Antivirus companies now have hundreds of Trojans and worms for mobile phones in their collections. The trickle of new malicious programs for Symbian that began in 2004 has become a constant stream which threatens to become a torrent. Every week about ten Trojans with the "SymbOS" prefix are added to our antivirus databases.
In itself, this might not seem like anything major. However, the worst thing is that worms for mobile devices are causing more and more outbreaks, and it's not possible to assess the true scale of these outbreaks yet. A year ago, the only news we were getting of Cabir was that it had been detected in yet another country or city. Then owners of infected phones started contacting Kaspersky Lab directly and we started dealing with real infections, including some employees at Kaspersky Lab HQ in Moscow.
It may be that mobile worms are spreading so fast because an average mobile phone user is less security conscious than an average Internet user. On the other hand, even long time mobile users treat mobile malware as a problem which hasn't happened yet, or believe that it's not an issue which really concerns them.
But mobile viruses don't exist in some parallel world. They are part of the here and now, and every time you go on public transport, to the cinema or the airport your mobile phone is potentially under attack.
There's a long way to go before users know as much about mobile viruses as they do about computer viruses...
In the Beginning Was Cabir...
On June 14, 2004, a well-known Spanish virus collector known as VirusBuster, who had close links with some virus writers, sent a message to 'newvirus@kaspersky.com'. The message had a file called caribe.sis attached. At the time we weren't sure what we were dealing with - we'd never seen anything like it before. A quick analysis showed that it was an application for Symbian OS and also an installer archive containing other files. As a rule, virus analysts deal with files created for traditional x86 processors. The files in caribe.sis were applications for ARM processors, which are used in a range of devices, including mobile phones. Initially, we knew very little about the machine language used by that processor, but within a few hours our analysts had managed to familiarize themselves with it. The purpose of the files was then clear: this was a worm for mobile phones which spread via Bluetooth. Our conclusions were fully confirmed the next day when we tested the worm on a Nokia N-Gage telephone running Symbian.
The worm was written by someone going under the name of Vallez. As far as we know, he lives in France and was, at the time, a member of a group of virus writers called 29A. The group's aim was to create proof-of-concept virus code for non-standard operating systems and applications. The group's members seemed determined to demonstrate to antivirus companies and other virus writers that there were new, previously unexplored infection vectors. Back in June 2004, the objective was to create a malicious program for smartphones. The author also chose a non-standard replication method - analysts are used to worms which spread via email, and Cabir could have been expected to propagate in the same way, given that Internet connectivity and email are two of the main features of smartphones. However, the worm's author chose Bluetooth instead; an approach that turned out to be key.
Cabir is coded for the Symbian operating system, which was, and remains, the most commonly used operating system in mobile phones. This market leader position is due largely to the fact that all smartphones produced by Nokia are Symbian-based. In fact, Symbian + Nokia is currently the standard smartphone combination, and it's going to take Windows Mobile a long time to win a significant share of the market from Symbian.
The appearance of Cabir confirmed the law of computer virus evolution. In order for malicious programs targeting a particular operating system or platform to emerge, three conditions need to be fulfilled:
1. The platform must be popular. Symbian was and remains the most popular platform for smartphones, with tens of millions of users throughout the world.
Cabir's author: "Symbian could be a very extended operating system used in mobile phones in the future. Today is the more extended and in my opinion it could be more yet (M$ is fighting too for being into this market too)."
2. There must be well-documented development tools for the application.
Cabir's author: "Caribe was written in c . Symbian/nokia is giving us a complete sdk for developing applications for symbian operating system."
3. The presence of vulnerabilities or coding errors. Symbian includes a number of faults, by design, in the system that handles files and services. In the case of Cabir these faults were not exploited, but most of today's Trojans for smartphones take full advantage of them.
Cabir immediately attracted the attention not only of antivirus companies, but of other virus writers as well. The latest issue of 29A's webzine was eagerly awaited, with the expectation that the group would, in accordance with tradition, publish the worm's source code. Naturally, the publication of the source code would lead to the emergence of new, more harmful variants of the worm: this is what always happens when script kiddies gain access to such technologies. However, petty cyber criminals can be capable of doing a lot of damage even without access to original source code.
Current mobile malware types and families
Autumn 2004 was when mobile malware started to evolve in three main areas. One was Trojan programs which are designed for financial gain. The first mobile Trojan was Mosquit.a. In theory, it's a harmless mobile phone game; however, at some point it starts to send numerous SMS messages to telephone numbers in the address book, meaning that the user's phone bill will increase. In fact, Mosquit.a wasn't only the first Trojan for smartphones, but also the first piece of adware for mobiles.
Skuller.a, a Trojan which appeared in November 2004, was the first of what is now the largest family of mobile Trojans. This was the first malicious program to take advantage of the design faults of Symbian, which make it possible for any application to overwrite system files with their own files without prompting the user. Skuller replaced application icons with skull and crossbones, and also deleted application files. As a result, the handset would stop working once it had been switched off and switched on again. This type of "vandal Trojan" became one of the most popular among virus writers.
Skuller.a
Three new variants of Cabir appeared practically at the same time as Skuller.a. These new variants were not based on the source code of the original worm. By this time virus writers had got their hands on Cabir, and some of them did what script kiddies do: they renamed the worm files and replaced some of the text in the files with their own. One variant added Skuller to the original archive. The resulting hybrid didn't function as intended: the worm was unable to replicate because the Trojan crashed the phone. However, this was the first time that Cabir was used as a carrier for other malicious programs.
By the beginning of 2005, the main types of mobile malware had evolved, and were used by virus writers over the next eighteen months:
- worms that spread via smartphone protocols and services
- vandal Trojans that install themselves to the system by exploiting Symbian design faults
- Trojans designed for financial gain
However, although there are only a few main types of behavior, in practice mobile malware comes in a variety of forms. Kaspersky Lab is currently tracking 31 distinct mobile malware families. The table below shows the main characteristics for each family.
| Name | Date | OS | Functionality | Technology used | Number of variants |
|---|---|---|---|---|---|
| Worm.SymbOS.Cabir | June 2004 | Symbian | Spreads via Bluetooth | Bluetooth | 15 |
| Virus.WinCE.Duts | July 2004 | Windows CE | Infects files | (File API) | 1 |
| Backdoor.WinCE.Brador | August 2004 | Windows CE | Provides remote network access | (Network API) | 2 |
| Trojan.SymbOS.Mosquit | August 2004 | Symbian | Sends SMS messages | SMS | 1 |
| Trojan.SymbOS.Skuller | November 2004 | Symbian | Replaces files, icons, system applications | OS vulnerability | 31 |
| Worm.SymbOS.Lasco | January 2005 | Symbian | Spreads via Bluetooth, infects files | Bluetooth, File API | 1 |
| Trojan.SymbOS.Locknut | February 2005 | Symbian | Installs corrupted applications | OS vulnerability | 2 |
| Trojan.SymbOS.Dampig | March 2005 | Symbian | Replaces system applications | OS vulnerability | 1 |
| Worm.SymbOS.ComWar | March 2005 | Symbian | Spreads via Bluetooth and MMS, infects files | Bluetooth, MMS, File API | 7 |
| Trojan.SymbOS.Drever | March 2005 | Symbian | Replaces antivirus application loaders | OS vulnerability | 4 |
| Trojan.SymbOS.Fontal | April 2005 | Symbian | Replaces font files | OS vulnerability | 8 |
| Trojan.SymbOS.Hobble | April 2005 | Symbian | Replaces system applications | OS vulnerability | 1 |
| Trojan.SymbOS.Appdisabler | ??? 2005 | Symbian | Replaces system applications | OS vulnerability | 6 |
| Trojan.SymbOS.Doombot | May 2005 | Symbian | Replaces system applications, ??????????? Comwar | OS vulnerability | 17 |
| Trojan.SymbOS.Blankfont | July 2005 | Symbian | Replaces font files | OS vulnerability | 1 |
| Trojan.SymbOS.Skudoo | August 2005 | Symbian | Installs damaged applications, installs Cabir, Skuller, Doombot | OS vulnerability | 3 |
| Trojan.SymbOS.Singlejump | August 2005 | Symbian | Disables system functions, replaces icons | OS vulnerability | 5 |
| Trojan.SymbOS.Bootton | August 2005 | Symbian | Installs damaged applications, installs Cabir | OS vulnerability | 2 |
| Trojan.SymbOS.Cardtrap | September 2005 | Symbian | Deletes antivirus files, replaces system applications, installs Win32 malware on memory cards | OS vulnerability | 26 |
| Trojan.SymbOS.Cardblock | October 2005 | Symbian | Blocks memory cards, deletes folders | OS vulnerability, File API | 1 |
| Trojan.SymbOS.Pbstealer | November 2005 | Symbian | Steals data | Bluetooth, File API | 5 |
| Trojan-Dropper.SymbOS.Agent | December 2005 | Symbian | Installs other malicious programs | OS vulnerability | 3 |
| Trojan-SMS.J2ME.RedBrowser | February 2006 | J2ME | Sends SMS | Java, SMS | 2 |
| Worm.MSIL.Cxover | March 2006 | Windows Mobile/ .NET | Deletes files, copies its body to other devices | File (API), NetWork (API) | 1 |
| Worm.SymbOS.StealWar | March 2006 | Symbian | Steals data, spreads via Bluetooth and MMS | Bluetooth, MMS, File (API) | 5 |
| Email-Worm.MSIL.Letum | March 2006 | Windows Mobile/ .NET | Spreads via email | Email, File (API) | 3 |
| Trojan-Spy.SymbOS.Flexispy | April 2006 | Symbian | Steals data | ? | 2 |
| Trojan.SymbOS.Rommwar | April 2006 | Symbian | Replaces system applications | OS vulnerability | 4 |
| Trojan.SymbOS.Arifat | April 2006 | Symbian | ? | ? | 1 |
| Trojan.SymbOS.Romride | June 2006 | Symbian | Replaces system applications | OS vulnerability | 8 |
| Worm.SymbOS.Mobler.a | August 2006 | Symbian | Deletes antivirus files, replaces system applications, spreads via memory card | OS vulnerability | 1 |

Total: 31 families, 170 variants
Complete (as of 30th August 2006) list of mobile virus families according to Kaspersky Lab classification.
In short, the table answers the question "What can mobile viruses do?":
- Spread via Bluetooth, MMS
- Send SMS messages
- Infect files
- Enable remote control of the smartphone
- Modify or replace icons or system applications
- Install "false" or non-operational fonts and applications
- Combat antivirus programs
- Install other malicious programs
- Block memory cards
- Steal data
We have to acknowledge that today's mobile viruses are very similar to computer viruses in terms of their payload. However, it took computer viruses over twenty years to evolve, and mobile viruses have covered the same ground in a mere two years. Without doubt, mobile malware is the most quickly evolving type of malicious code, and clearly still has great potential for further evolution.
The Basics
One of the main differences in the technology used in viruses for mobile devices and personal computers is that, although there are numerous mobile virus families, very few mobile viruses are truly original. This is similar to computer viruses in the late 1980s. Back then, there were hundreds of viruses derived from the source code of "base" malicious code. A multitude of malicious programs were based on just three viruses: Vienna, Stoned and Jerusalem. In terms of mobile malware, I would identify the following programs as the "forebears" of other mobile viruses:
- Cabir
- Comwar
- Skuller.gen
Cabir served as the basis for a number of its own variants, which differ only in terms of the file names and the contents of the sis installation files. Cabir was also used as the basis for such seemingly dissimilar families as StealWar, Lasco and Pbstealer.
Lasco
Lasco was the first of these "new" families to appear. In addition to worm functionality, programs from this family are capable of infecting files in the phone memory. Lasco's evolution is a good example of what happens when virus source code is made publicly available. A Brazilian by the name of Marcos Velasco, who calls himself a mobile virus expert, got hold of the source code for Cabir and began writing viruses. During the last week of 2004 he sent several variants of Cabir that he had written to antivirus companies. Some of them were completely non-operational and all were categorized as Cabir variants. This did not please the author; in an attempt to become famous he created a variant of the worm that was also capable of infecting sis files. This is how the Lasco worm came to be in antivirus databases.
Luckily, the idea of infecting files was not further developed by virus writers, even though Velasco published the source code of his creation on his website. It is still not quite clear whether Cabir was actually used as a source for Lasco. According to Marcos Velasco, he wrote all the code independently, but the number of files, their names and operating principles are very similar to Cabir. It's possible to compare the main functions in both worms and draw your own conclusions.
The function that sends the worm via Bluetooth (Cabir):
    if(WithAddress)
    {
        WithAddress = 0;
        Cancel();
        TBTSockAddr btaddr(entry().iAddr);
        TBTDevAddr devAddr;
        devAddr = btaddr.BTAddr();
        TObexBluetoothProtocolInfo obexBTProtoInfo;
        obexBTProtoInfo.iTransport.Copy(_L("RFCOMM"));
        obexBTProtoInfo.iAddr.SetBTAddr(devAddr);
        obexBTProtoInfo.iAddr.SetPort(0x00000009);
        obexClient = CObexClient::NewL(obexBTProtoInfo);
        if(obexClient)
        {
            iState = 1;
            iStatus = KRequestPending;
            Cancel();
            obexClient->Connect(iStatus);
            SetActive();
        }
    }
    else
    {
        iState = 3;
        User::After(1000000);
    }
    return 0;
The function that sends the worm via Bluetooth (Lasco):
            if ( ( iClient = CObexClient::NewL( obexProtocolInfo ) ) )
            {
                iStatus = KRequestPending;
                BluetoothStatus = _BLUETOOTH_NOT_CONNECTED;
                Cancel();
                iClient->Connect( iStatus );
                SetActive();
            }
        }
        else
        {
            BluetoothStatus = _BLUETOOTH_CONNECTED;
        }
    }
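The comparison the article invites can be carried out mechanically. The following is an added example, not code from the article or from Kaspersky Lab: it reduces both excerpts above to the ordered list of names they call and measures how much of the shorter list appears, in order, in the longer one. The function names (api_sequence, lcs_len, compare) and the tokenisation rule are assumptions made for this illustration.

```python
import re

# Excerpts copied from the two listings above, whitespace condensed.
CABIR = """
if(WithAddress) { WithAddress = 0; Cancel();
TBTSockAddr btaddr(entry().iAddr); TBTDevAddr devAddr; devAddr = btaddr.BTAddr();
TObexBluetoothProtocolInfo obexBTProtoInfo;
obexBTProtoInfo.iTransport.Copy(_L("RFCOMM"));
obexBTProtoInfo.iAddr.SetBTAddr(devAddr); obexBTProtoInfo.iAddr.SetPort(0x00000009);
obexClient = CObexClient::NewL(obexBTProtoInfo);
if(obexClient) { iState = 1; iStatus = KRequestPending; Cancel();
obexClient->Connect(iStatus); SetActive(); } }
else { iState = 3; User::After(1000000); } return 0;
"""
LASCO = """
if ( ( iClient = CObexClient::NewL( obexProtocolInfo ) ) ) {
iStatus = KRequestPending; BluetoothStatus = _BLUETOOTH_NOT_CONNECTED;
Cancel(); iClient->Connect( iStatus ); SetActive(); } }
else { BluetoothStatus = _BLUETOOTH_CONNECTED; } }
"""

KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}
# A token is either a name followed by "(" (a call, or a declaration with
# constructor arguments) or a K-prefixed constant. Names that are only
# assigned or passed are ignored: they are the first thing a copyist renames.
TOKEN = re.compile(r"\b([A-Za-z_]\w*(?:::\w+)?)\s*\(|\b(K[A-Z]\w*)\b")

def api_sequence(source):
    """Ordered list of called names and K-constants in a code fragment."""
    names = (m.group(1) or m.group(2) for m in TOKEN.finditer(source))
    return [n for n in names if n not in KEYWORDS]

def lcs_len(a, b):
    """Length of the longest common subsequence of two token lists."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[-1]))
        prev = cur
    return prev[-1]

def compare(src_a, src_b):
    """Similarity of two fragments, judged on call order rather than naming."""
    a, b = api_sequence(src_a), api_sequence(src_b)
    shared = lcs_len(a, b)
    return {
        # Share of the shorter fragment's tokens found, in order, in the other.
        "containment": round(shared / min(len(a), len(b)), 3),
        # Set overlap; drops when one fragment simply shows more code.
        "jaccard": round(len(set(a) & set(b)) / len(set(a) | set(b)), 3),
        "shared_in_order": shared,
    }

if __name__ == "__main__":
    print(api_sequence(LASCO))
    print(compare(CABIR, LASCO))
```

Every call in the Lasco excerpt occurs in the same order in the Cabir excerpt, although the variable names differ. The shared run is also the usual Symbian active-object sequence (set iStatus, issue the request, SetActive), so on fragments this short the score supports the suspicion of reuse without settling it.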
Pbstealer
The first Trojan spy for Symbian, Pbstealer, is another Cabir "offspring". It was created in Asia, probably in China, and was found on a hacked Korean website devoted to Legend of Mir, an online game. This method of distribution and the fact that the Trojan was written with criminal intent demonstrate how the "good intentions" of Cabir's author paved the way for the development of further malware.
The function that enabled the Trojan to send files via Bluetooth came from Cabir. However, authors of the Trojan made one important modification to the original code. The Trojan searches for the phone's address book and sends data contained in it via Bluetooth to the first device found. Hence the name Pbstealer, which stands for "Phonebook Stealer". Until then cybercriminals used various vulnerabilities in the Bluetooth protocol to steal such information, e.g., BlueSnarf. This Trojan, however, greatly extended the possibilities available.
And, of course, Cabir became the carrier of choice for a variety of other Trojans. More than half of all Skuller, Appdisabler, Locknut, Cardtrap and other "vandal" Trojan variants contain Cabir, which has been modified to spread not only itself, but the whole Trojan package. This sort of hybridization has led to significant difficulties in categorizing many malicious programs. We will discuss this in greater detail below.
Comwar
A second landmark in the development of mobile malware was Comwar, the first worm to spread via MMS. Like Cabir, it can spread via Bluetooth, but MMS is the principal method used, making this worm potentially extremely dangerous. Bluetooth operates within a distance of 10 to 15 meters and other devices can be infected only if they are within this range. MMS has no boundaries and can be instantly sent even to handsets in other countries.
The author of Cabir initially considered this idea, but chose Bluetooth for quite obvious (from the viewpoint of 29A ideology) reasons:
"mms: Its easy to route over the agent searching phone numbers and sending them a mms message with the worm attached, but we have two problems:
- We dont know what type of phone are we sending the mms. We dont know if that phone is able to receive mms message or if it could execute the worm.
- We are spending the money of the phone."
The second reason is telling: it means that the author of Cabir did not wish to do financial harm to users. The author of Comwar, on the other hand, had no qualms about this whatsoever.
Although the technology that makes it possible to send malware via MMS is the most attractive to the authors of mobile malware, so far we've only seen the usual transformations performed on the original worm, with baby hackers changing file names and texts in the original files without making any changes to Comwar's functionality. This is due to the fact that the source code for Comwar has not been published and the script kiddies don't know the procedure used to send infected MMS messages.
Currently, we know of 7 modifications of this worm. Four of them include an "author's signature".
CommWarrior v1.0b (c) 2005 by e10d0r
CommWarrior is freeware product. You may freely distribute it in it's original unmodified form.
Comwar.b:
CommWarrior v1.0 (c) 2005 by e10d0r
CommWarrior is freeware product. You may freely distrib
Both Walter Ballenberger & are contributors for EditorialToday. The above articles have been edited for relevancy and timeliness. All write-ups, reviews, tips and guides published by EditorialToday.com and its partners or affiliates are for informational purposes only. They should not be used for any legal or any other type of advice. We do not endorse any author, contributor, writer or article posted by our team.
Walter Ballenberger has since written articles on various topics including Sinus Infections, Baby Shower and Arts. Walt Ballenberger is founder of a resource web site for sinusitis sufferers like himself. For a free report entitled “Sinus Treatment Succe. Walter Ballenberger's top article generates over 40500 views.