On June 14, 2004, a well-known Spanish virus collector known as
VirusBuster, who had close links with some virus writers, sent a message
to newvirus@kaspersky.com. The message had a file called caribe.sis
attached. A quick analysis showed that it was
an application for Symbian OS and also an installer archive containing
other files. As a rule, virus analysts deal with files created for
traditional x86 processors. The files in caribe.sis were applications
for ARM processors, which are used in a range of devices, including
mobile phones. Initially, we knew very little about the machine language
used by that processor, but within a few hours our analysts had managed
to familiarize themselves with it. The purpose of the files was then
clear: this was a worm for mobile phones which spread via Bluetooth.
Our conclusions were fully confirmed the next day when we tested the
worm on a Nokia N-Gage telephone running Symbian.
The worm was written by someone going under the name of Vallez. As
far as we know, he lives in France and was, at the time, a member of a
group of virus writers called 29A. The group's aim was to create
proof-of-concept virus code for non-standard operating systems and
applications. Back in June 2004, the
objective was to create a malicious program for smartphones. The author
also chose a non-standard replication method - analysts are used to
worms which spread via email, and Cabir could have been expected to
propagate in the same way, given that Internet connectivity and email
are two of the main features of smartphones. However, the worm's author
chose Bluetooth instead, an approach that turned out to be key.
Cabir is coded for the Symbian operating system, which was, and
remains, the most commonly used operating system in mobile phones. This
market leader position is due largely to the fact that all smartphones
produced by Nokia are Symbian-based. In fact, Symbian+Nokia is currently
the standard smartphone combination, and it's going to take Windows
Mobile a long time to win a significant share of the market from
Symbian.
The appearance of Cabir confirmed the law of computer virus
evolution. In order for malicious programs targeting a particular
operating system or platform to emerge, three conditions need to be
fulfilled:
- The platform must be popular. Symbian was and remains the most popular platform for smartphones, with tens of millions of users throughout the world.
  "Symbian could be a very extended operating system used in mobile phones in the future. Today is the more extended and in my opinion it could be more yet (M$ is fighting too for being into this market too)."
- There must be well-documented development tools for the application.
- The presence of vulnerabilities or coding errors.
Symbian includes a number of faults, by design, in the system that
handles files and services. In the case of Cabir these faults were not
exploited, but most of today's Trojans for smartphones take full
advantage of them.
"Caribe was written in C++. Symbian/Nokia is giving us a complete SDK for developing applications for Symbian operating system."
Cabir immediately attracted the attention not only of antivirus
companies, but of other virus writers as well. The latest issue of
29A's webzine was eagerly awaited, with the expectation that the group
would, in accordance with tradition, publish the worm's source code.
Naturally, the publication of the source code would lead to the
emergence of new, more harmful variants of the worm: this is what always
happens when script kiddies gain access to such technologies. However,
petty cyber criminals can be capable of doing a lot of damage even
without access to original source code.