Velasco virus source code
One type was Trojan programs, which are designed for financial gain. The first mobile Trojan was Mosquit. In fact, Mosquit.

This was the first malicious program to take advantage of the design faults of Symbian, which make it possible for any application to overwrite system files with its own files without prompting the user. Skuller replaced application icons with a skull and crossbones, and also deleted application files. As a result, the handset would stop working once it had been switched off and on again.

Three new variants of Cabir appeared practically at the same time as Skuller. These new variants were not based on the source code of the original worm. By this time virus writers had got their hands on Cabir, and some of them did what script kiddies do: they renamed the worm files and replaced some of the text in the files with their own.

One variant added Skuller to the original archive. However, this was the first time that Cabir was used as a carrier for other malicious programs. By the beginning of , the main types of mobile malware had evolved, and were used by virus writers over the next eighteen months:. However, although there are only a few main types of behavior, in practice mobile malware comes in a variety of forms.

Kaspersky Lab is currently tracking 31 distinct mobile malware families. The table below shows the main characteristics for each family. However, it took computer viruses over twenty years to evolve, and mobile viruses have covered the same ground in a mere two years. Without doubt, mobile malware is the most quickly evolving type of malicious code, and clearly still has great potential for further evolution.

One of the main differences in the technology used in viruses for mobile devices and personal computers is that, although there are numerous mobile virus families, very few mobile viruses are truly original. This is similar to computer viruses in the late s. A multitude of malicious programs were based on just three viruses: Vienna, Stoned and Jerusalem.

Cabir served as the basis for a number of its own variants, which differ only in terms of the file names and the contents of the sis installation files. Cabir was also used as the basis for such seemingly dissimilar families as StealWar, Lasco and Pbstealer. In addition to worm functionality, programs from this family are capable of infecting files in the phone memory. A Brazilian by the name of Marcos Velasco, who calls himself a mobile virus expert, got hold of the source code for Cabir and began writing viruses.

During the last week of he sent several variants of Cabir that he had written to antivirus companies. Some of them were completely non-operational and all were categorized as Cabir variants. This did not please the author; in an attempt to become famous he created a variant of the worm that was also capable of infecting sis files.

This is how the Lasco worm came to be in antivirus databases. Luckily, the idea of infecting files was not further developed by virus writers, even though Velasco published the source code of his creation on his website. It is still not quite clear whether Cabir was actually used as a source for Lasco. According to Marcos Velasco, he wrote all the code independently, but the number of files, their names and operating principles are very similar to Cabir. It was created in Asia, probably in China, and was found on a hacked Korean website devoted to Legend of Mir, an online game.

The function that enabled the Trojan to send files via Bluetooth came from Cabir. However, authors of the Trojan made one important modification to the original code.

Until then cybercriminals used various vulnerabilities in the Bluetooth protocol to steal such information, e. This Trojan, however, greatly extended the possibilities available. And, of course, Cabir became the carrier of choice for a variety of other Trojans.

This sort of hybridization has led to significant difficulties in categorizing many malicious programs. We will discuss this in greater detail below.

A second landmark in the development of mobile malware was Comwar, the first worm to spread via MMS. Like Cabir, it can spread via Bluetooth, but MMS is the principal method used, making this worm potentially extremely dangerous. Bluetooth operates within a range of 10 to 15 meters, and other devices can be infected only if they are within this range. MMS has no such boundaries and can be sent instantly even to handsets in other countries. The author of Cabir initially considered this idea, but chose Bluetooth for reasons that are quite obvious from the viewpoint of 29A ideology:.

The second reason is telling: it means that the author of Cabir did not wish to do financial harm to users. The author of Comwar, on the other hand, had no qualms about this whatsoever. Currently, we know of 7 modifications of this worm. In addition to the above, variant. This provides one more propagation method in addition to the traditional MMS and Bluetooth. It should be noted that so far Comwar has not spawned a multitude of other families.

As mentioned above, the reason for this is that its source code has not been published. Just like Cabir, it is used as a carrier for other Trojan programs.

Apparently, the only program using Comwar that can lay claim to having started a new family is StealWar. This is a worm that combines Cabir, Comwar and the Trojan Pbstealer.

This type of combination is highly dangerous and capable of spreading widely. This is all the more likely because there is already a serious known MMS handling vulnerability in Windows Mobile , which leads to a buffer overflow and the execution of arbitrary code.

Detailed information about the vulnerability will not be available to the general public until Microsoft releases the relevant update.

Comwar also contributed to the evolution of mobile malware with a technology implemented in variant. The worm conceals itself in the list of processes and is not visible in the standard list of applications currently running. Although the process can easily be discovered using other programs for viewing running processes, this masking method is nevertheless now being used in some other malicious programs for Symbian.

As mentioned above, Skuller is the most numerous family of mobile Trojans: by September 1st, we had seen 31 variants. This is not surprising, as these programs are the most primitive malicious programs for Symbian. Any person who can use a utility for creating sis files will be able to create a Trojan of this kind. The rest of the work is done by the vulnerabilities present in Symbian: it is possible to overwrite any files, including system files, and the system becomes very unstable when it comes across unexpected files i.

Most Skuller variants are based on two files, which we classify as Skuller. One of the main issues in contemporary mobile malware research is classification; specifically, labeling new samples correctly and grouping them into the appropriate classes that reflect their behavior. The main difficulty is that most new malicious programs for mobile devices are hybrids, containing functionality from two or more different types of malware.

There are few, if any, problems when it comes to the family name and variant ID. Occasionally it is difficult to choose a family name, but this is discussed in more detail below. Sometimes it is difficult to identify the environment. However, more and more frequently users are wanting to know which particular Symbian Series a particular piece of malware is coded for.

In our classification system for computer malware, we do identify the specific Windows version: Win16, Win9x, Win In terms of mobile malware, identifying the Symbian series is the least of our problems. Things get much more complicated when we examine Windows Mobile. For instance, there are viruses that were written for Windows CE We named this environment WinCE. However, malware written for Windows Mobile 5.

Mobile and Pocket PC both use a set of functions which are also used by Windows CE, but then have their own specific applications and peculiarities.

As a result, it is very difficult to use the existing classification system to give a specific piece of malware a precise name that reflects its behavior. Additionally, a number of viruses require that. In such cases, we use the designation MSIL for the environment, which does not underline the fact that the malware was coded for mobile devices. Confused yet? This is just the tip of the iceberg.

The most complicated part of naming mobile malware is choosing the behavior. This is where serious complications are caused by hybridization, as well as cross platform mobile malware and the different naming conventions used by different antivirus vendors. Let us assume that we have a certain sis file which in essence is an archived installer.

Based on our current classification system, we would call this a Trojan-Dropper. But not in this case! Cabir, once installed, will send the sis file via Bluetooth. Does this mean the sis file is a worm? And if so, what do we call it? Naming it Cabir would only confuse users. What about Skuller, Locknut or Cardtrap? But none of these names alone are applicable, since the new sample is a hybrid. As a result, the sis file is most likely to be called a Trojan and given a family name of an existing family from our collection.

This name will be chosen on the basis of secondary traits, such as being written by the same author. Velasco runs a small software development company, dotes on his collection of aging computers (which he says he may open to the public one day), and dreams of writing a book on viruses. In the last few weeks, Mr. Velasco's worms have been cataloged in all the major encyclopedias maintained by antivirus companies - from Symantec in Cupertino, Calif.

All classify the virus, like the four or five other known mobile viruses that have emerged over the last year, in the relatively benign "proof of concept" category, meaning that it is currently a low-level threat. Indeed, Mr. Velasco's worm carries no malicious payload.

Still, it represents a significant improvement of sorts over what was largely viewed as the first cellphone virus, called Cabir, thought to have been developed last summer by an international virus-writing collective known as "29A". Cabir, which also took advantage of Bluetooth technology, was able to sniff out other active Bluetooth devices and, if it found one in the typical transmission range of about 11 yards, a user of the receiving device would see a cryptic installation message.

If they unknowingly accepted, the virus would have successfully propagated. But Cabir was limited to one "jump" for each boot-up, not the most efficient way to spread. Velasco repaired that shortcoming and published the improved version on his Web site in December. Then he recompiled the source code to come up with more polished variations that could both exploit the Bluetooth protocol and burrow into a device's system files - waiting to be uploaded by other means, via memory cards or cable links, for instance.

Then he posted those, too. Hypponen of F-Secure said. Velasco's Cabirs are actually much more virulent than the original Cabirs made by 29A, and the Lasco.A virus by him is the first mobile phone virus infecting installation files. All the Cabir and Lasco variants aim at devices using a version of the Symbian operating system, which is collectively owned and licensed by companies including Nokia, Ericsson and Samsung. Until recently, the much-discussed but little-seen mobile phone virus had been hampered by the relatively small market penetration of truly "smart" devices - less than 5 percent of the mobile market over all, according to the research firm Canalys.

Smart devices are those that marry data-rich and virus-vulnerable services like Web browsing, scheduling, e-mail and text messaging, as well as plain old phone service. And the variety of platforms and interfaces running on these machines has thus far rendered them something of a moving target for would-be writers of malicious code.

But Symbian-based devices made big gains in the mobile market in , according to data compiled by Canalys. In the third quarter of , the three major platforms each made up about a third of all smart mobile shipments. In the quarter, Symbian-based devices grew to half of all new shipments. And on Wednesday, Symbian announced its entry, along with PalmSource, into the Open Mobile Terminal Platform group, an organization of mobile phone operators that seeks to bring more interoperability and consistency to the forest of mobile devices on the market.

These are the kinds of preconditions - market penetration, uniformity - that, according to Mr. Pescatore, will be needed to pique the interest of would-be scammers, hackers and virus writers. And in that sense, Mr. Velasco's exploits are something of an early object lesson. Pescatore said, "that is the year to start planning how to prevent this," adding that the real threat will come if virus technicians figure a way to reliably deliver payloads not via the short-distance radio frequencies used by Bluetooth, but by raining them down through the cellular networks.

For now, though, the problem is only about as big as Mr. Velasco - though for many, that is big enough. Other antivirus companies that have downloaded Mr. Velasco's creation and tested it in their labs corroborate the basic functioning of the worm. And while they, too, see it as a relatively benign bit of code in its own right, it suggests the potential for more aggressive worms that might destroy or steal data, generate hidden and expensive phone calls, or render a mobile device inoperable.

But this signals that this is what is possible. That's the real risk from this publication. All the major antivirus vendors offer an inoculation for the Lasco virus on their Web sites - as does Mr.