Like a moth emerging from its cocoon, the original mobile phone worm Cabir has evolved from proof-of-concept program to an altogether more harmful and fast-spreading variant in just six months. The most recent step is the posting of the original source code on the internet by the virus authoring group 29a, which could lead to a host of other harmful versions being developed and unleashed.
New strains of Cabir have been developed in subsequent months, enabling the worm to spread and infect more rapidly and also to take on a more destructive character. With further mobile malware already in the wild, the addition of a Cabir blueprint could open a new and very unsavoury can of worms.
The metamorphosis
To recap then, what exactly is the Cabir worm, and what does it do? Cabir disguises itself as a Symbian utility called 'Caribe Security Manager' and is sent in Symbian's .SIS file format. If the user accepts the file, Cabir activates. It causes the display to show "Caribe" each time the handset is turned on, and will trigger the infected phone to search for nearby Bluetooth-enabled devices to pass itself along. Cabir shares the highly infectious nature of conventional worms. When F-Secure analysed the sample of Cabir that it received from the authoring group 29a, tests of its infectious capabilities had to be done in the company's shielded bomb shelter, to prevent the worm from connecting to other Bluetooth phones and spreading.
A subsequent version has corrected previous flaws in the worm, enabling Cabir to infect not one handset at a time but any and every vulnerable Bluetooth-enabled phone within range, leading to mushroom-bomb style infection in crowded areas such as trains, offices and restaurants. Phones potentially at risk run the Symbian 60 system and include top-end handsets by Nokia, LG, Lenovo, Panasonic, Samsung, Sendo and Siemens.
A new breed
In December last year we witnessed Cabir being used as a means of propagation of the Trojan, Skulls. Skulls is distributed on some Symbian shareware download sites as "Extended Theme Manager" by "Tee-222" and once installed makes the smartphone features of the phone useless by deactivating messaging, internet access and other applications. The phone also becomes infected with the Cabir virus, which then scans for other vulnerable phones using Bluetooth wireless technology and sends a copy of itself to the first vulnerable phone it finds. Application icons become replaced by pictures of skulls, hence the name.
How Cabir will evolve further remains to be seen, but with the source code now available on the web new variants will almost certainly emerge soon.
The great unknown
While the threat and risk of viruses on desktop PCs is well known, there is precious little awareness of the potential dangers in using mobile phones. Users today trade messages and download ring tones, multimedia clips and games with impunity – and without the protection of anti-virus tools that PC users depend upon.
The mobile market is growing at a ferocious rate, with more than a billion phones in circulation worldwide and ever-new technology and products appearing on the market. Yet with this growth comes an ever-greater threat from would-be virus writers. The advantages gained as devices become increasingly inter-operable and communicative may be tempered by the development of viruses which could soon spread wirelessly across platforms – for instance, from PC to phone and back to PC again, multiplying the risk of an infection from any one source.
With the source code for the Cabir worm now made public, the way has been paved for new variants to be developed, which could spread, infect and cause disruption en masse.
While device manufacturers scramble to neutralise the new threat, consumer education clearly needs to step up quickly to this and other emerging menaces.
Protect and serve
So how do we guard against these attacks? The emerging mobile virus threat calls for new measures from software vendors, service providers and users of mobile devices.
Mobile phone manufacturers are starting to include anti-virus software on their handsets as standard, as usage becomes increasingly diverse and global. Content security for mobiles needs to follow current best practice in conventional networking. On-device solutions such as the Symbian Series 60 version of F-Secure Mobile Anti-Virus, detect the Cabir worm and are able to delete the worm components.
A mobile handset, like a PC, will need anti-virus software to monitor for viruses distributed and propagated via the device and a personal firewall to protect against internal and external attacks on the handset. What's more, the mobile infrastructure itself will need gateway-level scanning to protect back-end networks that communicate against attacks and vulnerabilities.
Responsibility also lies with the consumer. How many Bluetooth phone owners, for instance, know how to switch their phone to 'non-discoverable' mode – a basic protection against the Cabir virus as well as data theft?
Advances in mobile technology will inevitably bring an increased danger from spammers and virus-writers. Mobile anti-virus technology will be a key weapon in combating the threat from malware such as Skulls and the ever-changing Cabir worm.
