

Cabir

Cabir (also known as EPOC.cabir and Symbian/Cabir) is the name of a computer worm developed in 2004 that is designed to infect mobile phones running Symbian OS. It is believed to be the first computer worm that can infect mobile phones. When a phone is infected with Cabir, the message "Caribe" appears on the phone's display, and it appears again every time the phone is turned on. The worm then attempts to spread to other phones in the area using wireless Bluetooth signals.

The worm was not sent out into the wild, but sent directly to anti-virus firms, who believe Cabir in its current state is harmless. However, it does prove that mobile phones are also at risk from virus writers. Experts also believe that the worm was developed by a group who call themselves 29A, a group of international hackers, as a "proof of concept" worm in order to catch world attention. It failed to infect any of its targets.

The worm can attack and replicate on Bluetooth-enabled Series 60 phones. The worm tries to send itself to all Bluetooth-enabled devices that support the "Object Push Profile", which can also be non-Symbian phones, desktop computers or even printers. Symantec reports that the worm spreads as a .SIS file installed in the Apps directory. Unlike actual PC worms, Cabir does not spread if the user does not accept the file transfer or does not agree to the installation. F-Secure reports that some phones, at least, warn the user about an unverified supplier. So, like many other worms, this sample also needs a good portion of social engineering to reach its goal.

While the worm is considered harmless because it replicates but does not perform any other activity, it will result in shortened battery life on portable devices due to constant scanning for other Bluetooth-enabled devices.

Newest Symbian OS threats:

Drever.A is a SIS file trojan that tries to disable Simworks Anti-Virus and Kaspersky Anti-Virus. Locknut.B is a new variant of the Locknut trojan family, which disables the phone so that it can be disinfected only with a special disinfection tool.

- Drever.A is a malicious SIS file trojan that disables the automatic startup of the Simworks and Kaspersky Symbian anti-virus products. Currently it is still unverified whether either of these products has protection against such attacks.

- Locknut.B is a malicious SIS file trojan that pretends to be a patch for Symbian Series 60 mobile phones. When installed, Locknut.B drops a binary that crashes a critical system component, which prevents any application from being launched on the phone, effectively locking the phone.

- Mabir.A is essentially Cabir with added MMS functionality. Both are written by the same author and have very similar code, so it seems that Mabir.A is based on the Cabir source code. Mabir.A spreads over Bluetooth using the same routine as early variants of Cabir: when Mabir.A activates, it searches for the first Bluetooth phone it finds and starts sending copies of itself to that phone. If the phone Mabir.A finds goes out of range, Mabir.A still seems to stay locked on to it.

- Fontal.A is a SIS file trojan that installs a corrupted file which causes the phone to fail at reboot. If the user tries to reboot the infected phone, it will be permanently stuck on the reboot and cannot be used before disinfecting. Currently the only known method of repairing the phone is to use the reformat key combination, which causes the phone to lose all data. And because of that, we are not writing the code here on the weblog. Fontal.A is a trojan, and as such it does not spread by itself, neither over Bluetooth nor over any other channel. The most likely way for a user to get infected would be to get the file from IRC or peer-to-peer file sharing and install it on the phone. So to avoid Fontal and other trojans, download files only from legal sources.


Copyright © 2000-2008 Slider.com. All rights reserved.
Content is distributed under the GNU Free Documentation License.