In this excerpt of Chapter 9 from The Art of Computer Virus Research and Defense, author Peter Szor dissects the Cabir worm.
The SymbOS/Cabir worm marks the start of a new era of computer worms, one that will grow as wireless smart phones replace current mobile phones, whose programmability is limited. Cabir appeared in June 2004 and has a number of unique features. It runs on Nokia Series 60 phones with the Symbian operating system. Symbian OS descends from the 32-bit EPOC operating system (EPOC32); in fact, it is EPOC Release 6 under a new name.
Interestingly, Cabir spreads using the Bluetooth feature of wireless phones. The worm's code is compatible with mobile phones that use ARM series processors and run Symbian OS. Bluetooth is normally off by default on mobile phones, but users who switch it on to exchange small programs with each other open the same channel to Cabir-like worms.
When executed, Cabir installs itself into several directories of Symbian OS so that it runs each time the user boots the phone. Fortunately, newer phone models disallow this. On older phones, however, the worm's components cannot easily be found without a custom file manager application. Cabir does not enumerate the Bluetooth devices in range; it takes only the first device it finds and communicates with that one. The standard Bluetooth range is about 30 feet (10 meters), and not all Bluetooth devices will accept connections from one another. (However, researchers such as Mark Rowe, who are experienced with Bluetooth signal amplification, have pointed out that attackers could use such equipment to extend the range reliably to about 300 feet.)
In addition, researchers such as Ollie Whitehouse of @stake demonstrated that Bluetooth devices can be found even in the so-called "non-discoverable" mode: a non-discoverable device stops answering inquiry scans, but it still responds to a connection attempt addressed directly to its Bluetooth address, so that address can be brute-forced. Several Bluetooth attack tools exist today, including Bluesniff, Btscanner, PSMscan and, the most popular, Redfang.
During the natural infection tests, Cabir first talked to a Bluetooth printer, which strangely acted as a "sticky" honeypot system and blocked the worm, given that the printer did not support the Object Exchange (OBEX) protocol that is required to send a file. However, the worm successfully infected another phone as soon as I turned the Bluetooth printer off. Cabir is overly active in searching for other phones, which can easily drain the phone's battery, much as happens when a phone keeps hopelessly searching for a network provider with none in range.
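The propagation behaviour described above (first device only, OBEX Object Push required, recipient must accept) and the "non-discoverable" point from the Redfang paragraph, as an added Python simulation. This is not code from the book or from the worm itself: the devices, their addresses and the payload file name are constructed in memory, and the OBEX Object Push service UUID (0x1105) is the Bluetooth SDP assigned number. The `enumerating_step` function is a deliberate contrast, not a claim about Cabir, to show that the printer's "sticky honeypot" effect exists only because the worm never looks past the first device.

```python
"""Simulation of the Bluetooth behaviour the text attributes to SymbOS/Cabir.

Added example, not code from the book or from the worm. With constructed
in-memory devices instead of a real Bluetooth stack it models the first-device-only
propagation, the OBEX Object Push requirement, the recipient's accept prompt, and why a
"non-discoverable" device can still be found by paging addresses directly.
Device names, addresses and the payload file name are all made up.
"""
from dataclasses import dataclass, field

OBEX_OBJECT_PUSH = 0x1105  # Bluetooth SDP service class UUID for OBEX Object Push


@dataclass
class BtDevice:
    addr: str                                   # BD_ADDR (constructed)
    name: str
    services: set = field(default_factory=set)  # SDP service UUIDs the device offers
    discoverable: bool = True                   # answers inquiry scans?
    accepts_push: bool = False                  # user accepts the incoming-file prompt?
    infected: bool = False


def inquiry(devices):
    """Model of an HCI inquiry: discoverable devices in range, in the order they answer."""
    return [d for d in devices if d.discoverable]


def page(devices, addr):
    """Model of a direct connection attempt to one address. A non-discoverable
    device only keeps quiet during inquiry; it still answers a page to its own
    address, which is what Redfang-style address brute forcing relies on."""
    for d in devices:
        if d.addr.upper() == addr.upper():
            return d
    return None


def obex_push(target, payload):
    """Model of an OBEX Object Push to target. Returns (ok, reason)."""
    if OBEX_OBJECT_PUSH not in target.services:
        return False, "no OBEX Object Push service"  # the printer case in the text
    if not target.accepts_push:
        return False, "recipient declined the incoming message"
    target.infected = True
    return True, "delivered " + payload


def cabir_step(devices, payload="worm.sis"):
    """One iteration of the loop as the text describes it: take the first device
    inquiry returns and push the installer to it, whatever that device is.
    Returns (target name or None, ok, reason)."""
    found = inquiry(devices)
    if not found:
        return None, False, "no device in range"
    target = found[0]
    ok, reason = obex_push(target, payload)
    return target.name, ok, reason


def enumerating_step(devices, payload="worm.sis"):
    """Contrast, NOT Cabir's behaviour: a worm that tries every device found.
    Returns the names it delivered to; shows that the 'sticky' printer effect
    depends entirely on the first-device-only logic."""
    return [d.name for d in inquiry(devices) if obex_push(d, payload)[0]]


def run(devices, iterations=3, payload="worm.sis"):
    """Run several Cabir-style iterations; return (per-step log, infected names)."""
    log = [cabir_step(devices, payload) for _ in range(iterations)]
    return log, sorted(d.name for d in devices if d.infected)


def brute_force_hidden(devices, oui, low_end=0x1000):
    """Page every address oui:xx:xx:xx below low_end and return the devices that
    answer but were absent from the inquiry result. The real space is 2^24
    addresses per OUI; the range is cut down so the simulation runs instantly."""
    visible = {d.addr.upper() for d in inquiry(devices)}
    hidden = []
    for low in range(low_end):
        addr = f"{oui}:{(low >> 16) & 0xFF:02X}:{(low >> 8) & 0xFF:02X}:{low & 0xFF:02X}"
        d = page(devices, addr)
        if d is not None and d.addr.upper() not in visible:
            hidden.append(d)
    return hidden


def make_lab():
    """Constructed test bed: a printer without OBEX that answers inquiry first,
    a phone whose user accepts pushes, and a phone set to non-discoverable."""
    printer = BtDevice("00:11:22:00:00:01", "printer")
    phone = BtDevice("00:11:22:00:00:02", "phone", {OBEX_OBJECT_PUSH}, accepts_push=True)
    hidden = BtDevice("00:11:22:00:0A:3C", "hidden-phone", {OBEX_OBJECT_PUSH}, discoverable=False)
    return printer, phone, hidden


if __name__ == "__main__":
    printer, phone, hidden = make_lab()
    print(run([printer, phone, hidden]))   # printer answers first and blocks every step
    print(run([phone, hidden]))            # printer off: the phone is infected at once
    print([d.name for d in brute_force_hidden([printer, phone, hidden], "00:11:22")])
```

With the printer in range, every iteration of `run` ends at the printer with "no OBEX Object Push service" and nothing is infected; remove the printer and the accepting phone is infected on the first step, while a phone whose user declines the prompt never is. The hidden phone never appears in `inquiry`, yet `brute_force_hidden` finds it by paging addresses under the constructed OUI.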
A further problem is that you need to "hide" with the mobile phones (keep them out of range of any other Bluetooth device) when you test-replicate worms. Although the recipient must accept the incoming message to receive it, you do not want to infect another phone "by accident." In fact, several vulnerabilities of Bluetooth systems are known: some of them can be used to execute arbitrary code on Pocket PC devices, and others to mount phishing attacks on a number of smart phone types.
Indeed, you can expect that in the future worms will make phone calls from your mobile phone instead of you. There may be a new era of MMS (Multimedia Messaging Service) based mass-mailer worms, as well as SMS (Short Message Service) based downloaders, porn dialers and spammer applications. Who is going to pay the bill?
Download Chapter 9, Strategies of Computer Worms.