Mobile Viruses


SEMINAR REPORT

ON

“MOBILE VIRUSES”

Submitted by

Mr. Parag A. Kadu

Guided by

Prof. Mrs. R.V. Pawar

Department of Computer Engineering,

VIT, Pune

2006-2007

CERTIFICATE

This is to certify that, seminar work entitled

“MOBILE VIRUSES”

has been duly completed by

Mr. Parag A. Kadu

in a satisfactory manner as per the syllabus.

Prof. Mr. S.N. Mali (H.O.D)        Prof. Mrs. R.V. Pawar (Guide)

Department of Computer Engineering

Vishwakarma Institute of Technology, Pune.

2006-2007

ACKNOWLEDGEMENT

Acknowledgement is a small bouquet for appreciation and gratitude towards those whose
help, guidance and criticism led my seminar to utter success.

I take this gracious opportunity to express my profound gratitude towards my guide,
Prof. Mrs. R.V. Pawar, for her precious guidance through my seminar work.

I extend my thanks to Prof. Mr. S.N. Mali, H.O.D., Dept. of Computer Engg., for his kind
support.

I am also obliged to all professors and my colleagues for their help.

Mr. Parag A. Kadu
(TE-comp)

ABSTRACT

As the title suggests, this seminar deals mainly with the viruses that have affected mobile
phones so far. The seminar gives an introduction to:

1) What are viruses?
2) What are the new mobile technologies?
3) What is the Symbian operating system (OS)?
4) Which mobile viruses have been found?

It also contains an in-depth discussion of a few viruses, worms and Trojan horses that
prevailed for a longer time, creating havoc. Those discussed are:

1) Cabir
2) Phage
3) Skulls
4) Mosquitos, etc.

It also mentions the cell phones that are prone to these viruses, and the companies
that have already started creating antivirus software to overcome them.

The seminar aims at creating awareness among the huge number of users, so that they are
cautious while using mobiles and use anti-virus software on them, and at showing the need
for more effective and efficient anti-virus software.

CONTENT

Chapter

1 Introduction
  1.1 Platforms for Wireless Devices
    1.1.1 Palm OS
    1.1.2 EPOC32/Symbian OS
    1.1.3 Windows CE
  1.2 Overview of Threats and Potential Damage
    1.2.1 Applications Based Threats
    1.2.2 Contents Based Threats
    1.2.3 Mixed Threats

2 Viruses: Know Your Enemy
  2.1 What are Viruses?
  2.2 How Viruses Work?
    2.2.1 File/Parasitic viruses
    2.2.2 Boot Sector Viruses
    2.2.3 Multipartite viruses
    2.2.4 Network viruses
    2.2.5 E-mail viruses
  2.3 Other Malicious Softwares
    2.3.1 Trojan Horse
    2.3.2 Worms

3 Mobile Technologies
  3.1 Growth of Mobile Users
  3.2 Different Technology Used In Mobile Communication
    3.2.1 CDMA Technology
    3.2.2 GSM Technology
    3.2.3 GPRS Technology
  3.3 Wireless Technology
    3.3.1 What is Bluetooth?
    3.3.2 How did the Name Originate?
    3.3.3 Why Bluetooth?
    3.3.4 Applications of Bluetooth in Mobiles
  3.4 Infrared (IR)

4 Symbian OS
  4.1 What is Symbian OS?
  4.2 Why a Different OS?
  4.3 Symbian OS V 8.0
  4.4 Symbian OS V 9.0

5 Mobile Viruses: A Growing Threat
  5.1 The First Virus: Cabir
    5.1.1 Aliases
    5.1.2 Cabir
    5.1.3 Threats
    5.1.4 Arrival and Installations
    5.1.5 Symptoms
  5.2 Duts1520
    5.2.1 Aliases
    5.2.2 Size
    5.2.3 Duts
    5.2.4 Duts Message
  5.3 Bloomsday
  5.4 Timofonica
  5.5 Lasco
  5.6 Skulls
  5.7 Mosquitos Trojan
  5.8 Commwarrior
  5.9 Phage
  5.10 Vapor
  5.11 Future Possibilities

6 Intentions of Virus Writers

7 Deploying Your Defence: Anti-Virus
  7.1 Current Infrastructure
  7.2 Problems in Making Anti-Viruses
  7.3 How to Protect Your Phone?

8 Precaution Better Than Cure

9 Bibliography

10 Glossary

LISTS

Abbreviations:
PDA     Personal Digital Assistant
ROM     Read Only Memory
RAM     Random Access Memory
OS      Operating System
CPU     Central Processing Unit
PE      Portable Executable
CF      Compact Flash
API     Application Program Interface
PCS     Personal Communication System
MTSO    Mobile Telecommunications Switching Office
GPS     Global Positioning System
CDMA    Code Division Multiple Access
GSM     Global System for Mobile Communication
GPRS    General Packet Radio Service
MMS     Multimedia Messaging Service
SMS     Short Messaging Service
IR      Infrared Service
MSC     Mobile Switching Service

CHAPTERS

1) Introduction
2) Viruses: Know Your Enemy
3) Mobile Technology
4) Symbian OS
5) Mobile Viruses: A Growing Threat
6) Intentions of Virus Writers
7) Deploying Your Defence: Anti-Virus
8) Precaution Better Than Cure
9) Bibliography
10) Glossary

CHAPTER 1

INTRODUCTION

Until a few months ago, we were using mobile phones with closed operating systems
offering a small number of passive, pre-built functions. They were limited-ability
devices, like our television sets, and did just what they were programmed for. They
lacked an environment to support executables and therefore shut out viruses as well as
third-party feature-enhancement programs. Things have changed now. Java- and
.NET-enabled handsets running on smart, powerful operating systems such as Windows
Mobile and Symbian are getting popular among feature-savvy users.

The Windows environment is traditionally known for attracting virus writers, and the
latest programming languages from Microsoft and Sun Microsystems have made it possible
for users to run outside executables on their phones to enhance their features. Nokia,
whose handsets were targeted by Cabir, the proof-of-concept virus, is among the early
adopters of Java technology. Motorola has also demonstrated mobile phones fully enabled
with the Java programming language. Not to be left behind, Microsoft has started
shipping its Smartphones, which offer a convenient Windows-like environment on mobile
devices that allows users to surf the Internet, use email and instant messaging, and
listen to music. The IT giant has also partnered with HP to create the HP iPAQ h6315,
the first Windows Mobile-based Pocket PC Phone Edition device with integrated WiFi
capabilities.

Surely, these are great gadgets that will turn our mobile devices from mere
communication tools into super-charged, multi-utility, intelligent little workhorses
with awesome computing power. But they have opened a world of possibilities for the
destructive-minded, as the hacking group 29A proved by creating the proof-of-concept
WindowsCE.Duts virus. Ellen O’Gormon at Microsoft Mobile Security believes that even
though the threat of viruses is real, they will be able to tackle it. He says, “Windows
Mobile-based devices offer, through a combination of built-in functionality and
third-party software and peripherals, security options similar to laptop PCs that
include support for strong passwords, authentication and encryption. In addition,
Windows Mobile-based devices also can take advantage of security technology inherent
in other Microsoft products.”

Although this has many long-lasting benefits, the dark side has now surfaced. Many of
these handheld devices are potentially susceptible to some form of malicious code that
could render them non-functional. This seminar supports that claim by looking into the
history of viruses and their effects on cell phones.

Although malicious code has yet to cause serious damage or incur substantial costs in
the wireless arena, such code, seen in the lab and in some real cases, has indicated
that it has the potential for serious disruption to the wireless infrastructure.

The early handheld viruses spread slowly, since most PDAs were not wireless-enabled.
However, with the growing prevalence of handheld wireless functionality, the threat
grows as well. In fact, the modern Windows Mobile device has most of the ingredients
for viral spread, such as a processor, RAM, writable memory, Pocket Microsoft Word, and
even a Pocket Outlook mail client. Worse, unlike on their desktop counterparts, security
measures such as firewalls and virus scanners are not widely used on handhelds. Combine
all this with an unsecured wireless link, and the potential for viral spread
multiplies. The future may be even worse. With distributed programming platforms such
as .NET, combined with Microsoft's Windows Mobile platforms, such as Pocket PC and
Smartphone, the potential for viruses is even greater.

1.1 Platforms for wireless devices:


1.1.1 PalmOS:
The leading platform for handheld computing devices is Palm OS. The file system is
optimized for synchronization with a primary device (the desktop computer) and for the
limited storage area available. Data is stored in memory blocks called records. Related
records are grouped in databases. Palm devices contain both RAM and ROM. The ROM
generally holds the operating system. Newer versions of Palm devices allow the ROM to
be flashed, potentially to update system files, and can also use flash cards for
additional memory or functionality. They use the latest Motorola 68k Dragonball series
CPU.

1.1.2 EPOC32/Symbian OS:
EPOC runs on 32-bit CPUs. Applications are generally developed under Windows, initially
in PE (portable executable) format using the EPOC emulator, then recompiled for the ARM
architecture and transferred to the EPOC device. For storage, Psion devices comprise
ROM, RAM and optional CF (Compact Flash) cards. The ROM contains the operating system
as well as all the built-in applications and middleware. Files located on the Psion ROM
are executed in place. The RAM contains the additional applications stored by the user,
active programs, and the active copy of the system kernel. Hardware resources such as
the system RAM are isolated from applications via a privilege boundary. Running in
privileged mode, the kernel controls all of the device’s hardware resources. All other
user-mode applications that need access to hardware resources must access them via the
kernel.

Four of the six basic virus types so far have been written for the Symbian operating
system and two for Microsoft-powered devices. There are about 20 million phones with
the Symbian system in operation now, versus a total of 1.7 billion mobile phone users
last year.

Symbian was targeted more than others because it was emerging as a leader in operating
systems for advanced phones able to surf the Internet and make wireless connections
with other phones via Bluetooth. Virus writers always target the biggest system.

1.1.3 Windows CE:


Windows CE was designed to be an operating system that contained a
subset of the Win32 API with potentially reduced hardware resources. While source code
is generally the same when developing a Windows CE application, there are many
hardware devices with different CPUs, which can utilize Windows CE.

1.2 Overview of Threats and Potential Damage:


On the surface, the vulnerability (the state of being easily harmed) of wireless devices
to viruses and malicious code threats appears to follow the same patterns of
vulnerabilities that the wired world has experienced. Yet, upon closer inspection, the
vulnerabilities are more numerous and complex and can be categorized into three groups:
• Application-based threats
• Content-based threats
• Mixed threats
1.2.1 Application-based Threats:
Application-based threats are posed by executable malicious code that
latches on to existing, or new, wireless applications. The first malicious application-based
program that specifically targeted the Palm operating system (OS) used in Palm Pilot
personal digital assistants (PDAs) was Liberty Crack.

1.2.2 Content-Based Threats:


In content-based threats, the content (e.g., derogatory messages) is the threat,
or malicious use of the content is the threat (e.g., spamming of email). While email has
become the “killer app” of the wireless world, it is also one of the most vulnerable to
attack. Hence, the most common content-based threats to the wireless infrastructure occur
through infected email or spam mail. Another potential content-based threat that may
soon enter the wireless world, as wireless devices become more sophisticated over time,
is the embedded script virus or worm. Prior to the first observation of this class of viruses,
viruses could be contracted only through email by double clicking on an infected email
attachment. With the discovery of embedded script viruses, such as the VBS_Kakworm
and VBS_Bubbleboy, viruses can now infect a user’s system when the email is opened.

1.2.3 Mixed Application/Content-Based Threats:


The third type of threat is worse than the previous two types combined. While not yet
seen in the wild or even in the laboratory, a threat that integrates techniques from
both of these threat types could be formidable indeed. Imagine a virus that involved the
unwitting (unknowing) download of sophisticated malicious code attached to a shareware
program that wiped out wireless device applications and propagated itself rapidly
across the wireless infrastructure via email address books. Such a virus could cause
damage to each device it encountered and spread across a country, or across the world,
overnight.

Most antivirus companies, including F-Secure, Trend Micro, and Symantec, offer
antivirus software for mobiles that can detect the new versions of Cabir.

CHAPTER 2
VIRUSES: KNOW YOUR ENEMY

The first program to show the properties of what we now call viruses was Elk Cloner,
in 1981.

2.1 What are viruses?
You need to know your enemies before you can attempt to defeat them. A virus is a
program or piece of code that is loaded without your knowledge and runs against your
wishes. Viruses can also replicate themselves. All viruses are man-made. A simple virus
that can make a copy of itself over and over again is relatively easy to produce. Even
such a simple virus is dangerous because it will quickly use all available memory and
bring the system to a halt. An even more dangerous type of virus is one capable of
transmitting itself across networks and bypassing security systems.

A mobile phone virus is a computer virus specifically adapted for the cellular
environment and designed to spread from one vulnerable phone to another. While doing
so, it could do a world of damage, which could cost you dear. The damage could consist
of destroyed files, corrupted data, slow performance, and interrupted or unexpected
closing of important programs.

2.2 How viruses work?


There are thousands of viruses out there and new ones are discovered every day. It is
difficult to come up with a generic explanation of how viruses work, so we will look at
some broad categories that are used to describe the various types of viruses.

2.2.1 File Viruses (Parasitic Viruses)
File viruses are pieces of code that attach themselves to executable files, driver
files or compressed files and are activated when the host program is run. After
activation, the virus may spread by attaching itself to other programs in the system,
and also carry out the malevolent activity it was programmed for. Most file viruses
spread by loading themselves into system memory and looking for any other programs
located on the drive. If the virus finds one, it modifies the program so that it
contains and activates the virus the next time it runs. It keeps doing this repeatedly.

Besides spreading themselves, these viruses also carry some type of ‘trigger’. The
trigger could be a specific date, or the number of times the virus has been replicated,
or anything equally trivial.

2.2.2 Boot sector viruses


A boot sector virus affects the boot sector of a disk, which is a very crucial part
used for booting the operating system. By inserting its code into the boot sector, a
virus guarantees that it loads into memory during every boot sequence.

A boot virus doesn’t affect files; instead, it affects the disks that contain them.
Though boot viruses still exist, they are rare compared to new-age malicious software.
Another reason why they are not so prevalent is that operating systems today protect
the boot sector, which makes it hard for them to thrive.
2.2.3 Multipartite Viruses
Multipartite viruses are a combination of both boot sector and file viruses. These
viruses come in through infected media and reside in memory. They then move on to the
boot sector of the disk. From there, the virus infects executable files on the disk and
spreads across the system.
2.2.4 Network viruses
This kind of virus is proficient at spreading quickly over the Internet. Usually it
propagates through shared resources. Once it infects a new system, it looks for
potential targets by searching the network for other vulnerable systems.

Mobiles are affected mostly by network viruses, because of the increasing use of
Bluetooth, infrared and the Internet.
2.2.5 Email Viruses
An email virus spreads to all the contacts located in the host’s email address
book. If any of the e-mail recipients open the attachment of the infected mail, it spreads to
the new host’s address book contacts and then proceeds to send itself to all those contacts
as well.

2.3 Other Malicious Softwares


New-age computing has brought about a new breed of malicious software. Today the term
‘virus’ has become a generic term for all the different ways that your system can be
attacked by malicious software. Here are some of the new problems faced today.
2.3.1 Trojan Horses
The biggest difference between a Trojan and a virus is that Trojans don’t spread
themselves. Trojan horses disguise themselves as useful software available for download
on the Internet, and naive users download and run them only to realize their mistake
later.

A Trojan horse is usually divided into two parts: a server and a client. It’s the
client that is cunningly disguised as important software and placed in peer-to-peer
file sharing networks or unofficial download sites. Once the client runs on your
system, the server side has control over your system, which can lead to devastating
effects.
2.3.2 Worms
Computer worms are programs that reproduce and run independently, and travel across
network connections. The main difference between viruses and worms is the method by
which they reproduce and spread. A virus depends on a host file or boot sector, and on
the transfer of files between machines, to spread, while a worm can run completely
independently and spread of its own accord through network connections.

The security threat of worms is equivalent to that of a virus. Worms are capable of
doing a whole range of damage, such as destroying files in your system, slowing it to a
great extent, or causing programs to crash.

CHAPTER 3
MOBILE TECHNOLOGIES

3.1 Growth of Mobile Users


The evolution of radio and mobile core network technologies over the last two decades
has enabled the development of the ubiquitous personal communications services (PCS),
which can provide the mobile user with voice, data and multimedia services at any time,
any place and in any format, to paraphrase the definition of Encyclopedia Britannica.

Its hallmarks are ubiquitous service to roving users, low subscriber terminal costs and
service fees, and compact, lightweight and unobtrusive personal portable units. How
popular wireless communication has become in less than a decade of accelerated
deployment can be attested to by the size of the market, as well as the capitalization
and the penetration of cellular technologies worldwide. Cellular radio provides mobile
telephone service by employing a network of cell sites distributed over a wide area. A
cell site contains a radio transceiver and a base controller, which manages, sends, and
receives traffic from the mobiles in its geographical area to a cellular telephone
switch. It also employs a tower and its antennas, and provides a link to the distant
cellular switch called a mobile telecommunications switching office (MTSO). This MTSO
places calls from land-based telephones to wireless customers, switches calls between
cells as mobiles travel across cell boundaries, and authenticates wireless customers
before they make calls. The overall growth of mobile users is an indication of the
popularity of this system.
3.2 Different Technology Used in Mobile Communication

3.2.1 CDMA (Code Division Multiple Access) Technology


The world is demanding more from wireless communication technologies
than ever before. More people around the world are subscribing to wireless services
and consumers are using their phones more frequently. Add in exciting Third-
Generation (3G) wireless data services and applications - such as wireless email,
web, digital picture taking/sending and assisted-GPS position location applications -
and wireless networks are asked to do much more than just a few years ago. This is
where CDMA technology fits in. CDMA consistently provides better capacity for
voice and data communications than other commercial mobile technologies, allowing
more subscribers to connect at any given time, and it is the common platform on
which 3G technologies are built. CDMA is a "spread spectrum" technology, allowing
many users to occupy the same time and frequency allocations in a given band/space.
As its name implies, CDMA assigns unique codes to each communication to
differentiate it from others in the same spectrum. In a world of finite spectrum
resources, CDMA enables many more people to share the airwaves at the same time
than do alternative technologies. The CDMA air interface is used in both 2G and 3G
networks. CDMA is the fastest growing wireless technology and it will continue to
grow at a faster pace than any other technology. It is the platform on which 2G and
3G advanced services are built.
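
The code assignment described above can be shown with a small model. This is an added example, not part of the original report; it assumes a simplified, noise-free, chip-synchronous channel and uses Walsh (Hadamard) codes as the "unique codes", and all function names are chosen here for illustration.

```python
def walsh_codes(n):
    """Return n mutually orthogonal +/-1 codes (n must be a power of two)."""
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    h = [[1]]
    while len(h) < n:
        # Hadamard doubling: [H H; H -H]
        h = [r + r for r in h] + [r + [-x for x in r] for r in h]
    return h


def spread(bits, code):
    """Map each data bit (0/1) to -1/+1 and multiply it by every chip of the code."""
    return [(1 if b else -1) * c for b in bits for c in code]


def channel(*signals):
    """Users transmit at the same time on the same band: chips simply add up."""
    return [sum(chips) for chips in zip(*signals)]


def despread(rx, code):
    """Correlate each code-length block with one code to recover that user's bits.

    A correlation of zero means nobody used this code in that bit period.
    """
    n = len(code)
    out = []
    for i in range(0, len(rx), n):
        corr = sum(r * c for r, c in zip(rx[i:i + n], code))
        out.append(None if corr == 0 else int(corr > 0))
    return out


# Constructed sample data: three users, each with its own code, one shared channel.
CODES = walsh_codes(4)
BITS_A, BITS_B, BITS_C = [1, 0, 1], [0, 0, 1], [1, 1, 0]


def demo():
    """Send three bit streams at once and recover each with its own code."""
    rx = channel(spread(BITS_A, CODES[1]),
                 spread(BITS_B, CODES[2]),
                 spread(BITS_C, CODES[3]))
    return {
        "rx": rx,
        "a": despread(rx, CODES[1]),
        "b": despread(rx, CODES[2]),
        "c": despread(rx, CODES[3]),
        "unassigned": despread(rx, CODES[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The receiver for each user sees the sum of all three transmissions, yet correlation with its own code cancels the other two because the codes are orthogonal.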

3.2.2 GSM (Global system for mobile communication) Technology


GSM is a globally accepted standard for digital cellular
communication. GSM is the name of a standardization group established in 1982 to create
a common European mobile telephone standard that would formulate specifications for a
cellular radio system operating at 900 MHz.

The GSM network can be divided into three broad parts. The
subscriber carries the Mobile Station. The Base Station Subsystem controls the radio link
with the Mobile Station. The Network Subsystem, the main part of which is the Mobile
services Switching Center (MSC), performs the switching of calls between the mobile
users, and between mobile and fixed network users. The MSC also handles the mobility
management operations. Not shown is the Operations and Maintenance Center, which
oversees the proper operation and setup of the network.

3.2.3 (GPRS) General Packet Radio Service

GPRS is a packet-based wireless communication service that provides a continuous
connection to the Internet for mobile phone and computer users.

In response to customer demand for wireless Internet access, and as a stepping-stone to
3G networks, many GSM operators are rolling out general packet radio service (GPRS).
This technology increases the data rates of existing GSM networks, allowing transport
of packet-based data. New GPRS handsets will be able to transfer data at rates much
higher than the 9.6 or 14.4 kbps currently available to mobile-phone users.

Unlike circuit-switched 2G technologies, GPRS is an "always-on" service. It will allow
GSM operators to provide high-speed Internet access at a reasonable cost by billing
mobile-phone users for the amount of data they transfer rather than for the length of
time they are connected to the network.

3.3 Wireless Technologies in Mobiles

3.3.1 What is Bluetooth?


Bluetooth is the name given to a new technology standard that uses short-range radio
links. It is essentially a protocol for wireless connectivity of a diverse set of
devices, ranging from Personal Digital Assistants (PDAs), mobile phones and laptops to
cooking ovens, fridges, thermostats etc. in a home-like environment. Bluetooth came out
of the womb of the Swedish telecommunications giant Ericsson, which in 1994 had taken
up a study of the feasibility of a low-power, low-cost radio interface for eliminating
cables between mobile phones and their accessories.
3.3.2 How did the name originate?
The name Bluetooth comes from the Dutch ruler “Harald Bluetooth” of late 900 A.D., who
ruled the greater part of Denmark and Norway during his reign. Choosing this name for
the standard is a testament to the importance of the companies from the Baltic region
to the communications industry.

3.3.3 Why Bluetooth?


1) It is wireless
2) It is low-power
3) It is inexpensive
4) Usability anywhere in the world
5) Used for voice as well as data transmission
6) Omni-directional i.e. no line of sight required.
7) Transmission speed up to 780 kbps.

3.3.4 Applications of Bluetooth in Mobiles


1) Wireless headsets for mobile phones.
2) Bluetooth-enabled Personal Digital Assistants (PDAs), mobile phones etc.
for synchronizing information with a PC.
3) Transferring data on to mobile devices from a PC.
4) Wireless mobile gaming.

3.4 IR (Infrared)

IR is the use of devices that convey data via infrared radiation; it is employed in
certain limited-range communications and control systems. Nowadays infrared is not used
much because of its line-of-sight requirement and slow speed.

CHAPTER 4
SYMBIAN OPERATING SYSTEM

4.1 What is Symbian OS?


Symbian OS is the global industry standard operating system for smart
phones, and is licensed to the world’s leading handset manufacturers, which account for
over 85 per cent of annual worldwide mobile phone sales.

The Symbian OS led the global smart phone market with a 62.8 percent share at the end
of the second quarter, followed by Microsoft at 15.9 percent and PalmSource with 9.5
percent, according to industry researcher Canalys.com.

4.2 Why a different operating system?


A mobile phone is not merely used as a ‘phone’; it is becoming a mini-PC for users. We
can access the Internet, send e-mail, play games etc. on mobiles. These applications
create the need for an OS, and hence a specifically designed operating system is
required.

4.3 Symbian OS v 8.0


Symbian OS v8.0 is designed to meet the needs of Symbian OS licensees,
network operators and enterprises by driving down Symbian OS phone build cost,
providing upgraded Java and multimedia capabilities, as well as advanced device
management functionality.

4.4 Symbian OS v 9.0
Symbian OS v9 is helping lower Symbian OS licensee development
costs and accelerate time to market for smaller, less expensive and even more capable
Symbian OS smart phones. As a robust, secure, open and standards-based platform,
Symbian OS v9 will support network operators' cost-effective deployment of revenue-
generating services, content and applications.

CHAPTER 5
MOBILE VIRUSES: A GROWING THREAT

5.1 The first virus: Cabir


5.1.1 Aliases
Caribe.sis, EPOC.Cabir (NAV), EPOC_CABIR (Trend), Symbian.Cabir.gen, Symbian/Cabir.a,
Symbian/Cabir.b, Symbian/Cabir.rsc, SymbOS/Cabir, Worm.Symbian.Cabir (AVP).
5.1.2 Cabir
Although mobile phone virus hoaxes have been around for years, the so-called Cabir
virus is the first verified example. The virus was created by a group from the Czech
Republic and Slovakia called 29a on 16 June 2004; the group sent it to a number of
security software companies, including Symantec in the United States and Kaspersky Lab
in Russia. Cabir is considered a "proof of concept" virus, because it proves that a
virus can be written for mobile phones, something that was once doubted.

Cabir was developed for mobile phones running the Symbian and Series 60 software, and
using Bluetooth. The virus searches within Bluetooth's range (about 30 meters) for
mobile phones running in discoverable mode and sends itself, disguised as a security
file, to any vulnerable devices. The virus only becomes active if the recipient accepts
the file and then installs it. Once installed, the virus displays the word "Caribe" on
the device's display. Each time an infected phone is turned on, the virus launches
itself and scans the area for other devices to send itself to. The scanning process is
likely to drain the phone's batteries. Cabir can be thought of as a hybrid virus/worm:
its mode of distribution qualifies it as a network worm, but it requires user
interaction like a traditional virus.
5.1.3 Threats
These worms do not pose any significant threat because:
• Bluetooth communication is not usually enabled by default (set to "undiscoverable")
• The range of transmission is rather short, which would seriously inhibit propagation
• The standard Bluetooth pairing mechanism applies (so any non-paired devices need a PIN for
access)
• The Caribe.sis installation file is not signed, so the dialog box appears when the worm is sent
Since the invention of Cabir, new versions of this worm called Cabir.H
and Cabir.I have facilitated easier and quicker spread of this worm. Like the original
Cabir worm, dubbed Cabir-A, the new Cabir variants spread between mobile phones using
a specially formatted Symbian operating system distribution (or SIS) file disguised as a
security management utility.

When the infected Cabir.H or Cabir.I file is launched, the mobile phone's screen
displays the word "Velasco" and the worm modifies the Symbian operating system so that
Cabir is started each time the phone is turned on.
Infected mobile phones scan for vulnerable phones using the phone's Bluetooth wireless
connection, and then send a file, velasco.sis, that contains the worm to those phones.
While the new Cabir variants do not destroy data on the phones they infect, they do block
legitimate Bluetooth wireless connections and rapidly consume the phone's battery.

5.1.4 Arrival and Installation


This proof-of-concept worm spreads through Bluetooth-enabled devices.
When it arrives, a series of messages appear. These messages warn the user of the
possible malicious nature of the file before it is finally installed. Once installed and
active, it can be viewed from the list of applications. If the user cancels the installation, it
enters the device's inbox.

It arrives as a .SIS file and installs itself in the APPS folder.


(Note: The EPOC operating system uses files with a SIS extension to allow easy
installation of applications.)
It then creates the following files:
• %Systemdrive%:\system\apps\caribe\caribe.app
• %Systemdrive%:\system\apps\caribe\flo.mdl
• %Systemdrive%:\system\apps\caribe\caribe.rsc

It also creates the following files upon installation:


C:\System\Symbiansecuredata\Caribesecuritymanager\Caribe.App
C:\System\Symbiansecuredata\Caribesecuritymanager\Caribe.Rsc
C:\System\Recogs\Flo.Mdl
C:\System\Symbiansecuredata\Caribesecuritymanager\Caribe.Sis

5.1.5 Symptoms
Periodic Bluetooth activity (every 15-20 seconds) originates from an infected
mobile device. There is no malicious payload. The worm, however, seriously reduces
battery life. It also monopolizes the phone's Bluetooth subsystem, denying access to
legitimate transfers involving the infected device.
When the worm activates it copies these files into a hidden directory,
system\symbiansecuredata\caribesecuritymanager\. Two more files appear on the system:
• system\install\caribe.sis (sis installer metafile, 572 bytes)
• system\recogs\flo.mdl (boot hook)
The worm runs immediately after installation.

5.2 Duts1520
5.2.1 Alias: WinCE/Duts.1520, WinCE.Dust, Dtus
5.2.2 Size: 1520 bytes
5.2.3 Duts
Duts is a parasitic file infector virus. It is the first known virus for the
PocketPC platform. It is a proof-of-concept virus and will never become a problem in
the real world.
Duts is a traditional parasitic virus. It infects other programs in the
PocketPC PDA, and spreads from one PDA to another when people exchange programs.
Duts is hand written in assembly.
When an infected file is executed, the virus asks for permission to infect.
When granted the permission, Duts attempts to infect all EXE files in the current
directory. Duts only infects files that are bigger than 4096 bytes. As an infection marker
the virus writes the string 'atar' to the Windows Version field of the EXE header. The
infection routine is fairly simple. The virus body is appended to the file and the last
section is made readable and executable. The entry point of the file is set to the beginning
of the virus code.
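A static check for the three traits just described, as an added example (not code from this report or from any antivirus vendor). It assumes the "Windows Version field" is the PE32 optional header's Win32VersionValue at offset 52; duts_indicators and build_sample are hypothetical names, and the sample header is constructed.

```python
import struct

MARKER = b"atar"                 # infection marker quoted in the report
RX = 0x20000000 | 0x40000000     # IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ

def duts_indicators(data: bytes) -> dict:
    """Static traits the report attributes to a Duts-infected EXE (PE32 only)."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("not an MZ executable")
        pe, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            raise ValueError("no PE signature")
        nsect, = struct.unpack_from("<H", data, pe + 6)
        opt_size, = struct.unpack_from("<H", data, pe + 20)
        opt = pe + 24                                        # optional header start
        magic, = struct.unpack_from("<H", data, opt)
        if magic != 0x10B or nsect == 0:
            raise ValueError("not a PE32 image with sections")
        entry, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
        last = opt + opt_size + 40 * (nsect - 1)             # last section header
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, last + 8)
        flags, = struct.unpack_from("<I", data, last + 36)
    except struct.error as exc:
        raise ValueError("truncated header") from exc
    found = {
        # Assumption: the "Windows Version field" is Win32VersionValue,
        # stored at offset 52 of the PE32 optional header.
        "marker": data[opt + 52:opt + 56] == MARKER,
        "entry_in_last_section": vaddr <= entry < vaddr + max(vsize, rawsize),
        "last_section_rx": (flags & RX) == RX,
    }
    found["suspect"] = all(found.values())
    return found

def build_sample(infected: bool) -> bytes:
    """Constructed two-section PE32 header for the demo; not a real program."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x1C0, 2, 0, 0, 0, 224, 0x102)   # ARM, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, 0x3000 if infected else 0x1000)
    if infected:
        opt[52:56] = MARKER
    def section(name, vaddr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr, 0x200, 0, 0, 0, 0, 0, flags)
    text = section(b".text", 0x1000, 0x60000020)
    tail = section(b".rsrc", 0x3000, 0xE0000040 if infected else 0x40000040)
    return dos + b"PE\0\0" + coff + bytes(opt) + text + tail

if __name__ == "__main__":
    print(duts_indicators(build_sample(True)))
```

A file is reported as suspect only when all three traits are present together, since an executable last section or a non-zero reserved field can each occur alone in unusual but clean files.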

5.2.4 Duts Message


Duts contains one message that is displayed. It is a reference to the
science-fiction book Permutation City by Greg Egan, from which the virus got its intended
name:
“This code arose from the dust of Permutation City”
5.3 Bloomsday
This is the first ever computer virus that can infect mobile phones and it has
the potential to render many phones virtually useless. Bloomsday has been developed by
an international group specializing in creating literary viruses that try to "show illiterate
technophiles the power of the written word."
Bloomsday infects the Symbian operating system.
If the virus succeeds in penetrating the phone, it replaces the phone's address book and
stored files with the entire densely symbolic novel.

5.4 Timofonica
This is the first ever virus to hit wireless phone users. VBS/Timofonica
worm is delivered via an e-mail chain letter. The virus-carrying message originates on
desktop systems, and then spreads annoying messages to the phones. VBS/Timofonica
uses Microsoft Outlook to send messages to an e-mail-to-GSM gateway in Spain, which
then sends the messages randomly to the phones. The outgoing message from Outlook
has the word "TIMOFONICA" in the subject line and has as an attachment a file named
timofonica.txt.vbs. The text of the message is in Spanish and is critical of the Spanish
telecom operator Telefonica, urging users to open the attachment for more information.
5.5 Lasco
This malware affects mobile phones that use the Symbian operating system
with the Series 60 Platform user interface. It usually arrives as an installation file named
VELASCO.SIS and can be downloaded from a Web page or received via Bluetooth. An
infected mobile phone continuously searches for other Bluetooth-enabled devices and
attempts to send a message with the file VELASCO.SIS.
When it arrives, a series of messages appear. These messages warn the user of
the possible malicious nature of the file before it is finally installed. Upon installation,
this worm drops several files and folders in the C: folder of the mobile
phone. These files and folders are specially crafted, such that they execute in lieu of the
original system files and third-party applications used by the mobile phone located in the
ROM of the phone.
It also creates a copy of MARCOS.MDL in %System drive%\system\RECOGS\.
This file is responsible for starting the VELASCO.APP application when the mobile
phone is turned on.
Once installed and active, it can be viewed from the list of applications.
It drops the following application and information data:
• %System drive%\system\apps\velasco\marcos.mdl
• %System drive%\system\apps\velasco\velasco.app
• %System drive%\system\apps\velasco\velasco.rsc
(Note: %System drive% is the default system drive, which is usually drive C.)

It also drops the following copies of its .SIS installer file:


• C:\system\SYMBIANSECUREDATA\VELASCO\velasco.app
• C:\system\SYMBIANSECUREDATA\VELASCO\velasco.rsc
• C:\system\SYMBIANSECUREDATA\VELASCO\velasco.sis
5.6 Skulls
This Trojan may affect mobile devices running the Symbian operating system
with the Series 60 Platform user interface. However, it particularly targets Nokia 7610
models as it is disguised as a theme manager for the said phone model.
It disables the applications of infected phones and changes the icon of each
application into a skull image. It usually arrives as an installation package with the file
name extendedtheme.sis.
Once the file extendedtheme.sis is installed, it extracts several .APP and .AIF
files on the drive C of the phone, which causes most of the phone applications/features to
malfunction. These .APP files are application files containing file names of legitimate
phone applications usually located in the ROM drive. The .AIF files contain icons with
the familiar skull and crossbones image.
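The file locations listed above for Cabir and Lasco, and the replacement of ROM applications described for Lasco and Skulls, can be checked against a file listing taken from a handset. The following is an added example, not part of the original report: triage, split_path and the sample listing are constructed for illustration, and it relies on Symbian mounting its ROM as drive Z:.

```python
from collections import defaultdict

# Paths the report lists per family (lower-cased, drive letter removed).
KNOWN = {
    "Cabir": r"""
        system\apps\caribe\caribe.app
        system\apps\caribe\flo.mdl
        system\apps\caribe\caribe.rsc
        system\symbiansecuredata\caribesecuritymanager\caribe.app
        system\symbiansecuredata\caribesecuritymanager\caribe.rsc
        system\symbiansecuredata\caribesecuritymanager\caribe.sis
        system\recogs\flo.mdl
        system\install\caribe.sis""".split(),
    "Lasco": r"""
        system\apps\velasco\marcos.mdl
        system\apps\velasco\velasco.app
        system\apps\velasco\velasco.rsc
        system\symbiansecuredata\velasco\velasco.app
        system\symbiansecuredata\velasco\velasco.rsc
        system\symbiansecuredata\velasco\velasco.sis
        system\recogs\marcos.mdl""".split(),
}
ROM = "z"   # Symbian mounts the read-only ROM image as drive Z:

def split_path(path):
    """Return (drive letter, lower-cased path without the drive)."""
    drive, _, rest = path.strip().replace("/", "\\").lower().partition(":")
    return drive, rest.lstrip("\\")

def triage(listing):
    """Sort a handset file listing into the findings described in the text."""
    entries = [(p.strip(), *split_path(p)) for p in listing if p.strip()]
    rom_files = {rel for _, drive, rel in entries if drive == ROM}
    report = defaultdict(list)
    for original, drive, rel in entries:
        if drive == ROM:
            continue                                  # an installer cannot write to ROM
        for family, paths in KNOWN.items():
            if rel in paths:
                report[family].append(original)       # path named in the report
        if rel.startswith("system\\recogs\\") and rel.endswith(".mdl"):
            report["boot_hook"].append(original)      # started when the phone is turned on
        if rel in rom_files:
            report["rom_shadow"].append(original)     # same path as a ROM file
    return dict(report)

# Constructed listing for the demo (not taken from a real device).
SAMPLE = [
    r"Z:\System\Apps\Phonebook\Phonebook.app",
    r"C:\System\Apps\Phonebook\Phonebook.app",
    r"C:\System\Apps\caribe\caribe.app",
    r"C:\System\Recogs\Flo.Mdl",
    r"E:\system\recogs\marcos.mdl",
    r"C:\Nokia\Images\photo.jpg",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Entries under boot_hook and rom_shadow are items to review rather than proof of infection, because legitimate software can also install a recognizer or an updated copy of an application.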

5.7 Mosquitos Trojan
An illegally adapted or ‘cracked’ game called Mosquitos is available on the
internet. This cracked game in reality is a Trojan horse, which affects phones using Series
60 User Interface platform. The Mosquito Trojan is malicious because it fires off text
messages without the user's consent while the unlicensed game is being played.
• The only way a phone can be affected by this problem is by deliberate installation of
an illegal copy of the Mosquitos game by the user
• Installation of the game requires the user to ignore an explicit warning that the identity
of the application developer is unknown
• When the user starts the game, the following information is displayed on the screen,
making it clear to the user that the game is an illegal, pirated

5.8 Commwarrior
Commwarrior was found on 9 March 2005. A new virus capable of attacking cell
phones has emerged, and experts have warned that this type of virus could become more
prevalent over time. This virus is the first virus that is capable of spreading using simple
multimedia messages as well as Bluetooth. Past viruses that targeted mobile phones
spread through Bluetooth-enabled devices, so their potential to spread was not very high.
"It's the first case of this nature," Ero Carrera, an anti-virus researcher at F-Secure,
said in an interview. "It would be equivalent to e-mail in computers. If it were to
start going around, it actually has the potential of becoming really widespread." It could
affect cell phones that run on Symbian Series 60 operating software. It sends messages to
other mobile phone numbers and email addresses found in the user's contact list.

The virus tempts recipients to download attachments that have messages like
Happy Birthday. The biggest problem for someone with an infected phone is that they are
charged for the messages the virus sends and also their battery is drained quickly.

5.9 Phage
Aliases: PalmOS/Phage.963, Palm Virus, Palm.Phage.Dropper, Phage 1.0
Length: 1,325 bytes
This is the first virus designed for PalmOS and was discovered in
September 2000. When an infected application is run, the screen is filled with a dark gray box
and then the program terminates. This virus will infect all third party applications on the
PDA device. This virus overwrites the first section in the host .PRC file. In testing, when
a new program is copied to the Palm system via IR transfer, this program will execute
normally. If another application, which is already infected, is run, the newly transferred
file will then become infected.

5.10 Vapor

The Trojan PalmOS/Vapor.741 (alias Vapor 666) is a PalmOS virus. When
this Trojan is first run, all third party application icons will disappear as if deleted. The
files still exist; however, their icons are now missing from the available application icons.
5.11 Future possibilities
In the future, there could be viruses embedded in ringtones, picture messages,
multimedia messages, address book contacts and the list goes on. As the capabilities of
wireless devices increase and supersede those of desktop PCs, the scope of viruses
multiplies exponentially.

CHAPTER 6
INTENTIONS OF VIRUS WRITERS

What could be the intentions of possible hackers of mobile phones? Well, they
might use them for financial gains, for spying related activities, to choke a network on
behalf of a competitor, to steal your personal information or for sheer programming
pleasure. Mobile networks are not monitored for viruses like Internet servers are. This
makes mobiles easy prey for virus writers.
Because these phones are directly attached to billing or credit systems, they are
an appealing target for virus writers. This might bring unexpected consequences for
unsuspecting users. Just imagine your mobile being infected by a virus that allows a
hacker to make international calls at your cost. Calls may also be made to phone services
that charge for every call they receive.
Spam, which is already responsible for some 80% of email traffic on the Internet,
could be another reason for hackers to attack your phone, using your identity and address
list to spread their message. The worldwide mobile network has already become larger than
the Internet itself, which is tempting enough for hackers to intervene using technologies such
as email, SMS or MMS.
Increasing inter-connectivity among computers, handheld devices and mobile
phones is making way for large, intelligent, multi-faceted networks. In such a scenario, a
virus writer can find an entry-hole in one device or the other.

CHAPTER 7
DEPLOYING YOUR DEFENCE: ANTI-VIRUSES

7.1 Current Infrastructure


So, are we moving to days when we will need anti-virus software for
our mobile phones and other handhelds? "Yes" is the answer from companies like
Symantec (known for its Norton Anti-virus Suite), McAfee, Kaspersky Labs, F-Secure
etc. Any effective anti-virus strategy, though, has to involve four different components:
the device itself, the mobile network, the Internet and personal computers of users
connected with mobile users via email, SMS or instant messaging. Security companies
have sensed the market potential in this field.
McAfee (formerly Network Associates) is already selling its Virus Scan
Wireless product for handhelds based on the Palm, Epoc and WinCE operating systems
and has announced the joint development of a key technological element for a compact
anti-virus engine with Japanese mobile operator NTT DoCoMo. Swiss Internet service
provider Telephoenix, New Zealand based SimWorks and Helsinki (Finland) based firm
F-Secure are also working on mobile phone anti-virus technologies.
Many security experts believe that phone bugs will eventually become as
big a nuisance as Windows viruses. Richard Hales, UK manager for F-Secure, said that
although many mobile operators had software in their networks to stop viruses
propagating, more protection was needed to stop the bugs jumping from phone to phone.
Anti-virus software for phones was also important, he said, because the
software in phones, unlike PCs, is hard to update. On a PC a loophole can be closed by
installing a patch to the operating system. This is far harder on a handset. Handsets were
increasingly becoming stores of personal data that people are loath to lose, said Mr.
Hales. Protecting this important data was going to become key as the number of mobile
viruses climbs.
Some security firms already produce programs that help to protect handsets.
For instance, in March this year security giant Symantec released a free download of anti-
virus software for Nokia phones running the Symbian operating system. However, F-
Secure is thought to be the first to sell such a program to the mass market. The software is
designed for Nokia's Symbian-using Smartphones.
Once installed the software keeps an eye on what is done with the phone and scans
downloaded files and extras such as memory cards to ensure viruses do not sneak
through.

Nokia has entered a pact with Symantec to help secure its mobile phones from
viruses that target certain kinds of handsets. Under the agreement, Nokia plans to arm its
Series 60 smart phones with the Symantec Mobile Security antivirus program. The
software is designed to ward off attacks that could compromise the extensive data, such
as contact databases, that people store on their smart phones.
Thus the current infrastructure does not provide full-tier protection, leaving the
devices with open vectors of delivery.

7.2 Problems in Making Antivirus


The inherent difficulty with creating anti-virus solutions for personal digital
assistants and others is resource limitations. Obviously, the current megabyte signature
files cannot simply be placed on a digital assistant with limited storage space.

7.3 How to protect your phone?
So far, the only known viruses spread from one device to another via
Bluetooth. You can protect your phone against this through some basic Bluetooth security
settings:

• protect Bluetooth connection with a password
• activate invisible / hidden Bluetooth mode
• allow Bluetooth connection only with devices accepted by the user
• do not allow automatic acceptance of unknown devices
The most efficient kind of further protection is simple caution and
vigilance, since all viruses so far require the user's consent - you have to install them on
your own.
Therefore it is very important…
• not to install or run files from unknown sources (even though it might seem like
you know the file - the source is always very important, e.g. where you got the file
from)
You should think about installing an antivirus program for your
mobile device. Various versions are available for different operating systems and
individual mobile phones. To make sure that your antivirus program operates properly,
you need to update the virus database (or virus library) regularly, so the antivirus program
can identify any virus efficiently and block, or delete, it in time.

CHAPTER 8
PRECAUTION BETTER THAN CURE

With only a handful of examples of malicious code yet discovered, and few
reports of infections outside of the antivirus lab, the threat of infection from mobile phone
viruses is still very low compared with traditional computer viruses. However, we cannot
afford to turn a blind eye to these threats and must start research in this area immediately.

Conclusion
Viruses inevitably infect every platform. This natural law mandates that it
is only a matter of time before all mobile platforms are vulnerable. In fact, PDAs and
handsets have already been victimized by viral software infection. In addition, future
infections are likely to be far worse. Because of the nature of wireless networks, airborne
viruses of the future might spread with overwhelming speed.
Securing the wireless world from viruses is a multi-layered effort.
Corporations must secure their networks with solutions that include provisions for
catching wireless threats as they pass through the Internet gateway, email servers, and
desktops. Service providers and others should plan now to implement antivirus solutions
to secure the traffic they manage for their customers.

GLOSSARY

A
Application based threats
Applications of Bluetooth in Mobiles
Aliases
Anti-Viruses

B
Boot Sector Viruses
Bluetooth
Bloomsday

C
Content Based Threats
CDMA
Cabir, Cabir.h, Cabir.a, Cabir.rsc, Cabir.sis, Caribe
Commwarrior

D
Duts 1520, Duts, Dtus
Duts Message
Dropper

E
EPOC, EPOC32
Elk Cloner
E-mail Viruses
Ericsson

F
File Viruses
Flo.mdl
F-Secure

G
GSM
GPRS
Greg Egan

I
Infrared
Installation

K
Kaspersky Lab

L
Lasco

M
Mixed Threats
Multipartite Viruses
Mobile
Mosquitos Trojan
McAfee

N
Network Viruses
Nokia

O
OS

P
Palm OS
Parasitic Viruses
Phage

S
Symbian OS
Symantec
Skulls

T
Trojan horse
Timofonica

V
Viruses
Vapor
Velasco

W
Worms
Wireless
