Mobile Viruses
ON
“MOBILE VIRUSES”
Submitted by
Guided by
Prof.Mrs.R.V.Pawar
VIT, Pune
2006-2007
CERTIFICATE
“MOBILE VIRUSES”
H.O.D Guide
2006-2007
ACKNOWLEDGEMENT
towards those whose help, guidance and criticism led my seminar to utter
success.
As the title suggests, this seminar deals mainly with the viruses that have affected mobile
phones so far. The seminar gives an introduction to:
1) Cabir
2) Phage
3) Skulls
4) Mosquitos etc.
It also mentions the cell phones that are prone to these viruses, and the companies
that have already started creating antivirus software to counter them.
The seminar aims at creating awareness among the huge number of users, so that they are
cautious while using mobiles and use anti-virus software on them. It also points to the
need for more effective and efficient anti-viruses.
CONTENT
1 Introduction
2.3.2 Worms
5.1.2 Cabir
5.1.3 Threats
5.1.5 Symptoms
5.2 Duts1520
5.2.1 Aliases
5.2.2 Size
5.2.3 Duts
5.3 Bloomsday
5.4 Timofonica
5.5 Lasco
5.6 Skulls
5.8 Commwarrior
5.9 Phage
5.10 Vapor
9 Bibliography
10 Glossary
LISTS
Abbreviations:
PDA Personal Digital Assistant
ROM Read Only Memory
RAM Random Access Memory
OS Operating System
CPU Central Processing Unit
PE Portable Executable
CF Compact Flash
API Application Program Interface
PCS Personal Communication System
MTSO Mobile Telecommunications Switching Office
GPS Global Positioning System
CDMA Code Division Multiple Access
GSM Global System for Mobile Communication
GPRS General Packet Radio Service
MMS Multimedia Messaging Service
SMS Short Messaging Service
IR Infrared Service
MSC Mobile Switching Service
CHAPTERS
1) Introduction
3) Mobile Technology
4) Symbian OS
9) Bibliography
10) Glossary
CHAPTER 1
INTRODUCTION
Until a few months ago, we were using mobile phones with closed operating
systems offering a small number of passive, pre-built functions. They were
limited-ability devices, like our television sets, and did just what they were programmed for.
They lacked an environment to support executables, and therefore kept out
viruses as well as third-party functionality-enhancement programs. Things have changed
now. Java and .NET enabled handsets running on smart, powerful operating systems such
as Windows Mobile and Symbian are getting popular among feature-savvy users.
The Windows environment is traditionally known for attracting virus writers,
and the latest programming languages from Microsoft and Sun Microsystems have made it
possible for users to run outside executables on their phones, to enhance their features.
Nokia, whose handsets were targeted by Cabir, the proof-of-concept virus, is among
the early adopters of Java technology. Motorola has also demonstrated mobile phones
fully enabled with the Java programming language. Not to be left behind, Microsoft has also
started shipping its Smartphones, offering a convenient Windows-like environment on
mobile devices that allows users to surf the Internet, use email and instant messaging as
well as listen to music. The IT giant has also partnered with HP to create the HP iPAQ
h6315, the first Windows Mobile-based Pocket PC Phone Edition device with integrated
WiFi capabilities.
Surely, these are great gadgets that will revolutionize our mobile devices from
being mere communication tools to super-charged, multi-utility, intelligent little
workhorses having awesome computing power. But they have opened a world of
possibilities for the destructive-minded, as proved by the hacking group 29A when it created
the proof-of-concept WindowsCE.Duts virus. Ellen O’Gormon at Microsoft Mobile Security
believes that even though the threat of viruses is real, they will be able to tackle it. He
says, “Windows Mobile-based devices offer, through a combination of built-in
functionality and third-party software and peripherals, security options similar to laptop
PCs that include support for strong passwords, authentication and encryption. In addition,
Windows Mobile-based devices also can take advantage of security technology inherent
in other Microsoft products.”
Although this has many long-lasting benefits, the dark side has now surfaced.
Many of these handheld devices are potentially susceptible to some form of malicious
code that could render them non-functional. This claim is supported by the following
seminar, which looks into the history of viruses and their effects on cell phones.
Although malicious code has yet to cause serious damage or incur substantial
costs in the wireless arena, such code, seen in the lab and in some real cases,
has indicated that it has the potential for serious disruption to the
wireless infrastructure.
The early handheld viruses spread slowly, since most PDAs were not wireless-
enabled. However, with the growing prevalence of handheld wireless functionality, the
threat grows as well. In fact, the modern Windows Mobile device has most of the
ingredients for viral spread, such as a processor, RAM, writable memory, Pocket
Microsoft Word, and even a Pocket Outlook mail client. Worse, unlike their desktop
counterparts, security measures such as firewalls and virus scanners for handhelds are not
widely used. Combine all this with an unsecured wireless link, and the potential for viral
spread multiplies. The future may be even worse. With distributed programming
platforms such as .NET, combined with Microsoft's Windows Mobile platforms, such as
Pocket PC and Smart phone, the potential for viruses is even greater.
1.1.2 EPOC32/Symbian OS:
EPOC runs on a 32-bit CPU. Applications are generally developed
under Windows initially in PE (portable executable) format using the EPOC emulator,
recompiled for the ARM architecture and then transferred to the EPOC device. For
storage, Psion devices comprise ROM, RAM and optional CF (Compact Flash) cards.
The ROM contains the operating system as well as all the built-in applications and
middleware. Files located on the Psion ROM are executed in place. The RAM contains
the additional applications stored by the user, active programs, and the active copy of the
system kernel. Hardware resources such as the system RAM are isolated from
applications via a privilege boundary. Running under privileged mode, the kernel controls
all of the device’s hardware resources. All other user-mode applications that need access
to hardware resources must access them via the kernel.
Four of the six basic virus types so far have been written for the
Symbian operating system and two for Microsoft-powered devices. There are about 20
million phones with the Symbian system in operation now, versus the total 1.7 billion
mobile phone users last year.
Symbian was more targeted than others because it was emerging as a leader
in operating systems for advanced phones able to surf the Internet and make wireless
connections with other phones via Bluetooth. Virus writers always target the biggest
system.
2.2.1 File Viruses (Parasitic Viruses)
File viruses are pieces of code that attach themselves to executable
files, driver files or compressed files and are activated when the host program is run.
After activation, the virus may spread by attaching itself to other programs in the
system, and also carry out the malevolent activity it was programmed for. Most file
viruses spread by loading themselves into system memory and looking for any other
programs located on the drive. If the virus finds one, it modifies the program so that it
contains and activates the virus the next time it runs. It keeps doing this repeatedly.
Besides spreading themselves, these viruses also carry some type
of ‘trigger’. The trigger could be a specific date, or the number of times the virus has
been replicated, or anything equally trivial.
The GSM network can be divided into three broad parts. The
subscriber carries the Mobile Station. The Base Station Subsystem controls the radio link
with the Mobile Station. The Network Subsystem, the main part of which is the Mobile
services Switching Center (MSC), performs the switching of calls between the mobile
users, and between mobile and fixed network users. The MSC also handles the mobility
management operations. Not shown is the Operations and Maintenance Center, which
oversees the proper operation and setup of the network.
The use of devices that convey data via infrared radiation; employed in certain
limited-range communications and control systems. But nowadays infrared is not used
much because of its line of sight requirement and slow speed.
CHAPTER 4
SYMBIAN OPERATING SYSTEM
The Symbian OS led the global smart phone market with a 62.8 percent share
at the end of the second quarter, followed by Microsoft at 15.9 percent and Palm
Source with 9.5 percent, according to industry researcher Canalys.com.
4.4 Symbian OS v9.0
Symbian OS v9 is helping lower Symbian OS licensee development
costs and accelerate time to market for smaller, less expensive and even more capable
Symbian OS smart phones. As a robust, secure, open and standards-based platform,
Symbian OS v9 will support network operators' cost-effective deployment of revenue-
generating services, content and applications.
CHAPTER 5
MOBILE VIRUSES: A GROWING THREAT
When the infected Cabir.H or Cabir.I file is launched, the mobile phone's screen
displays the word "Velasco" and the worm modifies the Symbian operating system so that
Cabir is started each time the phone is turned on.
Infected mobile phones scan for vulnerable phones using the phone's Bluetooth wireless
connection, and then send a file, velasco.sis, that contains the worm to those phones.
While the new Cabir variants do not destroy data on the phones they infect, they do block
legitimate Bluetooth wireless connections and rapidly consume the phone's battery.
5.1.5 Symptoms
Periodic Bluetooth activity (every 15-20 seconds) originates from an infected
mobile device. There is no malicious payload. The worm, however, seriously reduces
battery life. It also monopolizes the phone's Bluetooth subsystem, denying access to
legitimate transfers involving the infected device.
When the worm activates it copies these files into a hidden directory,
system\symbiansecuredata\caribesecuritymanager\. Two more files appear on the system:
system\install\caribe.sis (sis installer metafile, 572 bytes)
system\recogs\flo.mdl (boot hook)
The worm runs immediately after installation.
5.2 Duts1520
5.2.1 Alias: WinCE/Duts.1520, WinCE.Dust, Dtus
5.2.2 Size: 1520 bytes
5.2.3 Duts
Duts is a parasitic file infector virus. It is the first known virus for the
PocketPC platform. It is a proof-of-concept virus and will never become a problem in
the real world.
Duts is a traditional parasitic virus. It infects other programs in the
PocketPC PDA, and spreads from one PDA to another when people exchange programs.
Duts is hand written in assembly.
When an infected file is executed, the virus asks for permission to infect.
When granted the permission, Duts attempts to infect all EXE files in the current
directory. Duts only infects files that are bigger than 4096 bytes. As an infection marker
the virus writes the string 'atar' to the Windows Version field of the EXE header. The
infection routine is fairly simple. The virus body is appended to the file and the last
section is made readable and executable. The entry point of the file is set to the beginning
of the virus code.
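A header check for the three changes described above, as an added example that is not part of the original report or of any vendor's scanner. It assumes a 32-bit PE image and that the "Windows Version field" is the optional header's Win32VersionValue; `duts_indicators`, `looks_infected` and `build_sample` are hypothetical names, and the sample headers are constructed.

```python
import struct

MARKER = b"atar"                                  # infection marker named in the text
MEM_EXECUTE, MEM_READ = 0x20000000, 0x40000000    # PE section characteristic flags

def duts_indicators(data: bytes) -> dict:
    """Report the three header changes the text attributes to Duts."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, = struct.unpack_from("<H", data, pe + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20) # SizeOfOptionalHeader
    opt = pe + 24                                       # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B or nsec == 0:
        raise ValueError("not a PE32 image with sections")
    entry, = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint
    # Assumption: the text's "Windows Version field" is Win32VersionValue.
    version_field = data[opt + 52:opt + 56]
    last = opt + opt_size + 40 * (nsec - 1)             # last section header
    vsize, vaddr, rsize = struct.unpack_from("<III", data, last + 8)
    flags, = struct.unpack_from("<I", data, last + 36)  # Characteristics
    want = MEM_EXECUTE | MEM_READ
    return {
        "marker": version_field == MARKER,
        "entry_in_last_section": vaddr <= entry < vaddr + max(vsize, rsize),
        "last_section_rx": flags & want == want,
    }

def looks_infected(data: bytes) -> bool:
    """True only when all three traits are present together."""
    return all(duts_indicators(data).values())

def build_sample(marker=b"\0" * 4, entry=0x1000, last_flags=MEM_READ) -> bytes:
    """Constructed two-section PE32 header (no code), for the demo only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x1C0, 2, 0, 0, 0, 96, 0x102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    opt[52:56] = marker
    def section(name, vaddr, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, vaddr, 0x1000,
                           0, 0, 0, 0, 0, flags)
    return (dos + coff + bytes(opt)
            + section(b".text", 0x1000, MEM_EXECUTE | MEM_READ)
            + section(b".rsrc", 0x2000, last_flags))

if __name__ == "__main__":
    clean = build_sample()
    marked = build_sample(b"atar", 0x2000, MEM_EXECUTE | MEM_READ)
    for name, blob in (("clean", clean), ("marked", marked)):
        print(name, duts_indicators(blob), looks_infected(blob))
```

The marker is the most specific of the three traits; an entry point inside an executable last section also occurs in some packed but legitimate programs, so it is weak evidence on its own.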
5.4 Timofonica
This is the first ever virus to hit wireless phone users. VBS/Timofonica
worm is delivered via an e-mail chain letter. The virus-carrying message originates on
desktop systems, and then spreads annoying messages to the phones. VBS/Timofonica
uses Microsoft Outlook to send messages to an e-mail-to-GSM gateway in Spain, which
then sends the messages randomly to the phones. The outgoing message from Outlook
has the word "TIMOFONICA" in the subject line and has as an attachment a file named
timofonica.txt.vbs. The text of the message is in Spanish and is critical of the Spanish
telecom operator Telefonica, urging users to open the attachment for more information.
5.5 Lasco
This malware affects mobile phones that use the Symbian operating system
with the Series 60 Platform user interface. It usually arrives as an installation file named
VELASCO.SIS and can be downloaded from a Web page or received via Bluetooth. An
infected mobile phone continuously searches for other Bluetooth-enabled devices and
attempts to send a message with the file VELASCO.SIS.
When it arrives, a series of messages appears. These messages warn the user of
the possible malicious nature of the file before it is finally installed. Upon installation,
this worm drops several files and folders in the C: folder of the mobile
phone. These files and folders are specially crafted, such that they execute in lieu of the
original system files and third-party applications used by the mobile phone located in the
ROM of the phone.
It also creates a copy of MARCOS.MDL in %System drive%\system\RECOGS\.
This file is responsible for starting the VELASCO.APP application when the mobile
phone is turned on.
Once installed and active, it can be viewed from the list of applications.
It drops the following application and information data:
• %System drive%\system\apps\velasco\marcos.mdl
• %System drive%\system\apps\velasco\velasco.app
• %System drive%\system\apps\velasco\velasco.rsc
(Note: %System drive% is the default system drive, which is usually drive C.)
5.7 Mosquitos Trojan
An illegally adapted or ‘cracked’ game called Mosquitos is available on the
internet. This cracked game in reality is a Trojan horse, which affects phones using Series
60 User Interface platform. The Mosquito Trojan is malicious because it fires off text
messages without the user's consent while the unlicensed game is being played.
• The only way a phone can be affected by this problem is by deliberate installation of
an illegal copy of the Mosquitos game by the user
• Installation of the game requires the user to ignore an explicit warning that the identity
of the application developer is unknown
• When the user starts the game, the following information is displayed on the screen,
making it clear to the user that the game is an illegal, pirated
5.8 Commwarrior
Commwarrior was found on 9 March 2005. A new virus capable of attacking cell
phones has emerged, and experts have warned that this type of virus could become more
prevalent over time. This virus is the first virus that is capable of spreading using simple
multimedia messages as well as Bluetooth. Past viruses that targeted mobile phones
spread through Bluetooth enabled devices, so their potential to spread was not very high.
"It's the first case of this nature," Ero Carrera, an anti-virus researcher at
F-Secure, said in an interview. "It would be equivalent to e-mail in computers. If it were to
start going around, it actually has the potential of becoming really widespread." It could
affect cell phones that run on Symbian Series 60 operating software. It sends messages to
other mobile phone numbers and email addresses found in the user's contact list.
The virus tempts recipients to download attachments that have messages like
Happy Birthday. The biggest problem for someone with an infected phone is that they are
charged for the messages the virus sends and also their battery is drained quickly.
5.9 Phage
Aliases: PalmOS/Phage.963, Palm Virus, Palm.Phage.Dropper, Phage 1.0
Length: 1,325 bytes
This is the first virus designed for PalmOS and was discovered in
September 2000. When an infected application is run, the screen is filled with a dark gray box
and then the program terminates. This virus will infect all third party applications on the
PDA device. This virus overwrites the first section in the host .PRC file. In testing, when
a new program is copied to the Palm system via IR transfer, this program will execute
normally. If another application, which is already infected, is run, the newly transferred
file will then become infected.
5.10 Vapor
CHAPTER 6
INTENTIONS OF VIRUS WRITERS
What could be the intentions of possible hackers of mobile phones? Well, they
might use them for financial gains, for spying related activities, to choke a network on
behalf of a competitor, to steal your personal information or for sheer programming
pleasure. Mobile networks are not monitored for viruses like Internet servers are. This
makes mobiles easy prey for virus writers.
These phones being directly attached with billing or credit systems make them
an appealing target for the virus writers. This might bring unexpected consequences for
unsuspecting users. Just imagine your mobile being infected by a virus that allows a
hacker to make international calls at your cost. Calls may also be made to phone services
that charge for every call they receive.
Spam, which is already responsible for some 80% of email traffic on the Internet,
could be another reason for hackers to attack your phone, using your identity and address
list to spread their message. The worldwide mobile network has already become larger than
the Internet itself, which is tempting enough for hackers to intervene using technologies such
as email, SMS or MMS.
Increasing inter-connectivity among computers, handheld devices and mobile
phones is making way for large, intelligent, multi-faceted networks. In such a scenario, a
virus writer can find an entry-hole in one device or the other.
CHAPTER 7
DEPLOYING YOUR DEFENCE: ANTI-VIRUSES
Nokia has entered a pact with Symantec to help secure its mobile phones from
viruses that target certain kinds of handsets. Under the agreement, Nokia plans to arm its
Series 60 smart phones with the Symantec Mobile Security antivirus program. The
software is designed to ward off attacks that could compromise the extensive data, such
as contact databases, that people store on their smart phones.
Thus current infrastructure does not provide full-tier protection leaving the
devices with open vectors of delivery.
7.3 How to protect your phone?
So far, the only known viruses spread from one device to another via
Bluetooth. You can protect your phone against this through some basic Bluetooth security
settings:
CHAPTER 8
PRECAUTION BETTER THAN CURE
With only a handful of examples of malicious code yet discovered, and few
reports of infections outside of the antivirus lab, the threat of infection from mobile phone
viruses is still very low compared with traditional computer viruses. However, we cannot
afford to turn a blind eye to these threats and must start research in this area immediately.
Conclusion
Viruses inevitably infect every platform. This natural law mandates that it
is only a matter of time before all mobile platforms are vulnerable. In fact, PDAs and
handsets have already been victimized by viral software infection. In addition, future
infections are likely to be far worse. Because of the nature of wireless networks, airborne
viruses of the future might spread with overwhelming speed.
Securing the wireless world from viruses is a multi-layered effort.
Corporations must secure their networks with solutions that include provisions for
catching wireless threats as they pass through the Internet gateway, email servers, and
desktops. Service providers and others should plan now to implement antivirus solutions
to secure the traffic they manage for their customers.