Thursday, December 29, 2005

Some time ago I published a two-part article (part one, two) on SecurityFocus on the subject of Bluetooth security. As part of the article I discussed worms that were appearing on mobile phones at that time. I am still active in researching Bluetooth security, but my current attention is more on Symbian OS related aspects than on the communication medium, such as Bluetooth. As part of my research I have been analysing various worms that appeared on mobile phones, and as part of that analysis I tried to capture some mobile viruses in the wild. Over a period of one month the following mobile malware files were sent to my Bluetooth-discoverable device:

0skhpg_o.sis, 1x2iz6bcy.sis, 44wp7kjbxp.sis, e9e7p7gr9v.sis, ohvrl0xy.sis, p39ej_em.sis, w_pp2ercgk.sis, xgjgxj7bu.sis, xix4w39.sis, y9wwx06.sis, yoejh0v0.sis.

This is 11 files in total, which I consider quite a big number. I observed that the perfect place to catch a mobile worm was to stand near the photo printing kiosks that print photos from mobile phones. The photos can be transferred via memory card, but they can also be sent via Bluetooth. The most worm-infested locations seem to be the photo kiosks at Plaza Semangi and Kelapa Gading mall. More than half of these worms were received within 10 m of these places, and in both cases it seems the infected mobile phones were owned by employees working there.

The most common worm was CommWarrior.B (7 files), followed by its earlier version CommWarrior.A (4 files). It is easy to tell the two apart: the old version of CommWarrior sends SIS files 30582 bytes in size, while the newer CommWarrior.B sends SIS files 27162 bytes in size. I have not noticed any other mobile worms around. Both CommWarrior.A and CommWarrior.B replicate over MMS and Bluetooth, but due to incompatibilities between MMS systems, it seems that Bluetooth is the most effective way of replication for these worms. This makes it very interesting, as the Bluetooth range of mobile phones is approximately 10 metres. Thus, to get your phone infected you need to be holding it within 10 metres of an infected mobile phone. That sounds pretty much like a human virus; it's just that instead of sneezing and coughing, mobile viruses prefer to use Bluetooth! The CommWarrior worm originated from Russia, so it is very interesting to see it appear in Indonesia. Based on that fact we could assume that if some new flu virus appears in Russia, we can expect it to arrive in Indonesia sooner or later. If poorly written mobile viruses can travel from Russia to Indonesia, a real human virus has an even greater chance of travelling that far.
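Since the two variants are told apart above by SIS file size alone, here is a small triage script for a batch of beamed .sis files. This is an added example written for this page, not code from the post or from any vendor: it checks that a file really is a legacy Symbian OS (v6.x to v8.x) SIS package by verifying the SIS type UID (0x10000419) and the UID checksum, records size and SHA-256, and flags the two sizes the post reports. The sample headers and their UIDs are constructed, and the checksum rule (CRC-16 CCITT over the odd and even bytes of the first three UIDs) is taken from Symbian's TCheckedUid, not from the post. Treat a size match as a hint only; the hash is what you compare against the vendor write-ups linked at the end of the post.

```python
"""Triage .sis files received over Bluetooth (added example, not from the post).

A file is a legacy Symbian OS (v6.x-v8.x) SIS package, the format CommWarrior
ships in, if its third UID is 0x10000419 and its fourth UID is the checksum of
the first three.  Symbian OS 9.x uses a different container (SISX) that starts
with 0x10201A7A.
"""
import hashlib
import struct

SIS_TYPE_UID = 0x10000419   # UID3 of every legacy SIS file
SISX_MAGIC = 0x10201A7A     # UID1 of a Symbian OS 9.x SISX file (not CommWarrior's format)

# Sizes the post's author observed for the SIS files the two variants beam out.
# A size hint is a weak indicator; compare the SHA-256 with the vendor write-ups.
SIZE_HINTS = {30582: "CommWarrior.A", 27162: "CommWarrior.B"}


def crc16_ccitt(data: bytes, crc: int = 0) -> int:
    """CRC-16, polynomial 0x1021, init 0, no reflection (aka CRC-16/XMODEM).
    This is what Symbian's Mem::Crc computes."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def uid_checksum(uid_triple: bytes) -> int:
    """UID4 as TCheckedUid::Check() derives it from the 12 bytes of UID1..UID3:
    CRC of the odd-offset bytes in the high half, CRC of the even-offset bytes
    in the low half (taken from the Symbian source, not from the post)."""
    if len(uid_triple) != 12:
        raise ValueError("expected the 12-byte UID1..UID3 block")
    return (crc16_ccitt(uid_triple[1::2]) << 16) | crc16_ccitt(uid_triple[0::2])


def triage_sis(name: str, data: bytes) -> dict:
    """Classify one received file; never opens or installs anything."""
    result = {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "format": "unknown",
        "uid_checksum_ok": False,
        "size_hint": SIZE_HINTS.get(len(data)),
    }
    if len(data) < 16:
        return result  # too short to carry a UID block
    uid1, _uid2, uid3, uid4 = struct.unpack("<4I", data[:16])  # Symbian is little-endian
    if uid1 == SISX_MAGIC:
        result["format"] = "sisx (Symbian OS 9.x)"
    elif uid3 == SIS_TYPE_UID:
        result["format"] = "legacy sis"
        result["uid_checksum_ok"] = uid_checksum(data[:12]) == uid4
    return result


def make_legacy_header(app_uid: int, uid2: int) -> bytes:
    """Build a well-formed 16-byte legacy SIS UID block (used for the constructed samples)."""
    triple = struct.pack("<3I", app_uid, uid2, SIS_TYPE_UID)
    return triple + struct.pack("<I", uid_checksum(triple))


# Constructed samples: hypothetical UIDs, zero-padded to the size the post
# reports for CommWarrior.B so that the size hint fires.  Not real worm bytes.
SAMPLE_OK = make_legacy_header(0x0E000001, 0x0E000002) + b"\0" * (27162 - 16)
# Same file with one byte of UID1 flipped: the stored UID4 no longer matches.
SAMPLE_TAMPERED = bytes([SAMPLE_OK[0] ^ 0xFF]) + SAMPLE_OK[1:]
SAMPLE_SISX = struct.pack("<I", SISX_MAGIC) + b"\0" * 12


def triage_many(files: dict) -> list:
    """Triage a {name: bytes} mapping, e.g. built from a folder of received files."""
    return [triage_sis(name, data) for name, data in sorted(files.items())]


if __name__ == "__main__":
    for r in triage_many({"a.sis": SAMPLE_OK, "b.sis": SAMPLE_TAMPERED, "c.sis": SAMPLE_SISX}):
        print(f"{r['name']}: {r['format']}, uid checksum ok={r['uid_checksum_ok']}, "
              f"size={r['size']} ({r['size_hint'] or 'no hint'}), sha256={r['sha256'][:16]}...")
```

The checksum check is what separates a genuine SIS package from a random file someone renamed to .sis; the size table is kept separate from the format check precisely because a repacked or padded variant would defeat it while the hash would not.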

I still remember a very funny situation related to that. When I went to a doctor after catching flu, I was sitting at the hospital waiting for my turn. It was quite late and pretty empty, and I noticed some guy sitting behind me playing soccer on his mobile phone. After a while a file was beamed to my hand phone via Bluetooth. After a quick check I found out that it was CommWarrior.B. So while sitting at a hospital you can catch not only flu or another virus, but also a mobile virus :-) I just hope the guy sitting behind me got flu from me in exchange :-)

One more aspect is interesting to notice. In order to infect a hand phone, the CommWarrior worms require, depending on the model, from 3 up to 5 confirmations from the mobile phone user. Thus the process of infection via Bluetooth most of the time looks like this:

  1. A file is beamed to a mobile phone from an infected mobile phone within Bluetooth range.
  2. The user is asked to accept the file transfer (YES / NO). This applies mostly to Nokia phones; on the majority of other phones, such as all Sony Ericsson models, the file transfer is accepted automatically.
  3. The user is asked to open the transferred file (YES / NO).
  4. The user is asked whether the application should be installed (YES / NO).
  5. Optional: the user is informed that the file lacks a vendor signature and asked whether to install anyway (YES / NO).
  6. The mobile becomes infected and starts to spread.

Note: During this process no activity is visible to the owner of the infected (sending) mobile phone, except for a change of the Bluetooth icon to transfer mode on some phones.

Einstein said: “Two things are infinite: the universe and human stupidity; and I'm not sure about the universe.” This quotation helps to imagine how knowledgeable the people who got their mobile phones infected with CommWarrior are. First, in order to get your mobile phone infected, you need to have Bluetooth enabled and in discoverable mode; a basic rule of mobile security says to disable Bluetooth or set it to non-discoverable (hidden) mode. Second, you need to accept the Bluetooth transfer of a strange-looking file; another basic rule says you should not accept any unexpected file transfers. Third, you need to click YES three or four times in order to install the worm, while seeing a number of warnings that it might not be a good idea to click YES. Thus, I really think there is clearly something wrong with these people. I think the answer could be that warning messages on hand phones are often displayed in English, so some users in Indonesia may not understand the warnings and simply click YES. Some have seen that on job interviews: people just answer YES to every question, like Q: “Where do you live?” A: “Yes!” :-)

Anyway, thanks to their ignorance their phone battery will drain 30-50% faster, they may receive high bills for the MMS messages sent by the worm, and their phone will be quite unstable and require frequent restarts. They can just feel lucky that the worm didn't do something else, such as send the message “I placed a bomb at the police station!” to every contact in the phone book :-)

At the end of this post I give you one piece of good news and one piece of bad news. The good news is that, as we can see, the mobile viruses are pretty primitive and require a number of confirmations from the user before being able to infect the phone. This dramatically reduces the infection rate: only the few poor people who like to click YES will get infected. Plus, the worms are also not very destructive. The bad news is that these are just some of the first mobile worms that appeared in the wild, and unfortunately more advanced and destructive worms may appear in the near future. The methods of infection may also become very sophisticated and may not require even a single confirmation from the user.

To get more information on CommWarrior and removal instructions, refer to the following sites:

F-Secure-CommWarriorA

F-Secure-CommWarriorB

Symantec-CommWarriorA

Symantec-CommWarriorB

If you are a sadomasochist and would like to infect your phone with a mobile virus, you can download the CommWarrior worm files from here: CommWarriorA, CommWarriorB. I bravely captured these in Jakarta. Download and use at your own risk!

1 comment:

Anonymous said...

Hahaha, it's so funny. I am at Plaza Semangi and read your article. Guess what, I just received some file 8051dsna.sis via Bluetooth :-) Thanks for the warning! - MK
