InformIT

Summer Brings Mosquito-Borne Malware (Part 1 of 3)

Date: Jul 23, 2004


This three-part series by Cyrus Peikari, Seth Fogie, Jonathan Read, and David Hettel discusses the menace of viruses for handheld devices. Part 1 catalogs mobile malware known to date.

Wireless and embedded viruses, along with other malware, have already appeared in the wild on handheld platforms. In this three-part series, we investigate "airborne" viruses and other wireless or embedded malware, including short message service (SMS) attacks and Trojan horses. Part 1 of this article catalogs mobile malware known to date. Part 2 dissects the most recently known finding in the wild—a Symbian worm that spreads via Bluetooth. In part 3, we conclude by introducing and analyzing a brand-new bug. To our knowledge, this is the first Trojan in the wild written specifically to infect cellular phones. Remember, you heard it here first.

Phage

Phage was the first PDA virus and was discovered on the PalmOS in September 2000. When the virus is executed, infected PDA files display a gray box that covers the screen, whereupon the application terminates. In addition, the virus infects all other applications on the device.

When a "carrier" device is synchronized with a clean PDA, the clean PDA receives the Phage virus in any infected file. This virus will in turn copy itself to all other applications on the clean device.

Liberty Crack

This virus acts as a Trojan horse because it comes in a disguise (although it doesn't open a back door). Liberty is a program that allows you to run Nintendo Game Boy games on the Palm OS. Liberty is shareware, but like all useful shareware it has a corresponding crack that converts it to the full registered version.

The authors of Liberty decided to pay back the pirates by releasing a "counter-crack" for Liberty that was actually a virus. The developers distributed it on IRC. Unfortunately for the pirate, when executed, the Liberty crack virus deletes all applications from the PDA.

This virus can spread both through the desktop and through wireless email. In fact, it may be the first known PDA virus to spread wirelessly in the wild.

Vapor

The Vapor virus does just what it sounds like it should: When infected with Vapor, all the files on the PDA "disappear." When the infected file is executed, all application icons vanish as if deleted. This is a trick, because the files still exist. The virus simply removes their icons from the display, similar to setting all file attributes to "hidden."

911 Virus

Older handsets were relatively immune to airborne viruses because they lacked functionality. However, Internet-enabled smartphones are easy hosts for infection and attack. For example, the 911 virus flooded Tokyo's emergency response phone system using an SMS message. The message, which hit more than 100,000 mobile phones, invited recipients to visit a web page. Unfortunately, when the users attempted to visit the web site, they activated a script that caused the phones to call 110, which is Tokyo's equivalent of the 911 emergency number in the United States. Thus, the virus could have indirectly resulted in deaths by denying emergency services.

SMS Attacks

A potential vulnerability of SMS is that it allows a handset to receive or submit a short message at any time, regardless of whether a voice or data call is in progress. If the handset is unavailable, the message is stored on the central server, which then retries the handset until it can deliver the message. In fact, there are desktop tools that script kiddies use for SMS denial-of-service bombing, such as Fruckie's SMS BoMBaH (see Figure 1). The principle behind this tool, when coupled with the power of a replicating virus, can potentially result in wide-scale denial-of-service attacks.

Figure 1 Fruckie's SMS BoMBaH.

Another example of such an SMS flooding virus occurred in Scandinavia. When a user received the short message, the virus locked out the handset buttons, effectively becoming a denial-of-service attack against the entire system.

Similarly, a Norwegian company found another example of malicious code. In this case, a Norway-based WAP service developer, Web2WAP, was testing its software on Nokia phones. During the testing, they found that a certain SMS was freezing phones that received it. The code knocked out the keypad for up to a minute after the SMS was received. This strategy is similar to format attacks that cause crashes or denial-of-service attacks against Internet servers.
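The store-and-forward delivery and the flooding risk described above, as an added example that is not from the article: a small Python model of an SMS center that queues messages for unreachable handsets and applies a sliding-window rate limit per sender and per recipient, so that a bombing run is dropped rather than queued and retried against the victim. The class names, the threshold of 20 messages per 60 seconds and the phone numbers are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

@dataclass
class FloodGuard:
    # Sliding-window rate limit, keyed per sender or per recipient
    window: float = 60.0        # seconds
    max_per_window: int = 20    # assumed threshold; tune per network
    _recent: dict = field(default_factory=lambda: defaultdict(deque))
    def allow(self, key: str, now: float) -> bool:
        q = self._recent[key]
        while q and now - q[0] > self.window:   # expire old timestamps
            q.popleft()
        if len(q) >= self.max_per_window:
            return False
        q.append(now)
        return True

class StoreAndForwardSmsc:
    # Deliver at once if the handset is reachable, otherwise store and retry later
    def __init__(self, guard: FloodGuard):
        self.guard = guard
        self.pending = defaultdict(deque)    # recipient -> stored (sender, text)
        self.delivered = defaultdict(list)
        self.dropped = 0
        self.online = set()
    def submit(self, sender: str, recipient: str, text: str, now: float) -> str:
        # Rate-limit both the submitting sender and the targeted handset
        if not (self.guard.allow("from:" + sender, now)
                and self.guard.allow("to:" + recipient, now)):
            self.dropped += 1
            return "dropped"
        if recipient in self.online:
            self.delivered[recipient].append((sender, text))
            return "delivered"
        self.pending[recipient].append((sender, text))   # held until handset is back
        return "stored"
    def handset_online(self, recipient: str) -> int:
        # Handset reconnects: flush its queue and report how many were forwarded
        self.online.add(recipient)
        queued = list(self.pending.pop(recipient, []))
        self.delivered[recipient].extend(queued)
        return len(queued)

def simulate_bomb(count: int = 50) -> dict:
    # Constructed scenario: one source floods a single offline handset
    smsc = StoreAndForwardSmsc(FloodGuard(window=60.0, max_per_window=20))
    tally = defaultdict(int)
    for i in range(count):
        tally[smsc.submit("bomber", "+15555550100", f"msg {i}", float(i))] += 1
    tally["forwarded_on_reconnect"] = smsc.handset_online("+15555550100")
    return dict(tally)
```

Without the guard, all 50 messages would sit in the queue and be retried against the handset as soon as it reappeared; with it, only the first 20 in the window are stored and the rest are discarded at the server.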

More To Come...

Stay tuned for part 2 of this article, which traces the course of a Symbian worm that spreads via Bluetooth. In part 3, we describe a brand-new bug: a Trojan that specifically infects cellular phones, which to our knowledge has never before been seen.
