Understanding the Cabir worm


By Matt Piercy, UK country manager, F-Secure

The Cabir code was written to infect mobile phones, and its existence should be no more surprising than finding ‘malware’ in a conventional PC-based network. Mobile phones and handheld devices are computers too, with operating systems and downloadable application software. They’re just as vulnerable as their desk-based cousins, and this point has been proved with Cabir, even though it is currently just a ‘proof of concept’ worm.

Cabir disguises itself as a Symbian utility called ‘Caribe Security Manager’ and is sent in Symbian’s .SIS file format. If the user accepts the file, Cabir activates. It causes the display to show ‘Caribe’ each time the handset is turned on, and triggers the infected phone to search for nearby Bluetooth-enabled devices to which it can pass itself along.

This closely mimics the ‘social engineering’ behaviour of conventional e-mail worms, which arrive as a file attachment and need the user to activate them before propagating. The rapid spread of malicious e-mail attachments demonstrates how willing users are to ‘accept’ unknown applications and unwittingly assist the spread of infection.

Cabir also shares the highly infectious nature of conventional worms. When F-Secure analyzed the sample of Cabir it received from the virus-authoring group 29A, tests of its infectious capabilities had to be done in the company’s shielded bomb shelter, to prevent the worm from connecting to other Bluetooth phones and spreading.

Despite the development of Cabir, it is unlikely that the mobile sector will see large-scale infections in the near term. Mobile phones are currently less vulnerable than PCs, a world in which the ubiquitous Windows operating system has provided a uniform target for many viruses.

Unlike with personal computers, it is not possible to penetrate the software of most smart phones without approval – but that’s not to say it’s never going to be possible. Smart phones have been designed as open, programmable, networked devices and are therefore vulnerable to attack. Future viruses could conceivably spread to every name in a user’s phonebook, wipe out information on a SIM card, cripple a phone, or perhaps even hijack talk-time.

Also, as devices become increasingly inter-operable and communicative, viruses could soon evolve to spread wirelessly across platforms – for instance, from PC to phone and back to PC again, multiplying the risk of an infection from any one source.

With more than 1 billion mobile phones in circulation worldwide, the sector is a big new target for would-be virus writers. While device manufacturers scramble to neutralize the new threat, consumer education clearly needs to step up quickly to this and other emerging menaces. How many Bluetooth phone owners, for instance, know how to switch their phone to ‘non-discoverable’ mode – a basic protection against the Cabir virus as well as data theft?

The emerging mobile virus threat calls for new measures from software vendors, service providers and users of mobile devices. In the same way Cabir mimics the actions of conventional malware, content security for mobiles needs to follow current best practice in conventional networking. On-device solutions such as the Symbian Series 60 version of F-Secure Mobile Anti-Virus detect the Cabir worm and are able to delete the worm components.

A mobile handset, like a PC, will need anti-virus software to monitor for viruses distributed and propagated via the device and a personal firewall to protect against internal and external attacks on the handset. What’s more, the mobile infrastructure itself will need gateway-level scanning to protect back-end networks that communicate against attacks and vulnerabilities.

Cabir’s arrival should signal a watershed for the mobile sector. The challenge is to secure the mobile internet before infections take hold.