Slashdot Mirror


Worm Developed for Nokia Series-60 Phones

Tuxedo Jack writes "It had to happen. The first worm designed specifically for cellular phones has been developed, and Cabir appears to be a way of effectively killing Nokia Series-60 cellular phones via shortening the battery life due to scanning for nearby Bluetooth devices and propagating itself. This still relies on a user to open it, so hopefully that won't be many, and those that do must use a file manager to find and kill the worm. At least it isn't a dialer!"

16 of 260 comments

  1. Site is down... by Mz6 · · Score: 3, Informative
    Well... I couldn't get the Symantec site to come up.. Is anyone else having similar problems?

    After searching Google news and other sources I could not find a similar story anywhere besides this similar story posted on ZDnet Australia. The only problem is that it was dated back 10 February 2004. Not sure if it's the same story... or same worm but worth a read for those that cannot get out to Symantec.

    --
    Hmmm.
  2. K.I.S.S. - simplicity is key by ack154 · · Score: 5, Informative

    I'd just like to say that this is why it's still nice to have a phone with relatively limited features - well, that and it's a Motorola (T720). I don't have to worry about the Bluetooth stuff, and I don't even have web access activated on it.

    Also, according to the SARC article linked - this worm will attack any bluetooth device that it finds in its range - not just phones - SARC uses a printer as an example, but what about those nice bluetooth mice/keyboards and PDAs, etc?

    They have an image of the phone with the message displayed on it too.

    1. Re:K.I.S.S. - simplicity is key by boskone · · Score: 5, Informative

      umm, the t720 is a hugely complicated phone. It can browse the web, display pictures, play games. I would not classify it as "basic" even though newer phones do more.

      as an aside, does yours ever lock up so hard that you have to pop the battery out to reset it?

  3. Semantics by American+AC+in+Paris · · Score: 3, Informative
    If it cannot infect a system without the user's help, it isn't a worm. It's a virus.

    Sure, the difference isn't that big a deal, but to most people, there isn't any real difference between Linux and Unix...

    --

    Obliteracy: Words with explosions

    1. Re:Semantics by shird · · Score: 4, Informative

      No.. that would make it a trojan.

      The definition of a worm isn't to do with whether or not it needs a user to run it - it's just about whether it propagates via a network by itself rather than having users do the spreading.

      A virus hides itself in other executables and runs itself via proxy with the user not realising it. But it generally requires the user to do the distribution (generally without realising it).

      A trojan is simply a program which is malicious but pretends to be something else. If it happens to spread itself when run that doesn't make it a worm or a virus, but just a self spreading trojan. It would be closer to a trojan-slash-worm than a virus.

      --
      I.O.U One Sig.
    2. Re:Semantics by Tranzig · · Score: 5, Informative

      Actually the difference between viruses and worms is that worms are standalone programs while viruses need to infect other executables to be effective.

    3. Re:Semantics by American+AC+in+Paris · · Score: 3, Informative
      Urgh, this is what I get for posting before coffee. I had been relying on the /. blurb, since I couldn't reach Symantec (Akamai, perhaps?) Turns out the blurb wasn't entirely accurate, anyhow. From Symantec:

      The worm spreads as a .SIS file, which is automatically installed into the "APPS" directory when the receiver accepts the transmission. Upon execution, it will display a message then copy itself to a directory that is not visible by default. The worm runs from this directory whenever the phone is rebooted, so it continues to work even if the files are deleted from the APPS directory.

      ...so you're right--this is a classic trojan horse. As for the definition of 'worm', I prefer the Jargon File's version (if nothing else, it's most likely the oldest contextually-appropriate definition:)

      "[a worm is] A program that propagates itself over a network, reproducing itself as it goes."

      ...so according to TJF, it's not sufficient that it transmits itself--it must also reproduce itself, which implies that the worm must be an autonomous program.

      --

      Obliteracy: Words with explosions

  4. Re:Simple Fix by cjellibebi · · Score: 3, Informative

    Anyone interested in the practice of Toothing ends up leaving their Bluetooth on. For more info on Toothing, see also here (Search for "toothing" in the page that appears - there's even a link to the Toothing forums).

  5. Re:Just One More Reason by darkfire5252 · · Score: 2, Informative

    One more reason that cell phone manufacturers need to focus on the big three (battery life, signal strength, ease of use) instead of mindless feature-creep.

    As much as I wish that's what they would focus on, they will continue to focus on the holy grail of business: Profit.

    I used to sell cell phones, and signal strength didn't sell a single phone for me. As a salesman, I have absolutely no clue what phones receive better than the others. Sales reps aren't trained on reception; if they are lucky, a customer will let them know which ones they have had success with.

    In my experience, the biggest selling factors for phones were a color screen, whether or not it was a flip phone, size, and unique design. When T-Mobile released the phone that swivels around instead of flips down I didn't have a customer walk by without picking it up.

    If the customer is uninformed, they will continue to buy phones with buzzwords. Whether or not the sales reps are uninformed, they will continue to sell what makes them the most money. Conveniently enough, they usually know the most about that phone.

  6. what does it prove? by randomized · · Score: 5, Informative

    Really, this does not prove anything. It doesn't exploit any weakness in the system and is very easy to avoid.

    I am not sure how many of the people who have posted before actually OWN a Series 60 device, but let me assure you that it's not as simple as accepting somebody's bluetooth transfer.

    First of all, you must have bluetooth always on and your device available to all, which is a really bad idea considering that it eats your battery much faster. Battery life of the series 60 devices is pretty small as is. Having bluetooth on is a sure way to kill it further.

    Second, you will have to go through a few steps of actually INSTALLING an unsigned application. This is VERY intrusive.

    Third, this thing does not auto startup. So, when your device is drained of battery, it won't run by itself as far as I can see.

    All in all, very poor attempt to create a malware for Series 60. I am sure you can get much higher propagation by installing an autoexec worm inside of S60 warez releases.

    Another avenue to look into is a malformed MMS message that does a buffer overrun and allows execution of arbitrary code. Now this would be a real baddy because you will be infected as soon as you open a message.

    Nice try, but no cake.

    --
    -- shortcut - the longest distance between two points.
    1. Re:what does it prove? by De+Lemming · · Score: 2, Informative

      Good points, but...

      Third, this thing does not auto startup. So, when your device is drained of battery, it won't run by itself as far as I can see.

      From the report: "[...] then copy itself to a directory that is not visible by default. The worm runs from this directory whenever the phone is rebooted."

  7. DNS problems by truthsearch · · Score: 3, Informative

    It may be related to this morning's Akamai DNS problems. Many large sites aren't easily accessible at the moment.

  8. Blog Worm by darkain · · Score: 2, Informative

    we think we may have the very first blog worm this past weekend as well. after reports of a potential security exploit in LiveJournal, a small team went to work to create a "proof of concept" self-replicating javascript code designed specifically to post itself in a viewer's journal.

    More information can be found here

    a basic example of self-generating javascript code can be found here

  9. Re:Yes, but how long until there is a dialer? Or.. by Anonymous Coward · · Score: 1, Informative

    You want a phone just to make calls?

    Ok, but why does this mean you don't want bluetooth? Personally I love bluetooth headsets. In case you missed it, Bluetooth was designed with headsets as a priority.

  10. Proof of Concept == NOT in the wild by ericspinder · · Score: 3, Informative
    # Number of infections: 0 - 49
    # Number of sites: 0 - 2
    # Geographical distribution: Low
    # Threat containment: Easy
    # Removal: Moderate
    Yes, proof of concepts are usually converted to full blown viruses/worms/trojans pretty quickly, but I see a number of mitigating factors for this kind of attack:
    • Bluetooth has a 30 ft range.
    • By shortening battery life, users will be less likely to carry it to remote systems (a dead phone cannot transmit it).
    • Bluetooth connections must be accepted.
    • The file also must be accepted.
    It is very similar to a virus being spread by email attachments. Most likely the only fix for this would be a stronger warning on the phone when a file is being passed from a Bluetooth connection.
    --
    The grass is only greener, if you don't take care of your own lawn.
  11. Not only Nokia series 60 are affected... by capmilk · · Score: 4, Informative

    ...but also other Symbian OS phones like Sony Ericsson P800/P900 and Motorola a920/a925.