Slashdot Mirror
First Symbian OS virus to replicate over MMS
Shachaf writes "A new virus, CommWarrior.a, is the first to replicate over MMS (Multimedia Message Service). From the article: 'Multimedia Message Service (MMS) is a more advanced version of the Short Message Service (SMS) familiar to users of GSM based handsets around the world, and allows rich content such as pictures, sounds, video, and applications to be sent as well as text.', and '"With MMS messages typically costing between $0.25 and $1.00 CommWarrior could prove expensive to anyone unlucky enough to be infected by it. As the virus runs silently in the background it could be quite some time before the user becomes aware of the potentially hundreds of MMS messages that have been sent," said Aaron Davidson, CEO of SimWorks.'"
At least it costs you money!
I hate Halo and GTA. Sue me.
The first virus... but lucky there is already anti virus software out there for your p910 :)
Cars getting infected, cell phones via bluetooth now this.
I'm willing to bet that wireless telco's created it to increase revenues... ;)
---
Programming is like sex... Make one mistake and support it the rest of your life.
It's a good thing I have no friends then.
All of my coworkers laugh at me for using such a simple phone with only basic features and services. Guess there are some benefits afterall.
You guys were so slow! I was about to do FP myself and mod myself out of existance.
I wonder if this falls under the protection of the service provider. It seems to me that they shouldn't be able to charge the user for a vulnerability on their part, but what companies should do and what they actually do are very different things.
Four roommates. No microwave. You do the math.
I used to have a symbian phone, I must say I like the OS. But this virus extorting money from people with symbian phones & giving it to the likes of vodafone is just evil. I bet the guy who wrote it works for & supports the operators. Probably some 21 year old conservative stuck up guy named Rupert who gets beat up a lot. Are there any virusses for M$ Dumbphone 2004 OS phones?
I'd like to know why those MMS and SMS are priced the way they are?
Why wont anyone allow a flat-rate service? I mean.. it's data, but Im sure the cost of building the cellular networks should be paid off by now (excluding 3G).. at least here in sweden. (dont know how it's worldwide)
Cell phone carriers should have some way of distinguishing from messages that are the result of virii/spam and not charge the affected cell customers for those activities. If they don't, I see hordes of cell phone customers suing carriers chanting "Can you hear us now???"
i mean, like, these dumb kids who spend
2$ for a simple 150x100 pr0n pic..
i want to get rich that way, too.
So, the question is...
Are the customers reponsible for all the charges incurred from this virus? Being that it probably uses a flaw in the phone's OS itself.. how is this going to work?
Nobody is going to want fancy new fangled smart-phones if they get infected with viruses and run up your phone bill monthly..
Excuse me, I don't mean to impose, but I am the ocean
...message, on an already well known-format, shouldn't it be possible for service providers to block the messages through the MMS MX handlers? And/or simply not bill the customer for the sum of messages sent with that format. Of course, isolate them from the network if possible (remove their permission to emit MMS messages at the MX) until the malware can be removed from their device. Just a thought. Doesn't really seem right to charge users for something like that, espicially the less savvy who might not know-any-better.
Informatus Technologicus
I keep misreading it as sybian every time I see it.
What a remarkable "coincidence".
I never put any credence into the ativirus companies writing viruses conspiracy theories but, that one's just too fishy.
-- Nothing unusual happened today
Too much tinfoil can cause interference with your cell-phone reception..
besides, it couldnt be the phone companies thats to direct. its obviously the anti-virus companies..
They're in it with the martians.
air and light and time and space
Anti-virus software is a sign of platform's maturity... a sort of an OS Bar Mitzvah. There are probably Nokia engineers working on new worms, tightly collaborating with their anti-virus engineers.
Here's an old school idea that doesn't get viruses and doesn't cost nearly as much.
Ha! When I was your age, "old school" meant using a rotary dial, pulse landline.
Get a Windows CE phone :)
It seems to me that since most people get their phones for free when they sign up for a plan, the cell phone companies should bear the cost of this virus. This cost will inevitably be passed on the the concumers. My point is that it should be the responsibility of the cell phone companies to keep their products and their networks free of viruses. Dwight Yokel BEEP BEEPING his neighbor in the next trailer over, should not be expected to pay and money or attention to this sort of concern or worry about extra charges on his bill because his cell phone company runs a flawed service.
So will this get MMS to work on my phone?
someone you didn't expect to get it from.
this needs manual installation by the 'victim'!
not very likely to spread too far either - a lot of people don't have even the mms settings in place.
world was created 5 seconds before this post as it is.
What was Paris's #, I need to send her a mms message.
....to the article mentioned in the /. blurb.
Not to toot my own horn, but I worked for a company last year, where we made an AntiVirus product for Symbian, which can handle SMS message viruses. website: http://www.fb-4.com
As other posters have mentioned this is a trojan, not a virus. It requires the user to actively choose "Yes I wish to install" and following that it requires them to choose "Yes, I know it's from an untrusted source but install it anyway".
This is hardly going to take over the world. What we should really be worrying about is the possibility of a real virus/worm - something that spreads without user interaction.
From TFA:
CommWarrior periodically sends MMS messages to randomly selected contacts, including a copy of itself and one of several predefined text messages designed to encourage the recipient to install the application.
Doesn't really seem this is Symbian's fault, CommWarrior just behaves like a malicious application. The user obviously has to install it and then run it to get 0wned.
Of course, some sort of sandbox environment like in Microedition Java would have been a better design, but I guess Symbian simply wasn't built with something like this in mind. I know Nokia is pushing a model where only certified developers will be allowed to write applications that access sensitive functionality (dialing numbers, sending messages, etc.), but this is not a great solution. It will drive the cost of applications way up, and shaft all the small app developers, because only the big guys will have their apps signed by Nokia.
When will people learn the more features something has the more holes it has in it. My cellphone can take calls and text, doesn't even display colour but if I have a car accident or I get injured it'll do the job just as well as any "3G super mega hyper magical edition" phone.
Maybe people need to learn that the home phone is better for calling friends and mobiles are mostly for emergencies and when someone needs to urgently contact you..
I like muppets.
Don't buy MMS capable cellphones. They're pricey to operate even if they're cheap ("give away razors, sell blades" sounds familiar?). Service fees from cellphone companies are 21st. century #1 ripoff, there's no reason to help them making more money.
"Ha! When I was your age, "old school" meant using a rotary dial, pulse landline"
/now git off my lawn!
whippersnapper! Back in my day we used smoke signals and drums. And thats how we liked it.
I just love vendors who shrug and say "This is gonna hurt you a lot more than it's gonna hurt me. Sucks to be you."
What's the name of this company, 'Lumburg'?
Luxury.
We had a telegraph, and it suited us just fine (spits).
Of course, every now and then a herd o' buffalo would knock down a pole, and we'd have to go ridin' out there to fix it in a blizzard. But, then, I guess you youngsters are used to havin' it easy.
(Eagerly awaits even-more-outlandish response)
Keep your friends close.
Keep your enemies in a little jar on your desk.
Per Symantec - SymbOS.Commwarrior.A is a worm that replicates on Series 60 phones. It attempts to spread using Multimedia Messaging Service (MMS) and Bluetooth as a randomly named .sis file.
--
So how many Lexus's are affected? (OK I dont like Lexus's so from now on multiple Lexus vehicles are referred to as LEXEN!)
News Reporters Make Tasty Polar Bear Treats!
This begs the question though, that in the same circumstances of having a MMS provider being responsible for their traffic, shouldn't ISP's be responsible for the traffic being issued over their lines too? But wait a moment, aren't they released of all liability due to their title as a 'common carrier'?
Before you start pointing the finger at the ISP's, you have to think deeper into the repercussions of moderation of their networks. More moderation simply means more people to control what is being passed through; this means more salaries to pay. It wont be like Slashdot where everybody volunteer's, but rather just like any other business where people are paid to do their work. These additional salaries will be paid for by your MMS messages which already cost a hefty amount.
Suddenly somebody is sending child porn over their cell phone. Will the MMS provider be responsible for this content now? I don't believe it is fair to put all of this weight on the shoulders of the ISP, primarily because it's the users of the service who will be hit the hardest in times of moderation.
I don't know about you, but I would rather have a 'free' internet where I can do what ever I want (within a legal boundary) instead of having a MMS provider or ISP monitor and decide what I can and cannot do.
Sometimes people simply have to take their own responsibility for being on these networks.
News like this makes me happy that I have a very simple phone with simple features. All a phone really needs is to be able to store numbers and make phone calls. That's it. Anything else that could in any way compromise security should not be included.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
... we can really measure the cost this virus wrecks - instead of those ungodly amounts that everyone and their grandmother panders about when a PC virus spread...
Perhaps I mis-RTFA or just don't understand MMS, but whenever my mobile is active it causes amplifier noise (talk or send/receive SMS). CDMA or GSM. Computer speakers, car stereo, whatever. Wouldn't a constant transmission be noticable?
Well at least with a pulse line, and with them fancy acoustic modems, we could connect to teh local BBS.
Try doing that with your telegraph.
Why isn't the cell phone's embedded code not written and executed in read-only memory? I understand there *may* be a need for volatile memory to read/write data to a stack/heap; however, why should data written to such memory *ever* be executed as code! I'd really like to know from someone who writes embedded systems for cell phones.
Why is it a big deal to get a virus on a symbian, I've seen what they use those for in the industry, and those girls can't be that clean...
(oblig syb-symb reference)
I mean, the RFCs for MIME came out, what twelve years ago? Injudicious MIME implementations have been vectoring trojans ever since.
So, you'd think they'd have taken a lesson from a decade of history and limited the power of multimedia attachments.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
I wouldn't want one of those with a virus!
...but the text in the MMS says: "Your cell phone clock may be wrong. Would you like to keep it accurate?"
T-Mobile offers unlimited data and SMS on their Sidekick plan. I'm pretty sure they offer unlimited SMS to encourage people to use it instead of email/IM, which take up more air time/bandwidth. As an added plus, the Sidekick stores SMS messages on your SIM, so they can't be retrieved should someone discover your password. ;)
Modern phone operating systems have security features built in where the application installer will only allow *signed* applications to be installed. A virus / trojan wouldn't get signed because it has to go through an acceptance program.
The first Microsoft smartphone product had this feature turned on - normal joe's couldn't install software that hadn't been signed (the signing process usually costs $$ although recent efforts have reduced the cost).
Symbian *has* the same functionality. In fact, most commercial symbian software should now be signed, see Symbian Signed Symbian also has the functionality to disallow users to install unsigned programs. It is just that this feature is turned off by default (at least on the phones that I have seen).
Theoretically, all an operator needs to due is send an OTA message to turn on signing verification. This is easily done on a windows mobile and presumable via WAP push on Symbian. We probably will see operators start to turn on signing requirements by default on symbian phones (hopefully with the capability for users to turn it off so they can install freeware if they so choose).
All too often, a virus costs somebody time. They are willing to accept it as just a lost of that. Instead, society needs to start accepting that all virus represent lost money. Once they do that, they will start looking for alternatives to where 99.999 % of the virus occur at.
I prefer the "u" in honour as it seems to be missing these days.
YOu were lucky why in my time, we didn't have those newfangled telegraph. We didn't have Smoke signals. We couldn't even yell. All that HAD been invented was a binary grunt language. arrg agh arrg arrg agh agh
If you have a internet connection for which you pay per used bandwidth and you get a virus, do you get refund? You get 0wned and someone uses you as a spam relay, you get black-listed. Should you get refunded?
No. You should make sure that you have up to date AV running and you have firewall installed and configured. Even if the terminal is more widely spreaded than the internet connections are, and to even more clueless users, it's up to users to make sure that their system is secured.
Yes, there are ISPs which disconnect infected clients from their network and will not forward virus infected emails, but some of them don't care.
Of course there will be companies to provide AV and FW applications. Of course they wont be free. But then again, who can blame them. If you want to get it for free do it your self, GPL it and make sure that everyone can enjoy it.
-- Reality checks don't bounce.
I know this would totally suck because the user would lose his contacts and all his information, but isn't it possible to do a hard reset on these devices which cause all the original software to be reloaded thus wiping out the vir(us/ii)?
I am d3matt
...with computers and operating systems yet. No OS vendor so far is accepting any liability for all the various viruses and trojans and whatnot that infest the internet and get on peoples machines running that OS. No ISP is accepting liability claims or paying out either as far as I know anyway. So there ya go. It's in the EULAs and various other contracts consumers "voluntarily agree" to. Why should the small computers in phones with their OSes and apps and the vendors there be any different? Until we can force by law that software makers/sellers/leasers/licensers have to offer some minimum normal consumer warranties, it will continue to happen. As it is now, it's almost pure "caveat emptor".
Eh, look at it this way, does Microsoft write viruses? After all, it's really suspicious that you hear about vulnerabilities and there are already viruses that take advantage!
Except that Microsoft doesn't charge you for its service packs, whereas anti-virus companies charge you for their products. Microsoft says, "A flaw has been discovered, here is the patch to download." Norton/Symantec/etc say, "Here is a new virus. You can download the latest signature files if you have purchased $PRODUCT, or you can purchase $PRODUCT now for only $AMOUNT to protect yourself."
Of course, that's ignoring the fact that Microsoft generally does not acknowledge a flaw until they have a working patch, even if it is months after the flaw has been publically exposed.
Apples to oranges.
Unfortunately I had to review my opinions about people having to be stupid to accept unknown software.
Well, anyways there is times when people except messages from certain providers. Like when people are arrive to a new country they are quite accustomed to a welcome to a new country messages.
As an example I know a case where one of our customers did accept Cabir over bluetooth because it was send with a sender name of a local operator. Unfortunatily I can't see a difference in a MMS case. User that thinks that he's getting updates/welcome message for his current country propably will accept the message.
And for the last part.... at least in Finland most new user will have MMS settings in place (i.e. they may get them automatically depending on the operator).
.... it's coming
The telecom operators are already filtering these infected MMS messages.
The only problem is indeed the cost of sending these messages. I do hope that operators are not charging customers for these undelivered messages.
-------
Warning: Slashdot may contain traces of nuts.
In most of europe cellphones are essentially premuim rate numbers. Unlike the US where the cellphone holder pays for every minute, europeans place the cost burden on the person making the call.
Typically these rates aren't too bad, but when you start calling from one network to another they can get VERY high. In the UK I would pay close to 1$US/minute to call from orange -> tmobile.
Text messages are generally very cheap and practical. Plus they are better for communicating certain types of information since you have a record of it. Not to mention the privacy issue of being able to text when you are in a meeting at work or in a resturant.
On top of that you can IM with people on their computers.
BTW, what the hell is Yahoo (not) doing with their SMS? What's with the limited carriers? And it doesn't work half the time anyway. They need to fire people and get it working.
Im a borderline luddite :)
---- Booth was a patriot ----
Here's hoping it infects those poor braindead souls who do nothing but send text messages during class... Seriously, as anyone in high school knows, this is an epidemic. It may soon cause our school's administration to ban cell phones despite their legitimate uses.
When the PHC suggests ideas like that, well, that's preposterous. What would they know of security or viruses?
p62-0x02.txt
...man I thought they had found a way to deliver a virus via video stream. :-)
My gaydar readings say it's a pain in teh bumm.
The phone is an appliance. I didn't install, nor do I manage its software. The phone company does. Same with the software in my car's ECU, or in the microwave, or any other embedded system.
The provider, or failing that, the company who made the phone should clearly be responsible.
STUPID, STUPID, STUPID PEOPLE (although PrecisionTime seems to be popular on Windows XP, and Windows XP has a (semi-neutered) NTP client built-in, not needing PrecisionTime or any other time app)...
On my Nokia 6225 (not a Symbian phone), I can change that setting from Menu>Settings>Time settings>Auto-update of date & time. Grabs it from the network, auto time zone compensation.