First Symbian OS virus to replicate over MMS
Shachaf writes "A new virus, CommWarrior.a, is the first to replicate over MMS (Multimedia Message Service). From the article: 'Multimedia Message Service (MMS) is a more advanced version of the Short Message Service (SMS) familiar to users of GSM based handsets around the world, and allows rich content such as pictures, sounds, video, and applications to be sent as well as text.', and '"With MMS messages typically costing between $0.25 and $1.00 CommWarrior could prove expensive to anyone unlucky enough to be infected by it. As the virus runs silently in the background it could be quite some time before the user becomes aware of the potentially hundreds of MMS messages that have been sent," said Aaron Davidson, CEO of SimWorks.'"
The first virus... but lucky there is already anti virus software out there for your p910 :)
I'm willing to bet that wireless telcos created it to increase revenues... ;)
---
Programming is like sex... Make one mistake and support it the rest of your life.
It's a good thing I have no friends then.
All of my coworkers laugh at me for using such a simple phone with only basic features and services. Guess there are some benefits after all.
I wonder if this falls under the protection of the service provider. It seems to me that they shouldn't be able to charge the user for a vulnerability on their part, but what companies should do and what they actually do are very different things.
Four roommates. No microwave. You do the math.
I'd like to know why those MMS and SMS are priced the way they are?
Why won't anyone allow a flat-rate service? I mean.. it's data, but I'm sure the cost of building the cellular networks should be paid off by now (excluding 3G).. at least here in Sweden. (don't know how it's worldwide)
So, the question is...
Are the customers responsible for all the charges incurred from this virus? Being that it probably uses a flaw in the phone's OS itself.. how is this going to work?
Nobody is going to want fancy newfangled smart-phones if they get infected with viruses and run up your phone bill monthly..
Excuse me, I don't mean to impose, but I am the ocean
...message, on an already well-known format, shouldn't it be possible for service providers to block the messages through the MMS MX handlers? And/or simply not bill the customer for the sum of messages sent with that format. Of course, isolate them from the network if possible (remove their permission to emit MMS messages at the MX) until the malware can be removed from their device. Just a thought. Doesn't really seem right to charge users for something like that, especially the less savvy who might not know any better.
Informatus Technologicus
What a remarkable "coincidence".
I never put any credence into the antivirus companies writing viruses conspiracy theories but, that one's just too fishy.
-- Nothing unusual happened today
Too much tinfoil can cause interference with your cell-phone reception..
Besides, it couldn't be the phone companies, that's too direct. It's obviously the anti-virus companies..
They're in it with the martians.
air and light and time and space
Anti-virus software is a sign of platform's maturity... a sort of an OS Bar Mitzvah. There are probably Nokia engineers working on new worms, tightly collaborating with their anti-virus engineers.
Here's an old school idea that doesn't get viruses and doesn't cost nearly as much.
Ha! When I was your age, "old school" meant using a rotary dial, pulse landline.
Get a Windows CE phone :)
It seems to me that since most people get their phones for free when they sign up for a plan, the cell phone companies should bear the cost of this virus. This cost will inevitably be passed on to the consumers. My point is that it should be the responsibility of the cell phone companies to keep their products and their networks free of viruses. Dwight Yokel BEEP BEEPING his neighbor in the next trailer over, should not be expected to pay any money or attention to this sort of concern or worry about extra charges on his bill because his cell phone company runs a flawed service.
someone you didn't expect to get it from.
this needs manual installation by the 'victim'!
not very likely to spread too far either - a lot of people don't have even the mms settings in place.
world was created 5 seconds before this post as it is.
What was Paris's #, I need to send her a mms message.
....to the article mentioned in the /. blurb.
Not to toot my own horn, but I worked for a company last year, where we made an AntiVirus product for Symbian, which can handle SMS message viruses. website: http://www.fb-4.com
From TFA:
CommWarrior periodically sends MMS messages to randomly selected contacts, including a copy of itself and one of several predefined text messages designed to encourage the recipient to install the application.
Doesn't really seem this is Symbian's fault, CommWarrior just behaves like a malicious application. The user obviously has to install it and then run it to get 0wned.
Of course, some sort of sandbox environment like in Microedition Java would have been a better design, but I guess Symbian simply wasn't built with something like this in mind. I know Nokia is pushing a model where only certified developers will be allowed to write applications that access sensitive functionality (dialing numbers, sending messages, etc.), but this is not a great solution. It will drive the cost of applications way up, and shaft all the small app developers, because only the big guys will have their apps signed by Nokia.
When will people learn the more features something has the more holes it has in it. My cellphone can take calls and text, doesn't even display colour but if I have a car accident or I get injured it'll do the job just as well as any "3G super mega hyper magical edition" phone.
Maybe people need to learn that the home phone is better for calling friends and mobiles are mostly for emergencies and when someone needs to urgently contact you..
I like muppets.
I just love vendors who shrug and say "This is gonna hurt you a lot more than it's gonna hurt me. Sucks to be you."
What's the name of this company, 'Lumburg'?
Luxury.
We had a telegraph, and it suited us just fine (spits).
Of course, every now and then a herd o' buffalo would knock down a pole, and we'd have to go ridin' out there to fix it in a blizzard. But, then, I guess you youngsters are used to havin' it easy.
(Eagerly awaits even-more-outlandish response)
Keep your friends close.
Keep your enemies in a little jar on your desk.
Per Symantec - SymbOS.Commwarrior.A is a worm that replicates on Series 60 phones. It attempts to spread using Multimedia Messaging Service (MMS) and Bluetooth as a randomly named .sis file.
--
So how many Lexus's are affected? (OK I don't like Lexus's so from now on multiple Lexus vehicles are referred to as LEXEN!)
News Reporters Make Tasty Polar Bear Treats!
It is very close to impossible to infect a car via a virus like this. In fact, it would be very unlikely to break into a car through a virus in the first place. To communicate with anything vital you're going to have to find something vulnerable that has bluetooth or some other means of communication that is also hooked into a CAN bus. Then you have to hope the vulnerability allows you to transmit arbitrary messages over the CAN bus. Then you have to craft the CAN frames in just the right way to exploit a theoretical hole in the CAN implementation. This just might get you access to an ECU that can communicate with the WCM (in Chrysler's case) or another security unit on the vehicle. If you're really lucky, you'll have broken an ECU that is either critical (very difficult to even communicate with) or find an exploit in an ECU that normally communicates with a critical ECU.
All of this is highly, highly theoretical and unlikely. Especially since most ECUs don't have a generalized CAN software stack, only specifically coded transmit functionality for their specific messages. Of course, if you could port something like NeoVI or CANoe to the symbian and get a CAN card and plug in that way...you might have slightly higher chances. At least the chance of a D.o.S.
Anyway, please stop perpetuating this retarded myth of anything remotely valuable in a car's network being infected by a virus.
Can someone clue me in as to what this SMS and messaging is all for?? If you have a phone...why send text messages over it? It's a phone...call and talk to them....??
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
This begs the question though, that in the same circumstances of having a MMS provider being responsible for their traffic, shouldn't ISPs be responsible for the traffic being issued over their lines too? But wait a moment, aren't they released of all liability due to their title as a 'common carrier'?
Before you start pointing the finger at the ISPs, you have to think deeper into the repercussions of moderation of their networks. More moderation simply means more people to control what is being passed through; this means more salaries to pay. It won't be like Slashdot where everybody volunteers, but rather just like any other business where people are paid to do their work. These additional salaries will be paid for by your MMS messages which already cost a hefty amount.
Suddenly somebody is sending child porn over their cell phone. Will the MMS provider be responsible for this content now? I don't believe it is fair to put all of this weight on the shoulders of the ISP, primarily because it's the users of the service who will be hit the hardest in times of moderation.
I don't know about you, but I would rather have a 'free' internet where I can do whatever I want (within a legal boundary) instead of having a MMS provider or ISP monitor and decide what I can and cannot do.
Sometimes people simply have to take their own responsibility for being on these networks.
News like this makes me happy that I have a very simple phone with simple features. All a phone really needs is to be able to store numbers and make phone calls. That's it. Anything else that could in any way compromise security should not be included.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Perhaps I mis-RTFA or just don't understand MMS, but whenever my mobile is active it causes amplifier noise (talk or send/receive SMS). CDMA or GSM. Computer speakers, car stereo, whatever. Wouldn't a constant transmission be noticeable?
Of course, if you could port something like NeoVI or CANoe to the symbian and get a CAN card and plug in that way...you might have slightly higher chances. At least the chance of a D.o.S.
Actually, on second thought, that is slightly less likely. How many users would take apart their car, buy a CAN card (around $1000 US), find drivers for their symbian, in fact find a CAN card that works with a PDA, get a company to port their diagnostic software to the PDA, construct or buy a CAN cable (only 4 wires, not too difficult if you have a crimping tool), construct a CAN break-out box, connect the break-out box to the car, make sure all the cabling is right? All of this on the request of a program they didn't even know they had?
Only extreme geeks would do so, if only because of the pain in the ass of following directions. I don't doubt the users are stupid enough, I doubt they are motivated enough.
Why isn't the cell phone's embedded code not written and executed in read-only memory? I understand there *may* be a need for volatile memory to read/write data to a stack/heap; however, why should data written to such memory *ever* be executed as code! I'd really like to know from someone who writes embedded systems for cell phones.
I mean, the RFCs for MIME came out, what twelve years ago? Injudicious MIME implementations have been vectoring trojans ever since.
So, you'd think they'd have taken a lesson from a decade of history and limited the power of multimedia attachments.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
...but the text in the MMS says: "Your cell phone clock may be wrong. Would you like to keep it accurate?"
I'm really curious why anyone would want to send applications to someone else's phone.
I can understand pictures, sure. I can understand sound, er. okay, we have voicemail for that. I simply cannot comprehend sending someone an application. A program, something executable. It is pure overkill. Why not just refer him/her to where you got the app from? That will centralize things a bit.
Applications are the new scapegoat for "things you can send to friends". Don't want to do it in email, now you don't want to do it on your phone. Viruses have ruined the fun for everyone.
T-Mobile offers unlimited data and SMS on their Sidekick plan. I'm pretty sure they offer unlimited SMS to encourage people to use it instead of email/IM, which take up more air time/bandwidth. As an added plus, the Sidekick stores SMS messages on your SIM, so they can't be retrieved should someone discover your password. ;)
Modern phone operating systems have security features built in where the application installer will only allow *signed* applications to be installed. A virus / trojan wouldn't get signed because it has to go through an acceptance program.
The first Microsoft smartphone product had this feature turned on - normal Joes couldn't install software that hadn't been signed (the signing process usually costs $$ although recent efforts have reduced the cost).
Symbian *has* the same functionality. In fact, most commercial Symbian software should now be signed, see Symbian Signed. Symbian also has the functionality to disallow users to install unsigned programs. It is just that this feature is turned off by default (at least on the phones that I have seen).
Theoretically, all an operator needs to do is send an OTA message to turn on signing verification. This is easily done on a Windows Mobile and presumably via WAP push on Symbian. We probably will see operators start to turn on signing requirements by default on Symbian phones (hopefully with the capability for users to turn it off so they can install freeware if they so choose).
All too often, a virus costs somebody time. They are willing to accept it as just a loss of that. Instead, society needs to start accepting that all viruses represent lost money. Once they do that, they will start looking for alternatives to where 99.999 % of the viruses occur at.
I prefer the "u" in honour as it seems to be missing these days.
You were lucky. Why, in my time, we didn't have those newfangled telegraphs. We didn't have smoke signals. We couldn't even yell. All that HAD been invented was a binary grunt language. arrg agh arrg arrg agh agh
If you have an internet connection for which you pay per used bandwidth and you get a virus, do you get a refund? You get 0wned and someone uses you as a spam relay, you get black-listed. Should you get refunded?
No. You should make sure that you have up to date AV running and you have firewall installed and configured. Even if the terminal is more widely spread than the internet connections are, and to even more clueless users, it's up to users to make sure that their system is secured.
Yes, there are ISPs which disconnect infected clients from their network and will not forward virus infected emails, but some of them don't care.
Of course there will be companies to provide AV and FW applications. Of course they won't be free. But then again, who can blame them. If you want to get it for free do it yourself, GPL it and make sure that everyone can enjoy it.
-- Reality checks don't bounce.
I know this would totally suck because the user would lose his contacts and all his information, but isn't it possible to do a hard reset on these devices which cause all the original software to be reloaded thus wiping out the vir(us/ii)?
I am d3matt
...with computers and operating systems yet. No OS vendor so far is accepting any liability for all the various viruses and trojans and whatnot that infest the internet and get on peoples machines running that OS. No ISP is accepting liability claims or paying out either as far as I know anyway. So there ya go. It's in the EULAs and various other contracts consumers "voluntarily agree" to. Why should the small computers in phones with their OSes and apps and the vendors there be any different? Until we can force by law that software makers/sellers/leasers/licensers have to offer some minimum normal consumer warranties, it will continue to happen. As it is now, it's almost pure "caveat emptor".
With most providers, voice calls are a lot more expensive than SMS. In many countries, this price difference is significant enough to suffer the relative inconvenience. Messaging also has the somewhat unintended feature of being quiet to send, so it's more polite to use in public.
But you knew that anyway.
Eh, look at it this way, does Microsoft write viruses? After all, it's really suspicious that you hear about vulnerabilities and there are already viruses that take advantage!
Except that Microsoft doesn't charge you for its service packs, whereas anti-virus companies charge you for their products. Microsoft says, "A flaw has been discovered, here is the patch to download." Norton/Symantec/etc say, "Here is a new virus. You can download the latest signature files if you have purchased $PRODUCT, or you can purchase $PRODUCT now for only $AMOUNT to protect yourself."
Of course, that's ignoring the fact that Microsoft generally does not acknowledge a flaw until they have a working patch, even if it is months after the flaw has been publicly exposed.
Apples to oranges.
Unfortunately I had to review my opinions about people having to be stupid to accept unknown software.
Well, anyways there are times when people expect messages from certain providers. Like when people arrive in a new country, they are quite accustomed to "welcome to a new country" messages.
As an example I know a case where one of our customers did accept Cabir over bluetooth because it was sent with a sender name of a local operator. Unfortunately I can't see a difference in a MMS case. A user that thinks that he's getting updates or a welcome message for his current country probably will accept the message.
And for the last part.... at least in Finland most new users will have MMS settings in place (i.e. they may get them automatically depending on the operator).
.... it's coming
Hmmm...where do you live? I pay a flat fee monthly...for unlimited nights and weekends...free long distance...and like 500 or so minutes during peak hours. I rarely talk on it during the weekdays..as that I'm at a desk with a landline. And if I want to send text...I use email on the computers at my desk...again, most everyone I know is at a desk working with a computer at the same times during the day.
Is pricing different in other countries?
I send pictures via my phone...but, mostly to people's email addresses...not their phones. I guess it is just something I'd never think of....possibly that I'm in a bit older set (I know, in Korea only old people...hehehe). But, I use a phone to talk...and computers to email....and usually these messages are just to plan to meet somewhere so we can interact face to face.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
The telecom operators are already filtering these infected MMS messages.
The only problem is indeed the cost of sending these messages. I do hope that operators are not charging customers for these undelivered messages.
-------
Warning: Slashdot may contain traces of nuts.
In most of Europe cellphones are essentially premium rate numbers. Unlike the US where the cellphone holder pays for every minute, Europeans place the cost burden on the person making the call.
Typically these rates aren't too bad, but when you start calling from one network to another they can get VERY high. In the UK I would pay close to 1$US/minute to call from orange -> tmobile.
Text messages are generally very cheap and practical. Plus they are better for communicating certain types of information since you have a record of it. Not to mention the privacy issue of being able to text when you are in a meeting at work or in a restaurant.
On top of that you can IM with people on their computers.
I'm a borderline luddite :)
---- Booth was a patriot ----
Here's hoping it infects those poor braindead souls who do nothing but send text messages during class... Seriously, as anyone in high school knows, this is an epidemic. It may soon cause our school's administration to ban cell phones despite their legitimate uses.
Price is a major factor in third world countries, where your ~$30 flat rate plan is generally unaffordable by even white collar professionals. If the person you call also needs to pay for airtime, then calling them is even a form of imposition. (Many things are cheaper in the third world, but a lot of the equipment has to be imported, and telecoms carriers are greedy.)
Where price is less of a concern, there are many people who use public transportation outside the US. This means they have more time to use their phones, but also are constrained by politeness to remain quiet.
...man I thought they had found a way to deliver a virus via video stream. :-)
The phone is an appliance. I didn't install, nor do I manage its software. The phone company does. Same with the software in my car's ECU, or in the microwave, or any other embedded system.
The provider, or failing that, the company who made the phone should clearly be responsible.
STUPID, STUPID, STUPID PEOPLE (although PrecisionTime seems to be popular on Windows XP, and Windows XP has a (semi-neutered) NTP client built-in, not needing PrecisionTime or any other time app)...
On my Nokia 6225 (not a Symbian phone), I can change that setting from Menu>Settings>Time settings>Auto-update of date & time. Grabs it from the network, auto time zone compensation.