Mabir.A Virus Targets Symbian Phones
adennis writes "Exploiting Bluetooth and weaknesses in the OS, the Mabir.A virus, like its predecessor, targets the version of the Symbian operating system running on Nokia Series 60 handsets. Since Symbian is the dominant smartphone OS, found on phones made by Motorola, Siemens, Sony Ericsson, Panasonic and Nokia, this virus could have great impact. Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?"
Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?
Wouldn't an automatic update system serve to make the software more secure?
Digital Sailor
again?....what's the point of viruses in the first place.. evil teens with no life
There was a time when a virus could install itself just by latching onto a 3.5" disk boot sector and infect tons of machines without anyone having the slightest clue as to its existence.
Nowadays, viruses are so pussified that they need to ask the machine owner to install them. How sad.
I'd say they'll be wanting to make these phones secure, and be sharp about it. Fair enough, these phones with sophisticated OSes are fairly new, and you might expect them to get hit by viruses to start with, but now that the first few viruses have struck the phone companies are going to want to get these phones as secure as possible, so that they can't get attacked so easily in future. Obviously, there's going to be a need for continued updates, as viruses continue to develop and evolve, but more basic levels of protection need to be introduced first.
Santa's suicide mission go!
I wonder if the fact that the recent OS X vulnerability is still unpatched after more than 2 months with the Symbian component of iSync is related to this? Would it be possible for an infected mobile phone to use the exploit in the mrouter code on OS X to infect the OS X machine remotely?
Why shouldn't the creators make the system more secure? It's their responsibility to make it more secure. What if you have to dial 112 (911 for people in other parts of the world) and you can't? Phones have to be secure. I can live with it if my Windows box isn't, but damned if my phone isn't secure.
So, I guess this is becoming more and more ordinary, writing secure code is not going to happen, and with new ways in (Bluetooth, browsing with the phone, wireless access via phone in the future?) and so on I think we just have to rely on autoupdates for every OS with no exception of PAN-devices. Just like we humans have constant amount of bacteria in our mouths we have to get used to having a constant flow of viruses through our computers/phones/PDAs etc.
I will turn off bluetooth or set my phone's visibility to off.
There, was that so hard? If for some reason, you refuse to do that, don't accept files from other devices unless you specifically know they're ok. You know, just like you do with your email.
The unsig!
I had to read quite a way down TFA before I actually came to the information detailing what the virus actually does.
"At this point, mobile viruses are more of an irritant than a serious security...the messages that Mabir sends do not contain any text message, only the info.sis file."
So it seems this virus is more of a proof that they can be spread via phones, which we already knew, rather than an attempt to actually damage or corrupt the OS. Hopefully it'll persuade manufacturers to work more on their phone security, rather than obvious new features for the user.
I'm not stressed. I'm just terribly, terribly alert.
Is there a convention in naming viruses? For example this is one is called Mabir and the A is a variant or type classification?
Saying that this virus exploits Bluetooth is similar to saying that a windows virus exploits CAT5. The software running on the phone is vulnerable, not the transmission medium.
A lot of people already have to update their roaming info. Why can't this stuff be updated at the same time? Current phones wouldn't be able to, but I'm sure cellular providers would rather do that than suffer the wireless version of a DOS attack (you know it will happen).
I own a Nokia 60-series phone and much to my surprise I encountered the above mentioned predecessor (Caribe/Cabir) in the wild. (Yep, my bluetooth's always on)
I received over 20 identical messages by Bluetooth messaging, all containing a single application-installation file: caribe.sis. I had to approve the reception of the message first before I could view the contents. As I browsed the message contents, a further warning that it contained an application was issued, and I imagine the standard "not-signed" warning would as well if I'd try to actually install it.
That's 3 warnings I would have to ignore before the virus is installed. Surely in this day and age anyone's brains would have kicked in and wonder whether it would be a wise idea to install an unknown program sent to you by an anonymous stranger? Mobile-phone virii are all still very proof-of-concept in my book...
Patching mistakes after your customers have suffered for them is a little different than doing it right the first time around.
70e808a22cb027cde4a6abddf6435d55
Will mobile OS companies, like desktop OS makers, have to start an automatic update system, or will the OS creators have to start making their software secure?"
Not having every single Bluetooth service known to man switched on by default when the phone leaves the factory would be a good start. The first thing I did when I got my new PDA phone was to switch everything off except the BT Headset and File Transfer which I set to Maximum possible security since it wasn't set like that by default. Strictly speaking the FT services should only be activated on a need-to-use basis but I don't carry a lot of sensitive information on my PDA phone and what there is I have encrypted on an SD card. That would incidentally be another good idea, if manufacturers were to install some sort of file-vault software as standard. I had to install the file-vault software as an optional software package from the companion CD that came with my phone.
Only to idiots, are orders laws.
-- Henning von Tresckow
What a great idea. I'm sure this will work just as effectively as the USA executing alleged murderers - brutal as it sounds, it has at least reduced the murder rate to one of the lowest in the world.
This theme is beat to death. So called "virus" require answer "Yes" three times to be installed. The most vocal reporter of these viruses is F-Secure, manufacturer of anti-virus software for Symbian phones. Their CEO speaking on one of the previous virus: "somehow, I'm not sure exactly how this virus get installed on my phone" He didn't remember answering "Yes" three times?
"Please execute this program to destroy your system" is what the approach would have to be and doing a hard reset of all of the memory and hotsyncing it would completely wipe the thing out of the system. This is where volatile memory and a somewhat restrictive setup will benefit the user.
will the OS creators have to start making their software secure?
All commercial operating systems are written to the point where the security is just good enough to sell the product and no further.
When operating systems are tied to the product or the vendor has a monopoly on their market then the point of 'just good enough' is reached long before the end user can regard the product as secure.
I predict: Software security will only become worse as consumer adoption of future devices in hostile environments such as the internet increases. Within 10 years, end users will be comfortable with performing routine software maintenance on a myriad of devices they currently consider reliable over the life of the product. This will include: all communications products; vehicles; home automation and security; entertainment systems; electrical white goods and DIY tools.
When the dominant multi-purpose operating system can be regarded as usably secure out of the box for the lifetime of the product, then I'll reconsider.
"Those who cast the votes decide nothing; those who count the votes decide everything." (attrib. Joseph Stalin)
Why is Slashdot's icon (top right) for the "worms" section a picture of a caterpillar, which is in no way related to a worm?
The evil empire (MS) would have done this ages ago (yes they'd still be bugs that would let things thru, but it'd be better) if it wasn't for programs assuming they can write anywhere etc. MS trapped themselves. With phones being so young, and also being a new product every version (the OS dependencies are small), it'd be hard for them to excuse there being security problems.
But auto update would also be needed, no software is perfect.
You're joking aren't you? The UK has a per-capita murder rate about one quarter that of the US, and many European countries are significantly lower.
Both. Or maybe... isn't it far better for socializing that you're able to talk about how Windows didn't work and you fixed it than to own a machine / gadget / technology that simply works?
So maybe the answer truly is Neither.
You're assuming they're not the ones who wrote the virus in the first place...
Simple trick, don't buy phones known for crappy security. Symbian phones have been attacked before...
Though I agree this highly bad virus that requires the users permission to install is hardly a "virus" and more of a darwinism.
tom
Someday, I'll have a real sig.
Unfortunately, whenever they make things foolproof, along come the better fools.
Gentoo Linux - another day, another USE flag.
I am an experienced commercial software developer on the Symbian platform. I have a strong background in many other platforms and in the context of this message, my anonymity is important since my company can be sued by Symbian just for a biased negative opinion of Symbian made publicly.
Symbian OS is the most expensive platform to develop on. This means more expensive money and time wise. It takes 3 times as many developers to deliver the same product in twice the time as on comparable platforms (brew, iTron, etc...). As for platforms with real development tools such as Windows Mobile, we use ten developers on Symbian to every one on Windows Mobile to produce a lesser product.
Symbian has limited hardware level debugging support (if any at all), they lack so much as a command prompt to log to.
They lack decent compilers and you're stuck with GCC or ARM Realview (neither are that good, satisfactory at best on ARM).
Documentation is awful at best.
A simple program requires you to jump through hoops, more complex sets the hoops on fire.
The emulator environment emulates nothing and simply tries to implement the Symbian UI APIs on Windows and all system level stuff is just layered on Windows. That's fine if you don't need to do anything at the system level.
The development environment is heavily based on CodeWarrior these days. I find this funny since every other company (Nintendo, Sony, Be, Apple, etc..) where Metrowerks had a good footing, the companies found it more profitable to dump CodeWarrior and do it themselves instead. Symbian is the only company stupid enough to choose to rely on Metrowerks, especially with their pathetic resume.
As for security, the fact that anyone could possibly ship a product based on Symbian is a miracle in itself. As for securing it as well, I think you're just asking too much.
I think it is quite silly and worrisome that PC users have to be so concerned about virii and spyware and have to invest time and effort in dealing with these hassles. Now we've got to have these same annoyances for our cell phones and PDAs? Excuse me?
No one wants to think about security until it's too damned late. Better to deal with the issue up front than take a hit later. But will they listen to little ole' me? Nope!
So I sit by the side lines and watch with glee the idiots making the same lame-brain mistakes over and over again, and then have to suffer for it -- or their customers have to suffer for it. Talk about divine comedy. Now that's entertainment!
Ruby Neural Evolution of Augmenting Topologies
Yep...
http://news.bbc.co.uk/1/hi/world/153988.stm
Nowadays, users are so pussified, that if you tell them there's a virus called "*.*", and it's in the windows folder, they will happily check which files are infected - just tell them to type "dir *.*" at a command prompt, and then believe you when you tell them that to remove the virus, all they have to do is type "del *.*"
Symbian phones hardly have crappy security. They are targeted by "virus" authors because they are the only popular open smartphone OS around.
Incidentally, there is basically no way that an open OS can protect against this sort of thing. If the user has the ability to install applications, the user has the ability to install viruses. There are two obvious ways to stop trojans like this spreading over Bluetooth:
1. Disallow the reception of applications over Bluetooth. But then how would users get legitimate applications from their PCs to their phones?
2. Only allow "signed" applications to use Bluetooth. But then small third-party developers would find it difficult to develop and market their software without it getting "signed" (at probable expense). And what about freeware?
In any case, Symbian are changing their security model to try to combat threats like this one, no matter how based on FUD it is.
I seem to recall stories a few months ago about it...
Either way, stupid users can darwin their cell phones. So long as they don't add to the email spam problem I don't care!
BTW [ot] if you want to have a lot of fun with spam, open a yahoo account, post the address in a bunch of usenet forums, turn off spam filtering and wait a couple of weeks.
Then open up your inbox (which will likely have around 1500 spams in it) and sort based on subject.
Seeing 23 "CONGRATUALATIONS" in a row is just hilarious...
Tom
Someday, I'll have a real sig.
Just as the predominant, most accelerated technology growth comes out of human conflict (ie. war), computer security evolves fastest when it is forced to react to real-world situations.
There is no point in asking what their motivation is; heck, I was 16 once too. Plus, nowadays many virus writers are actually commissioned by greater evils, like spam/malware/etc. Compromised (zombie) machines (of any type) can be misused in a variety of ways.
He remembered that all right, and he followed the script when talking to the press.
You insinuate the CEO is slow for not remembering clicking "yes" - I insinuate you are slow for not realising this was fiction, a marketing trick.
Am I the only one that misses some of the great cell phones that were actually designed specifically to be the best form of wireless voice communication? I sure wish I could buy a new manufacture Motorola StarTac today!! Black-on-green screen - NO crappy color screens. No stupid ring tones. No photo album. No crappy camera. Two-WEEK standby time!! Just a damn good PHONE...nothing else.
/rant
You blame F-Secure, makers of F-prot distributing FUD?
How old are you? 16?
Read some IT history about F-Prot. You will understand they really don't care about your $something.
I am just afraid of people like you administering Symbian sites, really afraid.
If I ever buy f-prot for my mobile, if there will be a reason ever, it will be people like you.
How many users of you care about exact 3 warnings when they download/purchase any sis from your site?
For people never used Symbian, you must PAY to Symbian/Nokia as a developer (free or not!) to get a "security signature" for your application.
I'd expect something like "This is what Nokia deserved, they tried to rip off developers by Symbian security signature and entire community 'learned' not to care about security alerts"
Not some bs like F-secure cares about your money.
I just wonder how many threats Kaspersky labs does found and not announcing because of people like you. Who are them? Oh, just another crooks, going for money!
From the TFA:
Before infection you get multiple warnings before you install the malware.
So, in fact, the OS manufacturers are already making the OS secure (modulo the caveat that no OS is truly secure, bugs will be found etc).
I thought they meant Sybians.
The symbian community learned to bypass all security alerts saying "yes, yes".
;)
You know the reason? Even the best symbian coders have to instruct users to IGNORE security alerts because they can't afford to buy a Symbian signed license for their application.
Only being a user, I suppose Nokia wants money for it.
About your OT: Got no spam for 3 weeks, looks like even spammers have some kind of brain
Before anyone else chimes in, yes he's being sarcastic.
ease down Ripley...
" This theme is beat to death. So called "virus" require answer "Yes" three times to be installed."
It was the same for computers 10 years ago. Now they can infect you without your knowledge by going down wire. How long before our nation's high schools are one big spambot farm?
If we are going to put computers in phones, we need to put firewalls and anti-virus protection in them with the ability to be updated. Which is a security hole itself. In terms of computer technology, it is 1995 in cell phone land. Somewhere, some 1337 h4x0r is working on a way to slide his technological penis into the cell phone vagina and make babies.
If you aren't part of the solution, there is good money to be made prolonging the problem
or will the OS creators have to start making their software secure?"
Or will people like the OP finally come to realize that when it comes to code, there's usually something broken in it - no matter how big or small, and someone who takes the time to figure it out, will almost always figure a way in?
I bet the OP thinks Linux is secure too.
I just wonder how many threats Kaspersky labs does found and not announcing because of people like you. Who are them? Oh, just another crooks, going for money!
Your statements about Symbian bringing this on themselves by charging so much to sign executables are perfectly valid, but the one above is just bullshit.
Kaspersky _are_ well known for scaremongering and nothing you can say is going to change that. Remember the recent "OMFG teh Internet is DOOMED!!!11!!1" statements from their CEO? What happened with that? Is the Internet still working?
And since you decided to launch a personal attack on the original poster, I'm going to do the same. You sound Russian. And to have such strong views about the company I would suggest that you must have some kind of relationship with them. I think you're shilling.
In Soviet Russia, scares monger Kaspersky.
You're an idiot. Set the BT on and visibility on. Just don't install any shit that happens to come there.
But you can still get f*cked.
All the big companies, from the PC, the gaming console, the PDA and the cellphone sectors are focusing on the convergence of devices. Which is why the nintendo DS has a stylus, the Dell PDAs can play music etc. etc.
Eventually these people are picturing a superdevice that you would use for everything from entertainment to buying gas at the filling station.
In comparison to the complexity of such a device, something like Symbian OS is pretty primitive. So if they have such flawed design methodologies right now (more than one virus released, complaints from developers on /.) it does not bode well for us in the future.
I don't want to have to deal with superdevices that contain my critical information and run on software with the reliability of MS Windows. Companies like Symbian need to look at the basic design of their systems, and make them inherently better from the start to prevent mobile devices from suffering the same fate as PCs.
>>statisc data files ..
>>malfromed photos,
malformed english?
http://www.vmyths.com
Furry cows moo and decompress.
This is a miracle! imipak, you just cracked one of the biggest riddles in fundamental physics.
You live in a world contained in a parallel universe where the USA also exists and happens to have the lowest murder rate in the world!
Dude, can you at least tell me how you have achieved posting to /. from there? I'm really keen to know!
to stick with my old cellphone.
I mean, seriously... since technology advances and makes old tech cheap, I really don't understand why the companies don't release a "budget model" that just has a phone and that's it. Yeah, I know, revolutionary idea, but seriously...
Phone = making phonecalls. Any advances should be put into how well you can make them, and how good you can hear the other person, and not how many pictures you can store and still fit a signal of whatever wacky show you're currently watching that you will have to listen to the end of every time before answering.
As an employee of one of the companies mentioned in the main posting, it's obvious that you really don't know what you're talking about. The latest version of Symbian contains numerous updates in terms of security... does "Platform Security" ring a bell? These security updates even break backwards compatibility with apps built for older versions, but security has been deemed more important. As for your comments on debugging... I'm involved in hardware-level debugging at the kernel level in Symbian EVERY DAY!!! There's also a console AND a DEBUG UART to log to. You can log to IrDA and Bluetooth as well. I develop using a text editor and the command line, not Code Warrior, and it works just fine. This is because the development environment is NOT based on Code Warrior. Code Warrior's just a tool, and is NOT necessary to develop for Symbian. By the way, using GCC as the compiler has caused us NO problems since we became a Symbian shop... NOT ONE. Maybe you should try actually developing on Symbian and LEARNING its INTERNALS before you spread such FUD.
So you failed the aptitude tests then?
I also interviewed with them and got a job. Pity I won't be working with you.
Well, maybe the true viruses are so advanced that really no one has a clue about their existence (which would be the reason why you don't hear of them), and the "permission to install" viruses are actually a way to detract attention from them ...
Maybe all the malware is a way to distract attention away from the real malware.
What if the real malware is the one that you willingly agree to install. Pay huge amounts of money for. Give up your freedom for. Give up control of your hardware. Willingly build up your oppressors by using. Allow yourself to be restricted, managed, legislated, licensed, and phone home for permission (activation code) when you need to change your hardware. Lock yourself ever more deeply into that particular malware system making it ever more difficult to escape.
Well, okay. Maybe not. Nevermind. Please go back to consuming.
I'll see your senator, and I'll raise you two judges.
Remember back when telephones made phone calls? Back before they started doing all this hoity-toity nonsense like surfing the web or taking pictures of your girlfriend's sister's panties under the dinner table? I miss those days.
So there!
Go back to stupidphones. My now-ancient StarTAC does everything I want in a telephone, and a lot of stuff I'd like to take out of the menus altogether. If I wanted to lug around lots of other functions, I'd keep them in a separate piece of equipment and only connect it to the phone when I need to connect to somewhere else.
Either that, or just carry a general-purpose computer and plug in a wireless module when I want to have it emulate a telephone or obtain some networked service.
"Kaspersky _are_ well known for scaremongering and nothing you can say is going to change that. Remember the recent "OMFG teh Internet is DOOMED!!!11!!1" statements from their CEO? What happened with that? Is the Internet still working?"
Mr. Kaspersky didn't tell it, it was an employee of labs in a conference speaking about a possibility if the framework of Internet is not changed.
I am not Russian, Ilgaz is not a Russian name, I don't hide behind nicks. If I were narrow minded like you, I'd be hurting their business because of political reasons. Now I have same question for you... Do you have political relationship (positive or negative) with Russia?
I have seen Kaspersky antivirus installed in 10.000+ user networks, mainframes. As a computer hobbyist, I respect them. BTW, nobody here looks as decision makers of corporate environments or able to afford Kaspersky license. Just a bunch of teenagers bullying industry legends as F-Prot and Kaspersky.
In fact I use licensed Intego antivirus and Firewall on OS X, bite me!
Gosh once again Microsoft has dropped the ball --oops - not a Microsoft phone - nevermind
Sounds smarter than you do.
because computers are susceptible to viruses !!
Goldbug is a complex virus, made in USA.
Be proud to be an American. Be sure that you only run virii that are made in the USA!
your geek credentials have been revoked, please leave this website and hand your badge in at the front desk
Am I the only one that misses some of the great cell phone
let me guess you're American ?
I say outright - not insinuate - that you are incapable of detecting sarcasm.
I don't know how you got two weeks out of your startac.. mine only lasted two hours if I unhooked it from the car charger. You couldn't fit the thing in your pocket so you either left it in the car anyway or walked around with a stupid-looking phone holster. I imagined self-important geeks dueling in the old west drawing their phones and ... dialing first.
What makes the black-on-green better than a 10-digit calculator type display? (Not that I'll deny that screens that require backlighting are pointless for a device that should be maximizing battery life.)
There've been some advancements. You seem to be upset because the extra features are eating up all the real enhancements (higher density batteries, lower/variable power transmitters, etc)
Oh no!!! The planet of the apes is here!!! Oh wait...
Just to poke a little fun at your article (in the context of the discussion): The number one city, Washington DC, doesn't have a death penalty.
Be civil to all; sociable to many; familiar with few; friend to one; enemy to none. --Benjamin Franklin
I had a long conversation with sprint support about this, and they were willing to do it, (downgrade me for free to a barebones phone that is.)
I then discovered that the phone I had, (the screen had died) had a free replacement policy. (It was a sanyo clamshell, I forget which model.) of course the replacement then broke a week later. I have since downgraded back to my original sanyo 4500 or whatever. better range, longer battery life... the only down side is that the clock does not work out of sprint pcs range. so no alarm clock.
Sprint it seems is reluctant, but not completely opposed to giving you the low end "phone-only" handset if you want it. but for the most part, (in my admittedly limited experience) is that the phone support people are much nicer than the people in the stores. (hear that clackamas?!? though the guy near lloyd center was nice. (portland, OR for the curious))
On the other hand I just switched over to a t-mobile/nokia/symbian 60 phone. Which does not have much service in the area where I am currently (temporarily I hope) stuck. (north-eastern vermont for the still curious)
-- it's ridiculous how many people misspell ridiculous... (damn, damn, damn...)
As of 1996, your categorization of the US's murder rate as "one of the lowest in the world" is misleading. Only 23 of 86 surveyed countries had higher rates.
http://www.haciendapub.com/stolinsky.html/
Despite pro-death marketing, studies pretty consistently show that capital punishment has no deterrent effect.
http://www.csicop.org/si/2004-07/capital-punishme
In fact, murder rates tend to go up during periods in which death sentences are actually carried out.
http://www.prisonactivist.org/death-penalty/dpstu
Upset because we failed the selection process?
Well, I had an interview with them and got the job. Shame they didn't let you in. You would make an excellent office clown...
Yes, parent is flamebait. However, he's right ... I work at Symbian, and to be blunt, they're DRM whores. We've got agreements with the MPAA and Microsoft up the wazoo, with a lot of legal pressure from the contracts ready to lawsuit us out of existence if we dare to allow options for non-DRM media.
Before you ask, yes, I'm looking for other employment, preferably in an open source company using Gentoo (follow up if you know a company that might interest me (-: ). I'm assuming a GPL source company won't support DRM ... my plans for moving are purely idealistic.
Well, I've been here at Symbian for nearly a year now, and I have to wonder who interviewed you.
We have hacker personalities. We have managers. The managers keep us on target and the hacker personalities write the software.
It sounds very much like someone couldn't write a Soundblaster driver.
Oh, and by the way: you'll have to look elsewhere for your attack vectors. None of those you listed are feasible.