Cabir: World's First Wireless Worm
The Cabir wireless worm replicates over Bluetooth connections, arriving in a phone messaging inbox as a file called "caribe.sis" that contains the worm. When the user clicks the file and chooses to install the .sis file, the Cabir worm activates and starts looking for new devices to infect over Bluetooth.
Jun 16, 2004 1:13 PM PT
The first virus designed to infect mobile phones was detected Tuesday, as reported by security firm F-Secure in Helsinki, Finland. Nicknamed Cabir, the worm uses Bluetooth technology running in Symbian mobile phones that support Nokia's Series 60 smartphone platform. Several mobile phone makers use Symbian, including Nokia.
According to the security report issued by F-Secure, the Cabir worm can only reach mobile phones that support Bluetooth, have it turned on and are in discoverable mode.
The worm currently has no harmful effects, but that does not mean it is not important, noted Alfred Huger, senior director of engineering for Symantec's security response team. "The virus represents a wake-up call," he told TechNewsWorld. "Just because this one isn't dangerous doesn't mean the next one won't be."
Anatomy of a Worm
Cabir replicates over Bluetooth connections, arriving in a phone messaging inbox as a file called "caribe.sis" that contains the worm. When the user clicks the file and chooses to install the .sis file, the worm activates and starts looking for new devices to infect over Bluetooth.
Once activated, the worm writes "Caribe" on the screen and becomes active each time the phone is turned on.
The infection spreads very quickly, usually before a user can disable Bluetooth from the system settings.
F-Secure has issued a security patch on its site that will detect Cabir and delete the worm components, as well as the worm files from the directory.
Not Harmful Just Yet
The worm was created by a group that is known for developing viruses to demonstrate vulnerabilities in technology, Huger said. "This is a group that's done some watershed type of activities," he noted.
That means the virus was given to security firms that were able to dissect the worm for examination, rather than maliciously released into the wild.
But the next attack might not be so civilized, F-Secure noted. The company warns that the discovery of the worm proves that technologies are now available to create viruses for mobile phones, and that those technologies are now in the hands of virus writers.
Antivirus experts have been girding themselves for mobile security threats as the adoption of devices has grown. One protection against more widespread virus threats over mobile technology has been the way that cellular technology works, said Yankee Group senior analyst XJ Wang in an interview with TechNewsWorld.
He noted that, in PC threats, viruses can be delivered directly to the user through Web sites and e-mail. But in cellular technology, most Internet-delivered content is first filtered through a carrier, where security can be implemented.
"I think on the cellular side, it's much easier to prevent virus infection, because every carrier has a mobile e-mail gateway," Wang said.
Are You Blue?
Cabir is a different kind of threat, however, because it does not come through a carrier. Huger said, "This uses Bluetooth, so you're not calling anybody. It just searches around the proximity to see if it can find another Bluetooth device, and infects it that way."
Mike McCamon, spokesperson for Bluetooth, told TechNewsWorld that the trade association is currently in the process of contacting the individuals who created the worm and is also investigating security reports that are still coming in.
"When it comes to Bluetooth, security is a very big deal," he said. He added that it's important to note that the Bluetooth link has not been broken or hacked. Rather, Bluetooth is being used as a delivery mechanism.
"It's similar to the Internet and viruses there," McCamon noted. "It's not that the Internet itself is insecure; it's that it's being used to transport viruses."
He added that another item to note is that the worm can only be propagated if a device is in the discoverable mode, which means it is waiting to accept a connection. Most device manufacturers have this as a default setting, he said, but a phone can easily be switched to a nondiscoverable mode.
User, Educate Thyself
Although the Cabir worm is not considered a serious threat, Huger still emphasizes the need for widespread education about mobile security.
He noted that the worm can infect a phone only after an installation message is shown to the user, which shows how crucial it is for users to understand proper virus-protection techniques.
There are some antivirus tools and products available for mobile technology, and Huger strongly recommends that mobile users at least investigate these to protect themselves.
"It's the same kind of prevention that people need to do with their PCs," he said. "Now we have to extend that thinking about antivirus strategies to mobile devices."