November 29, 2004 1:03 PM PST

Skulls program carries Cabir worm into phones

Virus writers have unleashed a second version of the "Skulls" Trojan horse and packaged it with a cell phone virus, a security company has warned.

The hybrid Skulls.B Trojan horse displays images of skulls instead of the program icons on handsets running the Symbian operating system, software maker F-Secure said in an advisory Monday. It also releases the Cabir.B worm, the company said.

Cabir, which asks its victims if they would like to be infected, was thought to be a proof-of-concept virus when it was released earlier this year. The virus spreads by sending itself to other handsets within Bluetooth broadcasting range.

Phones infected with the Skulls.B hybrid can infect nearby handsets with Cabir. The Trojan horse, though, can only be downloaded and does not spread using Cabir as a vehicle. Skulls was originally distributed on Symbian shareware Web sites as "Extended Theme Manager."

When infected with Cabir, a phone displays the word "Caribe" on a screen as the worm modifies the Symbian operating system and looks for other cell phones to target.

F-Secure said that cell phones from manufacturers such as Nokia, Siemens, Panasonic and Sendo were vulnerable. It has posted advice on disinfecting cell phones on its Web site.

But Symbian has said in the past that the Trojan horse only affects mobile phones running Nokia's Series 60 software. The software developer could not be immediately reached for comment.

Mikko Hypponen, director of antivirus research at F-Secure, said that Skulls represents only a mild threat to mobile device users at this point, based on its Trojan horse design. But he said the program is indicative of a growing effort among virus writers to target wireless handsets.

"Obviously what we're seeing here are the early days of a new platform, with the bad guys trying to find different ways to attack (cell phones) and test out different technologies," Hypponen said. "Skulls' existence shows that there is increasing activity in the underground looking at phones and genuine interest in how to write Trojans, backdoors and viruses for these devices."

In addition to creating something of a template for future mobile device viruses, Hypponen said that Skulls' existence highlights the fact that phones may be more vulnerable to attacks than other devices, based on their direct ties to systems that deal with purchases and other transactions.

"The biggest difference from PC viruses to phone applications are the direct links to money," he said. "If you can infect a phone you can immediately begin making calls or sending text messages to toll numbers in order to steal from someone. The theft will happen a lot faster than it did with PCs."

Dan Ilett of ZDNet UK reported from London.

8 comments

Cabir worm on Symbian - expect more of that!
One should not forget that platforms like Symbian and PocketPC make it easy for worms to spread. I'm surprised that worms have not more massively spread on those platforms yet, but it's just a matter of time.

Symbian OS allows native code to be downloaded and executed. There is no verification of the code executed. For example, an apparently harmless application labelled "personal diary" can turn into something malicious after installation and there is nothing the platform will do to prevent that. That's exactly what's happening with Skulls/Cabir.
Posted by (6 comments )
Viruses will proliferate
You're right, mobile phones are a perfect breeding ground for viruses and we're bound to see them turning up more and more frequently.

Trojans are nothing new however - you can install programs onto your PC too that appear to do something useful but are in fact malicious. I think that if a PC doesn't do something then expecting a smartphone, with its correspondingly smaller resources, probably is asking too much.

As with PCs, there is no simple answer to the problem of viruses and other malware for phones. The Symbian Signed program is a start (you can rely on a Symbian Signed app not to be malicious) but ultimately most of the software that people download to their phones will not be signed and so fairly shortly we'll all need to pick up one of the Symbian anti-virus applications that are now available through sites like Handango.

Kind regards,
Aaron Davidson.
http://www.simworks.biz
Posted by aldsimworks (5 comments )
matter of time
http://www.analogstereo.com/chrysler_lebaron_owners_manual.htm
Posted by Ubber geek (325 comments )
Camtimer.b now discovered
Symbian virus writers have now decided to have another go at this. SimWorks has identified a new variant of the Camtimer/Cabir combo originally included in Skulls b, this time separate from the Skulls trojan.

The Cabir worm found in Skulls.b was packaged with an application called Camtimer, a piece of free Nokia software. The Camtimer/Cabir.b worm combo (Camtimer.a) packaged with Skulls.b was not packed correctly and the Cabir virus would not auto-start.

This new variant, Camtimer.b has been packaged correctly and so in this version Cabir will auto-start.

The installation file for Camtimer.b is called CAMTIMER.sis and Series 60 phone users should exercise caution if downloading this from untrusted sites and consider purchasing anti-virus software for their phones from reputable sites such as Handango.

Best regards,
Aaron Davidson.
http://www.simworks.biz
Posted by aldsimworks (5 comments )