Five stories about Cabir, the first virus for smartphones
Yesterday was 10 years since the discovery of the first malware for smartphones. At present, the Cabir worm looks harmless: it does not steal money from the account, it does not steal passwords, it does not delete user data. Is that puts the battery for indecent by the standards of 2004, but it is quite acceptable in 2014 2-3 hours.
Today we will tell you how we found this virus, why we called it exactly what happened next, and how the whole story ended. However, the end of the story came only for individual characters - for example, for the Symbian platform. For everyone else - in the sense, for smartphone makers, users, and, alas, cybercriminals, everything is just beginning.
The story is zero. Actually, the whole history of the discovery of Cabir, told by the main antivirus expert at Kaspersky Lab, Alexander Gostev, in this video :
')
The first story. Everything happens at the end of the day.
I think most readers of Habr know this. Servers are in the habit of falling, bugs in software are activated, and new viruses are detected at exactly half past six. As a rule - on Friday. In June 2004, everything did not happen on Friday, but - just at the end of the shift, the team of virus analysts. On the next shift a recent “viral” e-mail file was sent with a comment “something strange”.
Later it turned out that the mysterious file was sent to many anti-virus vendors, but most seemed satisfied that it was not an executable file for Windows and it does not pose a threat to ordinary PCs. Roman Kuzmenko, who replaced him, rather quickly found out that this is a program for the ARM architecture and for the Symbian Series 60 platform, which at that time was only two years old.
File analysis continued, and in the meantime, a full-scale search operation was launched in the “Laboratory”. They were looking for Symbian phones, and since the smartphones were still new, and they were expensive (the first Nokia 7650 smartphone cost about 600 euros), this phone didn’t show up right away.
While searching for phones (the legend says that even messengers were sent to the nearest radio market), it became clear that you cannot do with a single smartphone, you need two: to confirm in practice the fact of self-propagation of the worm via Bluetooth. Here we must pay tribute to Roman: he conducted the analysis of a completely new program on an unfamiliar platform fairly quickly, and predicted key features of the virus even before launching on real devices. Six months earlier, when summing up the results of 2003, Alexander Gostev predicted that mobile viruses would appear very soon. Actually, that's how it happened.
The second story. Why did Cabir be called Cabir?
In fact, almost all malicious programs are somehow or other named by their anonymous (often) author. In the case of Cabir, the name could simply be taken from the file name: caribe.sis. But by tacit agreement, they never do that. Well, firstly, the same virus can spread under different names (at the same time it is necessary to observe the classification). Secondly, virus writers should not be encouraged by distributing their own names: some public figures are breeding contagion just to get their five minutes of fame using anti-virus vendors.
Moreover, in most cases, the final name still has something in common with the creative impulses of virus writers. It happened in the case of Cabir, but the matter was not limited to a simple transposition of letters. In the midst of disputes about the name of the first smartphone worm, an employee of the company, Elena Kabirova, came to the Virlab. Evgeny Kaspersky, noticing her, immediately offered to name the malicious program in her honor, to which Elena favorably answered with consent (but first clarified that the event is really important, it does not happen every day).
The third story. Iron room and a collection of devices.
So, the first worm for smartphones was successfully found. The world has learned that not all files sent to the phone are equally useful, and that viruses can now be sent not only via the Internet and flash drives, but also, almost like a flu, by airborne droplets . Despite the fact that Cabir was transmitted only via Bluetooth, and could infect another smartphone only within a radius of 10 meters, there are a couple of epidemics on his account. Most often this happened in crowded places, for example, in August 2005, a wave of infections passed through the stadium in Helsinki during the World Athletics Championship.
But what to say, even in the Moscow metro, you could get a message with a malicious attache. The relative "popularity" of Cabir was also promoted by the publication of source codes by the creators - a group known in narrow circles under the code name 29A. Due to this in our database there are as many as 18 modifications of the worm created by followers. They practically do not differ from each other, except that Cabir.k, which appeared in April 2005, used to distribute MMS messages (remember these?), Causing a real loss to the owner of an infected smartphone.
So where does the iron room? The study of Cabir modifications, as well as similar malware, led to local incidents in the “Laboratory”. Imagine: a virus analyst launches the next version of the worm on a test smartphone, and on the floor below, the developers of the mobile antivirus suddenly receive an invitation to accept the file. There was a need for an isolated area for experiments. As a result, a room appeared in Kaspersky Lab in which the cellular network and WiFi were not caught, and where it was possible torest in silence to experience a new virus without risking infecting colleagues' phones.
Thanks to Cabir, we have a constantly growing collection of mobile devices. One of the first was the Nokia 3650 smartphone:
That one! The truth is already inanimate. In addition to the dubious privilege of the second in the history of the Nokia smartphone, this phone is also remembered by an incredibly inconvenient keyboard.
And Nokia N-Gage:
With a more modern version of the software, the phone still clarifies - are you saying, sure that you want to install it is not clear what? However, many later Trojans for smartphones and conventional mobile phones survived at the expense of users who answer yes to any such question. The advantage of this phone was the opportunity to play good mobile games for that time. Minus - the need to put the phone to your ear butt during a conversation, likening yourself to Cheburashka-Van-Gogh.
Fourth story. Not a single bluetooth.
Although the method of distribution via Bluetooth was original, it did not last long. First, there were smartphone viruses that spread themselves in the address book via MMS, then there was a long-term epidemic of SMS sending to paid numbers (and this already brought income to the cybercriminal), and then all the malicious activity finally went to the Internet - so faster, more reliable, and the radius of nothing is not limited. The very “iron room” for a relatively short time was a favorite place for our experts to meditate: they didn’t transport it to the new office, there was no point.
True, there was one exception. This Flame is the most sophisticated cyber espionage tool we discovered in 2012. The module that uses Bluetooth, it is not the main, but the possibilities are interesting. First, it collects information about available devices (in the same way you can find out the model of a smart TV and laptop / smartphone in a neighbor’s apartment). Secondly, Flame can turn a Bluetooth module into a kind of beacon, signaling to someone who is aware of the presence of a nearby infected computer.
The fifth story. The rise and fall of Symbian-malware and the onset of a bright (?!) Future.
Over the entire history of observations, Kaspersky Lab has recorded 621 modifications of malware for Symbian. That is, if we take malware that differs from each other in terms of functionality, and not just the name and icon. And this is, in fact, a bit. Until about mid-2008, almost all new products by cybercriminals (and various virus writer enthusiasts) threatened only owners of Symbian smartphones. Then the situation changed. First, Nokia, as the main manufacturer of devices on this platform, has begun to take action. There were, for example, digital signatures for programs (many remember how much headache they brought to users). Secondly, it suddenly turned out that it was much more profitable to write viruses for platform-independent Java ME. Potential victims of Java malware turned out to be many more people - owners of regular phones. But smartphones were also exposed - at least those that supported Java. Double punch!
In August 2010, an entry for the first Android malware appears in our database. Actually, this is now the main goal of cybercriminals: we have information about more than 370 thousand modifications of malicious programs for this platform. Compare with a measly hundreds on Symbian.
The latest Symbian phone was released in 2012. The platform, fortunately, or unfortunately, is dead. If Cabir was the first malware for Nokia smartphones, then who will be the last? They appear occasionally and now. The last more or less unique malware was detected on May 6, 2014 — it was a rather common Trojan that sends SMS to premium numbers and hides response messages from the user. Between the discovery of the last and the penultimate , by the way, about 8 months passed.
However, for mobile devices, everything is just beginning. Despite the fact that in the first couple of years since the discovery of Cabir, the number of new viruses was relatively small, they rapidly improved. In two years, the same stages of development (from the simplest viruses to the most complex) were completed, which took about 20 years on personal computers. For 10 years, mobile malware “learned” to steal money from a user's account and passwords, hack online banking and steal SMS from one-time passwords, finally (recently) - encrypt user data and extort money . What will happen next - we'll see. But already now, 10 years later, it is noticeable how harmless the “firstborn” was. Created by altruistic virus writers for the love of art, it only encroaches on the battery of a smartphone, but not on the owner's money. A funny creation from the era before last - when smartphones were different and with real,warm and lamp buttons.
Did you come across Cabir?
Today we will tell you how we found this virus, why we called it exactly what happened next, and how the whole story ended. However, the end of the story came only for individual characters - for example, for the Symbian platform. For everyone else - in the sense, for smartphone makers, users, and, alas, cybercriminals, everything is just beginning.
The story is zero. Actually, the whole history of the discovery of Cabir, told by the main antivirus expert at Kaspersky Lab, Alexander Gostev, in this video :
')
The first story. Everything happens at the end of the day.
I think most readers of Habr know this. Servers are in the habit of falling, bugs in software are activated, and new viruses are detected at exactly half past six. As a rule - on Friday. In June 2004, everything did not happen on Friday, but - just at the end of the shift, the team of virus analysts. On the next shift a recent “viral” e-mail file was sent with a comment “something strange”.Later it turned out that the mysterious file was sent to many anti-virus vendors, but most seemed satisfied that it was not an executable file for Windows and it does not pose a threat to ordinary PCs. Roman Kuzmenko, who replaced him, rather quickly found out that this is a program for the ARM architecture and for the Symbian Series 60 platform, which at that time was only two years old.
File analysis continued, and in the meantime, a full-scale search operation was launched in the “Laboratory”. They were looking for Symbian phones, and since the smartphones were still new, and they were expensive (the first Nokia 7650 smartphone cost about 600 euros), this phone didn’t show up right away.
While searching for phones (the legend says that even messengers were sent to the nearest radio market), it became clear that you cannot do with a single smartphone, you need two: to confirm in practice the fact of self-propagation of the worm via Bluetooth. Here we must pay tribute to Roman: he conducted the analysis of a completely new program on an unfamiliar platform fairly quickly, and predicted key features of the virus even before launching on real devices. Six months earlier, when summing up the results of 2003, Alexander Gostev predicted that mobile viruses would appear very soon. Actually, that's how it happened.
The second story. Why did Cabir be called Cabir?
In fact, almost all malicious programs are somehow or other named by their anonymous (often) author. In the case of Cabir, the name could simply be taken from the file name: caribe.sis. But by tacit agreement, they never do that. Well, firstly, the same virus can spread under different names (at the same time it is necessary to observe the classification). Secondly, virus writers should not be encouraged by distributing their own names: some public figures are breeding contagion just to get their five minutes of fame using anti-virus vendors.Moreover, in most cases, the final name still has something in common with the creative impulses of virus writers. It happened in the case of Cabir, but the matter was not limited to a simple transposition of letters. In the midst of disputes about the name of the first smartphone worm, an employee of the company, Elena Kabirova, came to the Virlab. Evgeny Kaspersky, noticing her, immediately offered to name the malicious program in her honor, to which Elena favorably answered with consent (but first clarified that the event is really important, it does not happen every day).
The third story. Iron room and a collection of devices.
So, the first worm for smartphones was successfully found. The world has learned that not all files sent to the phone are equally useful, and that viruses can now be sent not only via the Internet and flash drives, but also, almost like a flu, by airborne But what to say, even in the Moscow metro, you could get a message with a malicious attache. The relative "popularity" of Cabir was also promoted by the publication of source codes by the creators - a group known in narrow circles under the code name 29A. Due to this in our database there are as many as 18 modifications of the worm created by followers. They practically do not differ from each other, except that Cabir.k, which appeared in April 2005, used to distribute MMS messages (remember these?), Causing a real loss to the owner of an infected smartphone.
So where does the iron room? The study of Cabir modifications, as well as similar malware, led to local incidents in the “Laboratory”. Imagine: a virus analyst launches the next version of the worm on a test smartphone, and on the floor below, the developers of the mobile antivirus suddenly receive an invitation to accept the file. There was a need for an isolated area for experiments. As a result, a room appeared in Kaspersky Lab in which the cellular network and WiFi were not caught, and where it was possible to
Thanks to Cabir, we have a constantly growing collection of mobile devices. One of the first was the Nokia 3650 smartphone:
That one! The truth is already inanimate. In addition to the dubious privilege of the second in the history of the Nokia smartphone, this phone is also remembered by an incredibly inconvenient keyboard.
And Nokia N-Gage:
With a more modern version of the software, the phone still clarifies - are you saying, sure that you want to install it is not clear what? However, many later Trojans for smartphones and conventional mobile phones survived at the expense of users who answer yes to any such question. The advantage of this phone was the opportunity to play good mobile games for that time. Minus - the need to put the phone to your ear butt during a conversation, likening yourself to Cheburashka-Van-Gogh.
Fourth story. Not a single bluetooth.
Although the method of distribution via Bluetooth was original, it did not last long. First, there were smartphone viruses that spread themselves in the address book via MMS, then there was a long-term epidemic of SMS sending to paid numbers (and this already brought income to the cybercriminal), and then all the malicious activity finally went to the Internet - so faster, more reliable, and the radius of nothing is not limited. The very “iron room” for a relatively short time was a favorite place for our experts to meditate: they didn’t transport it to the new office, there was no point.
True, there was one exception. This Flame is the most sophisticated cyber espionage tool we discovered in 2012. The module that uses Bluetooth, it is not the main, but the possibilities are interesting. First, it collects information about available devices (in the same way you can find out the model of a smart TV and laptop / smartphone in a neighbor’s apartment). Secondly, Flame can turn a Bluetooth module into a kind of beacon, signaling to someone who is aware of the presence of a nearby infected computer.
The fifth story. The rise and fall of Symbian-malware and the onset of a bright (?!) Future.
Over the entire history of observations, Kaspersky Lab has recorded 621 modifications of malware for Symbian. That is, if we take malware that differs from each other in terms of functionality, and not just the name and icon. And this is, in fact, a bit. Until about mid-2008, almost all new products by cybercriminals (and various virus writer enthusiasts) threatened only owners of Symbian smartphones. Then the situation changed. First, Nokia, as the main manufacturer of devices on this platform, has begun to take action. There were, for example, digital signatures for programs (many remember how much headache they brought to users). Secondly, it suddenly turned out that it was much more profitable to write viruses for platform-independent Java ME. Potential victims of Java malware turned out to be many more people - owners of regular phones. But smartphones were also exposed - at least those that supported Java. Double punch!
In August 2010, an entry for the first Android malware appears in our database. Actually, this is now the main goal of cybercriminals: we have information about more than 370 thousand modifications of malicious programs for this platform. Compare with a measly hundreds on Symbian.
The latest Symbian phone was released in 2012. The platform, fortunately, or unfortunately, is dead. If Cabir was the first malware for Nokia smartphones, then who will be the last? They appear occasionally and now. The last more or less unique malware was detected on May 6, 2014 — it was a rather common Trojan that sends SMS to premium numbers and hides response messages from the user. Between the discovery of the last and the penultimate , by the way, about 8 months passed.
However, for mobile devices, everything is just beginning. Despite the fact that in the first couple of years since the discovery of Cabir, the number of new viruses was relatively small, they rapidly improved. In two years, the same stages of development (from the simplest viruses to the most complex) were completed, which took about 20 years on personal computers. For 10 years, mobile malware “learned” to steal money from a user's account and passwords, hack online banking and steal SMS from one-time passwords, finally (recently) - encrypt user data and extort money . What will happen next - we'll see. But already now, 10 years later, it is noticeable how harmless the “firstborn” was. Created by altruistic virus writers for the love of art, it only encroaches on the battery of a smartphone, but not on the owner's money. A funny creation from the era before last - when smartphones were different and with real,
Did you come across Cabir?
Source: https://habr.com/ru/post/226397/
All Articles