Report on mobile phone virus and worm
MOBILE CELL PHONE VIRUS AND WORM
A Seminar Report
Submitted by: SANGAY GYELSTHEN (ECE2009078)
Electronics and Communication Engineering, College of Science and Technology, Rinchending, Phuentsholing, May 2012
ABSTRACT
This is the project report for "Mobile Cell Phone Worms and Viruses". We begin by examining what mobile worms and viruses are and how they differ from their PC counterparts; this report refers to such malicious software for mobile devices as mobile malware. The ways in which mobile malware spreads and the effects it has are enumerated, and the risks and threats it poses and the preventive measures against it are elaborated. Case studies of three widespread and important mobile malware families, Cabir, ComWar and CardTrap, are presented.
Mobile devices are attractive targets for several reasons. They are well connected, often incorporating several means of wireless communication: they are typically capable of Internet access for Web browsing, e-mail, instant messaging and applications similar to those on PCs, and they may also communicate over cellular networks, wireless LAN, short-range Bluetooth and short/multimedia messaging (SMS/MMS). Malware for mobile devices is still relatively rare: only a small number of malware families have been seen for wireless devices, and malware is not yet a prominent threat in wireless networks. Because the perceived risk is low, mobile devices have minimal security defences. Another reason is the limited processing capacity of mobile devices: whereas desktop PCs have fast processors and virtually unlimited mains power, mobile devices have less computing power and limited battery capacity, which also constrains the defences that can run on them. In addition, mobile devices were not designed with security in mind; for example, they lack an encrypting file system. Finally, there is a risk that mobile users have a false sense of security: physically, mobile devices feel more personal because they are carried everywhere.
ACKNOWLEDGEMENT
I would like to offer my heartfelt gratitude to the Royal University of Bhutan for offering such valuable opportunities in the college. Secondly, I would like to acknowledge the College of Science and Technology and the lecturers for providing me this chance to carry out the technical seminar on mobile phone viruses and worms, which seem to be the concern of all the people of the world at this particular stage of technology. I would also like to appreciate the college management for providing me with basic necessities like library facilities and access to the Internet, which were a major factor in bringing my seminar to this stage. I am very thankful to our seminar coordinator, Sir Tashi, lecturer in the Department of Electronics and Communication, for all his effort and hard work in helping us carry out the seminar. I would like to thank Sir Sonam Norbu (IIR) for accepting my proposal and giving this valuable support and feedback, without whom my seminar would not have reached this stage. Finally, I would like to thank all my friends for their tremendous support, which really helped me carry out my seminar successfully.
TABLE OF CONTENTS
Abstract
Acknowledgement
Table of Contents
List of Abbreviations
Introduction
1. DEFINITION OF VARIOUS TERMS
   1.1 VIRUS
   1.2 WORMS
   1.3 TROJAN HORSES
   1.4 MOBILE PHONE VIRUS
2. MOTIVATION FOR CREATING VIRUSES
3. CHARACTERISTICS OF VIRUSES
4. CATEGORIES OF WORMS
5. VIRUS/WORM TYPES OVERVIEW
6. A SURVEY OF CURRENT MOBILE MALWARE
   6.1 CLASSIFICATION
7. ATTACK VECTORS FOR MOBILE MALWARE
8. HARM CAUSED BY MOBILE MALWARE
9. PROTECTION AND PREVENTION MECHANISMS
   9.1 COMMON PROTECTION AGAINST MOBILE MALWARE
10. MOSES
11. NETWORK PROACTIVE APPROACH
12. CASE STUDY
   12.1 CABIR
   12.2 COMWAR
   12.3 CARDTRAP
13. DIFFERENCES BETWEEN MOBILE VIRUSES AND PC VIRUSES
14. CONCLUSION
15. REFERENCES
LIST OF FIGURES
Figure 7.1: Attack vectors
Figure 7.2: Attack vector through Bluetooth
Figure 10.1: Case study for mobile malware
Figure 10.2.1: ComWar through Bluetooth
LIST OF ABBREVIATIONS
Sl. No.   Term     Description
1         PC       Personal computer
2         PDA      Personal digital assistant
3         WiFi     Wireless fidelity
4         SMS      Short message service
5         MMS      Multimedia message service
6         SMTP     Simple mail transfer protocol
7         IDS      Intrusion detection system
8         SMB      Server Message Block
9         CIFS     Common Internet File System
10        TCP/IP   Transmission control protocol / Internet protocol
11        SOS      Symbian operating system
12        MOSES    Mobile security processing system
Introduction
All of us are familiar with cell phones. The use of cell phones to access the Internet and to share executable files has increased, and with the growing number of functions the amount of personal data at risk is high. With the growth of smart phones, mobile phones with Internet connectivity that work like a hand-held computer, phone users have also seen the advent of the mobile phone virus. If not handled properly, it may prove fatal to our privacy. It is not just PCs that are vulnerable to virus attacks these days: we now have to protect our phones and PDAs (personal digital assistants) from phone viruses too. Advanced mobile phones run the same kind of applications as desktop and laptop computers, and they have multiple wireless connections, so they too can be infected by mobile phone viruses and spread them. According to the surveys this report draws on, there are about 100 mobile viruses that can disable a phone or run up bills of hundreds of dollars by sending pricey picture messages, and the first mobile virus spreading "in the wild" emerged less than two years before those surveys. While this is still a tiny number compared with personal computer viruses, the threat is expected to increase.
The basic organisation of the report is as follows. The next section gives the definitions of computer virus, worm, Trojan horse and mobile virus, followed by the basic characteristics of a virus, the categories of worms, where the different forms of worm are explained in a broad sense, and an overview of virus/worm types. Attack vectors, the harm caused by mobile malware and the protective measures follow. Case studies of the mobile malware Cabir, ComWar and CardTrap are also presented.
1. DEFINITION OF VARIOUS TERMS
1.1 VIRUS
A virus is a self-replicating program. Some definitions add the constraint that it must attach itself to a host program in order to replicate. Viruses usually require a host, and their goal is to infect other files so that the virus survives longer. Some viruses perform destructive actions, although this is not necessarily the case, and many try to hide from discovery. A virus might rapidly infect every file on an individual computer or slowly infect the documents on it, but it does not by itself try to spread from the infected computer to others. In most cases that is where humans come in: we send documents as e-mail attachments, trade programs on diskettes, or copy files to file servers, and when the next unsuspecting user opens the infected file or disk, the virus spreads to their computer, and so on.
1.2 WORMS
Worms are insidious because they rely less (or not at all) on human behaviour to spread from one computer to others. A computer worm is a program designed to copy itself from one computer to another over some network medium: e-mail, TCP/IP services, and so on. A worm is more interested in infecting as many machines as possible on the network and less interested in placing many copies of itself on a single computer (as a virus does). The prototypical worm infects (or causes its code to run on) a target system only once; after the initial infection it attempts to spread to other machines on the network.
1.3 TROJAN HORSES
A Trojan horse is a program that pretends to be useful but performs some unwanted action. Most Trojans act when they are run; some destroy the structure of the current drive (FATs, directories, etc.), obliterating themselves in the process. A Trojan does not require a host and does not replicate. A special type is the backdoor Trojan, which does nothing overtly destructive but leaves the computer open to remote control and unauthorised access [1].
1.4 MOBILE PHONE VIRUS
A mobile virus is an electronic virus that targets mobile phones or wireless-enabled PDAs. As wireless phone and PDA networks become more numerous and more complex, it has become harder to secure them against electronic attacks in the form of viruses or other malicious software (malware). Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. A mobile phone virus is a computer virus specifically adapted to the cellular environment and designed to spread from one vulnerable phone to another. Although mobile phone virus hoaxes have been around for years, the so-called Cabir virus is the first verified example.
2. MOTIVATION FOR CREATING VIRUSES
Viruses are written for a variety of reasons:
• Curiosity
• Challenge
• To gain wider attention
• Some new anti-virus companies want to enter a new market [2]
3. CHARACTERISTICS OF VIRUSES
The following are some characteristics of viruses:
i. Size - The program code required for a computer virus is very small.
ii. Versatility - Computer viruses have appeared with the ability to attack a wide variety of applications generically.
iii. Propagation - Once a virus has infected a program, the virus is able, while that program is running, to spread to other programs and files accessible to the computer system.
iv. Effectiveness - Many computer viruses have far-reaching and catastrophic effects on their victims, including total loss of data, programs and even the operating system.
v. Functionality - A wide variety of functions has been demonstrated in virus programs. Some merely spread themselves to applications without attacking data files, program functions or operating system activities; others are programmed to damage or delete files, and even to destroy systems.
vi. Persistence - In many cases, especially in networked operation, eradication of a virus is complicated by its ability to repeatedly spread and recur throughout the networked system from a single remaining copy [1].
4. CATEGORIES OF WORMS
Worms are broadly categorised into three types:
i. E-mail (and other application) worms - When executed on a local system, these take advantage of the user's e-mail capabilities to send themselves to others. The first e-mail worm was seen in 1987, the Christmas tree Trojan horse. Early examples used the local mail programs on a compromised machine to send copies of themselves to one or more addresses; later e-mail worms carried their own SMTP engines so that they were not (as) dependent on the mail capabilities of the compromised machine, and soon afterwards they started spoofing mail headers.
ii. Windows file-sharing worms - These take advantage of the Microsoft Windows peer-to-peer file-sharing service that is enabled whenever Windows detects networking hardware in a system. It uses the Server Message Block (SMB) protocol, and sometimes the Common Internet File System (CIFS), which was originally designed for trusted workgroups. File-sharing worms are rarely seen in isolation; they are usually combined with other attacks, and a well-configured firewall can stop file sharing from leaving the organisation. Their numbers have grown over the past two years.
iii. Traditional worms - These do not require user intervention. They typically use direct connections over TCP/IP-based protocols to exploit vulnerabilities in operating systems and applications. Historically most traditional worms exploited Unix-based operating systems such as Linux; more recently they have targeted Microsoft operating systems. They exploit vulnerabilities to propagate, and the time between the announcement of a vulnerability and its exploitation by a worm has been shrinking [1].
5. VIRUS/WORM TYPES OVERVIEW
These are the main categories of viruses and worms:
i. Binary file viruses and worms - File viruses infect executables (program files) and can infect over networks; they are normally written in machine code. File worms are also written in machine code, but instead of infecting other files they focus on spreading to other machines.
ii. Binary stream worms - Stream worms are a group of network-spreading worms that never manifest as files. Instead they travel from computer to computer as pieces of code that exist only in memory.
iii. Script file viruses and worms - A script virus is technically a file virus, but script viruses are written as human-readable text. Since computers cannot execute text instructions directly, the text first has to be translated into machine code; this process is called interpretation and is performed by a separate program on the computer.
iv. Macro viruses - Macro viruses infect data files, or files that are normally perceived as data files, such as documents and spreadsheets. Just about anything that can be done with ordinary programs on a computer can be done with macro instructions. Macro viruses are common nowadays and can infect over the network.
v. Boot viruses - The first known successful computer viruses were boot sector viruses; today they are rarely seen. They infect the boot sectors of hard drives and floppy disks, are independent of the operating system installed, and cannot infect over networks. They take over the boot process of personal computers: because most computers do not hold an operating system in read-only memory (ROM), they must load it from somewhere else, such as a disk or the network (via a network adapter), and a boot virus inserts itself into that loading path.
vi. Multipartite viruses - Multipartite viruses infect both executable files and boot sectors, or executables and data files. They cannot infect over networks [1].
6. A SURVEY OF CURRENT MOBILE MALWARE
6.1 CLASSIFICATION
As with any population made up of many types, a taxonomy is needed to assign individual specimens to their classes. The following was found to be the best way of classifying mobile malware. The classification is structured on three characteristics:
• Behaviour: Mobile malware can be classified by the way it behaves, for example whether it propagates like a virus or a worm, or whether it opens backdoors for attackers, like a Trojan.
• Environment: Another characteristic is the type of operating system that the mobile malware has been designed to infect and spread on. This also includes any vulnerable applications that the malware exploits.
• Family name and variant: Some malware are variants of existing specimens. This characteristic records whether the mobile malware is a completely new entity or has been built on a previously existing one [4].
7. ATTACK VECTORS FOR MOBILE MALWARE
Figure 7.1: Attack vectors
Currently known mobile malware uses the following attack vectors:
Bluetooth: Many mobile devices can communicate with other devices over short range using Bluetooth. Some mobile malware exploits Bluetooth to spread; other specimens disguise themselves as legitimate applications (Trojans) and offer themselves to every device within Bluetooth range. The latter prompt the user to install the application, and once the user accepts, the malware does its damage. The first known mobile malware, Cabir, spread through Bluetooth. Malware that spreads through Bluetooth can only reach devices within Bluetooth range (typically a few metres); however, it can still spread rapidly across many devices where Bluetooth-enabled devices are densely packed. Such an outbreak was reported at the World Athletics Championships in Helsinki in 2005, where a large number of people in the stadium had their devices infected with Cabir very rapidly.
Figure 7.2: Attack Vector through Bluetooth
SMS, MMS, WiFi: Some mobile malware spreads through SMS, MMS or WiFi. Most such specimens send SMS or MMS messages to other phones and attach themselves to the message; ComWar, for example, spreads through MMS. Malware that spreads through SMS or MMS can cover far larger areas, because the only limit on spreading across continents is the balance left in the user's mobile phone account. Worms that exploit vulnerabilities in WiFi could also infect WiFi-capable mobile devices.
Vulnerabilities in the operating system: Vulnerabilities exist in the operating systems used by mobile devices. Symbian OS (SOS), the operating system on most Nokia smart phones, has several vulnerabilities whose exploitation can make the phone work slowly or even crash. Microsoft Windows Mobile 2003 is the other popular operating system used on mobile devices, and it also suffers from vulnerabilities. It is worth mentioning that several phones (some by Motorola and Samsung) use Linux or a variant of it as the operating system [3].
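The two spreading patterns described above (range-limited Bluetooth push versus address-book MMS fan-out) can be compared in a toy propagation model. The following is an added example written for this report, not code from any of the cited sources or from the malware itself. Everything in it is constructed: handsets sit on a square grid in arbitrary distance units, Bluetooth reaches every handset within a fixed radius (Cabir actually only targets the first device it finds, so this is an upper bound on its speed), MMS reaches the handset's whole contact list regardless of distance, and every recipient is assumed to accept and install the file, which in reality requires the user to click through a prompt.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    """A handset in the toy model: a position (arbitrary distance units) and
    an address book holding indices of other devices. Constructed input."""
    x: float
    y: float
    contacts: list = field(default_factory=list)


def make_grid(n, spacing):
    """n x n handsets on a square grid; index = row * n + column."""
    return [Device(r * spacing, c * spacing) for r in range(n) for c in range(n)]


def make_ring_contacts(devices, k):
    """Give every handset an address book of the next k handsets (by index),
    wrapping around, so the contact graph ignores physical distance."""
    n = len(devices)
    for i, d in enumerate(devices):
        d.contacts = [(i + j) % n for j in range(1, k + 1)]
    return devices


def _in_range(a, b, radius):
    return (a.x - b.x) ** 2 + (a.y - b.y) ** 2 <= radius ** 2


def bluetooth_spread(devices, seed, radius, max_steps=1000):
    """Cabir-style vector: each step, every infected handset pushes its
    package to every handset within `radius` (an upper bound on Cabir, which
    only targets the first device found). Returns the number of infected
    handsets after each step, starting with the seed alone."""
    infected = {seed}
    history = [1]
    for _ in range(max_steps):
        new = {j for i in infected for j, d in enumerate(devices)
               if j not in infected and _in_range(devices[i], d, radius)}
        if not new:
            break
        infected |= new
        history.append(len(infected))
    return history


def mms_spread(devices, seed, max_steps=1000):
    """ComWar-style vector: each step, every infected handset sends itself to
    its whole address book; distance is irrelevant."""
    infected = {seed}
    history = [1]
    for _ in range(max_steps):
        new = {j for i in infected for j in devices[i].contacts if j not in infected}
        if not new:
            break
        infected |= new
        history.append(len(infected))
    return history


if __name__ == "__main__":
    # Dense crowd (spacing 1, radius 1.5): the whole grid is reachable.
    print("stadium  :", bluetooth_spread(make_grid(10, 1.0), 0, 1.5))
    # Sparse crowd (spacing 20, radius 10): nobody is in range, no spread.
    print("sparse   :", bluetooth_spread(make_grid(10, 20.0), 0, 10.0))
    # Same sparse crowd, but each handset has 2 contacts: MMS reaches all.
    print("mms ring :", mms_spread(make_ring_contacts(make_grid(10, 20.0), 2), 0))
```

Run stand-alone it prints three histories: the dense grid is fully infected after nine steps, the sparse grid never gets past the seed, and the MMS ring reaches every handset in the sparse grid anyway. The densities, radius and contact count are parameters; the point the model makes is that the Bluetooth vector is bounded by physical density while the MMS vector is bounded only by address-book size and the victim's credit.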
8. HARM CAUSED BY MOBILE MALWARE
Current mobile malware is capable of causing the following harm to an infected device or its user:
• Financial loss to the user: initiating unnecessary calls or sending SMS or MMS messages, and sending private information (such as contacts or address-book entries) to a predefined phone number
• Battery drain from continuous Bluetooth scanning while trying to spread
• Making the device work slowly or crash
• Infecting files (attaching its code to application .sis files)
• Modifying or replacing icons or system applications
• Wiping out information (such as address books) on the infected device
• Installing bogus applications on the device
• Allowing remote control of the device [3]
9. PROTECTION AND PREVENTION MECHANISMS
9.1 COMMON PROTECTION AGAINST MOBILE MALWARE
Keeping the device in non-discoverable Bluetooth mode: Leaving a Bluetooth-enabled mobile device in discoverable mode exposes it to mobile malware and to attackers who exploit documented vulnerabilities in Bluetooth, so it is best to turn off Bluetooth discoverability (or Bluetooth altogether when it is not needed).
Installing anti-virus / IDS software on the mobile device: Vendors such as Trend Micro sell anti-virus software and intrusion detection systems (IDS) for mobile devices. Installing these can protect the device from known malware; note that signature-based products only recognise malware already in their database.
Installing firmware updates when they are made available: Mobile device manufacturers release updates to the firmware of their devices. These may contain patches for the vulnerabilities that mobile malware exploits, so upgrading to new firmware can reduce the risk of infection.
Exercising caution when installing applications from untrusted sources: As with PC viruses, it is best not to install applications or download other software from untrusted sources. Both Cabir and ComWar still need the user to accept the incoming file and confirm the installation, so refusing unexpected installation prompts stops them.
Filtering out malware at the service provider: MMS messages carrying a malicious payload can be detected at the service provider by their signatures and filtered out there, before they reach a handset.
The ways in which mobile devices can be attacked are limited only by what the technology permits, so strong protective measures are needed. The protection mechanisms can be broadly classified by the requirements of the protection system:
System-level security (MOSES architecture): aims to make the system more secure by restricting the execution of unauthorised applications.
Network-level security (proactive approach): aims to provide a basis for filtering out malware transiting the network between devices.
10. MOSES
MOSES stands for Mobile Security Processing System and was developed by Anand Raghunathan and his team at NEC Labs. MOSES was designed to address the following challenges:
• the performance gap between security processing requirements and the processing capability of the device;
• the limited battery life of mobile devices;
• eliminating the various types of attack that can be launched against the security implementation itself.
In the MOSES approach, security processing runs on a device separate from the main processor, which amounts to a large jump in security: if the main processor is compromised, the attacker still does not have access to the stored passwords and encryption keys that would be needed to reach further information [4].
11. NETWORK PROACTIVE APPROACH
The usual protection measure in an insecure environment is the search-and-destroy methodology, better known as the reactive approach. Under this principle we build a database of known virus signatures and then analyse network traffic for their presence. This works when network penetration is large but network speed is slow: by the time a virus reaches critical mass and begins to cause chaos, the scanners are already able to pick it up. Today's high-speed networks let malware reach critical mass within a few hours, so a purely reactive approach fails. In that light, a proactive approach, one that does not wait for a signature of each new specimen before acting, is better suited to the problem [4].
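The two filtering styles discussed in section 9.1 (signature matching at the service provider) and in this section (reactive versus proactive) can be put side by side in one small provider-side MMS filter. The following is an added example written for this report, not code from the cited papers or from any operator's equipment. The message structure, the signature database (a hash of a placeholder byte string, not of any real worm) and the fan-out threshold are all constructed, and the behavioural rule, flagging a sender that pushes the same attachment to more than ten distinct recipients within a minute, is an assumed stand-in for whatever proactive method [4] has in mind; it is chosen because an address-book worm like ComWar behaves exactly that way.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class MmsMessage:
    """Constructed stand-in for the fields a provider sees on an MMS."""
    sender: str
    recipient: str
    timestamp: int          # seconds
    attachment_name: str
    attachment: bytes


def digest(data):
    return hashlib.sha256(data).hexdigest()


# --- Reactive check: a signature database of known worm packages ----------
# CONSTRUCTED: the "known" sample is a placeholder byte string, not a worm.
KNOWN_WORM = b"placeholder stand-in for a worm .sis archive, version 1"
SIGNATURES = {digest(KNOWN_WORM): "Worm.SymbOS.Placeholder.a"}


def signature_match(msg):
    """Name of the known worm whose digest matches, or None."""
    return SIGNATURES.get(digest(msg.attachment))


# --- Proactive check: fan-out of one attachment from one sender -----------
class FanOutMonitor:
    """Flags a sender that pushes the same attachment to more than
    `max_recipients` distinct recipients within `window` seconds. Assumed
    heuristic, not the cited paper's method: an address-book worm does
    exactly this and ordinary users rarely do."""

    def __init__(self, max_recipients=10, window=60):
        self.max_recipients = max_recipients
        self.window = window
        self.events = defaultdict(list)   # (sender, digest) -> [(ts, recipient)]

    def observe(self, msg):
        key = (msg.sender, digest(msg.attachment))
        cutoff = msg.timestamp - self.window
        recent = [e for e in self.events[key] if e[0] >= cutoff]
        recent.append((msg.timestamp, msg.recipient))
        self.events[key] = recent
        return len({r for _, r in recent}) > self.max_recipients


def filter_mms(messages, monitor=None):
    """One verdict per message: 'deliver', 'block:signature:<name>' or
    'block:fanout'. The exact, cheap signature check runs first; the
    behavioural check catches variants the database does not know."""
    monitor = monitor or FanOutMonitor()
    verdicts = []
    for msg in messages:
        name = signature_match(msg)
        if name:
            verdicts.append(f"block:signature:{name}")
        elif monitor.observe(msg):
            verdicts.append("block:fanout")
        else:
            verdicts.append("deliver")
    return verdicts


def build_sample_traffic():
    """CONSTRUCTED traffic: one known worm, a repacked variant mass-mailed
    to twelve contacts within 12 seconds, and a photo sent to three friends."""
    variant = KNOWN_WORM + b" (repacked variant unknown to the database)"
    photo = b"JFIF placeholder bytes"
    traffic = [MmsMessage("+10000000001", "+10000000002", 0, "update.sis", KNOWN_WORM)]
    traffic += [MmsMessage("+10000000003", f"+1000000{100 + i:04d}", i, "update.sis", variant)
                for i in range(1, 13)]
    traffic += [MmsMessage("+10000000004", f"+1000000{200 + i:04d}", 20 + i, "beach.jpg", photo)
                for i in range(3)]
    return traffic


if __name__ == "__main__":
    for msg, verdict in zip(build_sample_traffic(), filter_mms(build_sample_traffic())):
        print(f"{msg.sender} -> {msg.recipient} {msg.attachment_name:12s} {verdict}")
```

Running it shows the difference: the known sample is stopped by its signature, but the repacked variant has a new digest and passes every signature check; only the fan-out rule catches it, and only from the eleventh recipient onward. Tune the threshold and window against real traffic before deploying anything like this; a group MMS to family is legitimate, and a low threshold turns the filter into a denial of service.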
12. CASE STUDY
In this section we look at case studies of some of the important and widespread mobile phone malware.
Figure 10.1: Case study for mobile malware.
12.1 CABIR
Cabir, first detected in June 2004, is the first network worm capable of spreading through Bluetooth. It was proof-of-concept code developed by the group 29A, intended to demonstrate how Bluetooth could be used to spread worms. It infects mobile phones running Symbian OS, so any such handset is potentially vulnerable; examples include the Nokia 3650 and 7650. The worm itself is a file in SIS (Symbian installation) format called caribe.sis. Each time the infected phone is switched on, the worm scans for Bluetooth devices in range, selects the first one it finds and attempts to send caribe.sis to it. If the recipient accepts the file, they are asked whether they wish to launch it. The worm carries no destructive payload, since the intention was only to demonstrate Bluetooth as a spreading vector; however, because it keeps scanning for Bluetooth devices, it drains the phone's battery rapidly. Since Cabir is well documented and its code is freely available, other malicious authors built on it to develop malware that causes real damage.
12.2 COMWAR
ComWar is the second landmark in mobile malware: the first worm for mobile phones able to propagate via MMS, and therefore one that could potentially go global in minutes. It also spreads over Bluetooth. The executable worm file is packed into a Symbian installation archive (*.SIS) of approximately 27-30 KB. The file name varies: when propagating via Bluetooth the worm generates a random eight-character name, e.g. bg82os1.sis. Once launched, the worm searches for accessible Bluetooth devices and sends the infected .SIS archive under a random name to them; when the recipient confirms acceptance of the file, the phone is infected [4]. The worm also sends itself via MMS to every contact in the address book, with varying message subjects and texts. Because it messages every contact, ComWar is not a proof of concept aimed at disabling the device; its purpose is to cause financial harm by running up the user's messaging charges. Its constant scanning for active Bluetooth devices also drains the battery.
Figure 10.2.1: ComWar through Bluetooth
12.3 CARDTRAP
CardTrap is the first mobile virus found to be capable of infecting Windows PCs. Its most significant characteristic is that it also drops three Windows worms (Win32.Rays, Win32.Padobot.Z and Win32.Cydog.B) onto the device's memory card. Once the card is inserted into a PC, Padobot.Z attempts to start automatically on machines running Windows via an autorun.inf file on the card. A later virus, Crossover (2006), spreads in the opposite direction, from Windows desktop PCs to mobile devices running Windows Mobile Pocket PC. Once installed on a Windows PC, the virus makes a copy of itself and adds a registry entry pointing to the new file so that the payload is activated each time the machine is rebooted. It then waits for the application that synchronises Pocket PC devices with the infected desktop. When a connection is detected, it copies itself over to the Pocket PC device automatically, deletes all files in the documents directory, copies itself into the system directory and places a link to itself in the startup directory, just as on the PC [7].
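The CardTrap hand-off to the PC depends on an autorun.inf on the memory card pointing Windows at a dropped executable. The following is an added example written for this report, not code from the cited sources, that inspects a mounted card for that pattern: it finds autorun.inf regardless of letter case, extracts the commands Windows would run (the open and shellexecute keys and the shell\open\command verb), resolves them relative to the card root and hashes the referenced file against a signature database. The card contents, file names and the signature database (a hash of a placeholder blob, not of Padobot or any real worm) are constructed.

```python
import configparser
import hashlib
import os
import tempfile

# CONSTRUCTED signature database: the digest of a placeholder blob, not of
# Padobot or any real worm.
PLACEHOLDER_BINARY = b"MZ placeholder, not a real PE file"
KNOWN_BAD = {hashlib.sha256(PLACEHOLDER_BINARY).hexdigest(): "Win32.Placeholder"}

# autorun.inf keys whose value is something Windows would execute.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return the commands an autorun.inf asks Windows to run. The section
    name is matched case-insensitively; configparser lowercases option
    names, so the EXEC_KEYS lookup is case-insensitive too."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    return [cp[section][k] for k in EXEC_KEYS if k in cp[section]]


def command_target(command):
    """First token of a command line: a quoted path or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def inspect_card(root):
    """Look for autorun.inf on a mounted card (any letter case), resolve each
    executable it references relative to the card root, and hash that file
    against the signature database. Returns one dict per command found."""
    inf = next((os.path.join(root, f) for f in os.listdir(root)
                if f.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    with open(inf, encoding="utf-8", errors="replace") as fh:
        commands = parse_autorun(fh.read())
    findings = []
    for cmd in commands:
        target = command_target(cmd)
        parts = [p for p in target.replace("\\", "/").split("/") if p]
        path = os.path.join(root, *parts) if parts else root
        finding = {"command": cmd, "path": path, "exists": os.path.isfile(path)}
        if finding["exists"]:
            with open(path, "rb") as fh:
                finding["verdict"] = KNOWN_BAD.get(hashlib.sha256(fh.read()).hexdigest(), "unknown")
        else:
            finding["verdict"] = "missing"
        findings.append(finding)
    return findings


def build_demo_card():
    """CONSTRUCTED card image in a temporary directory: an autorun.inf that
    launches a placeholder binary from a subfolder. Returns the card root."""
    root = tempfile.mkdtemp(prefix="card_")
    os.makedirs(os.path.join(root, "drivers"))
    with open(os.path.join(root, "drivers", "update.exe"), "wb") as fh:
        fh.write(PLACEHOLDER_BINARY)
    with open(os.path.join(root, "AUTORUN.INF"), "w", encoding="utf-8") as fh:
        fh.write("[AutoRun]\nopen=drivers\\update.exe /quiet\n"
                 "icon=drivers\\update.exe,0\naction=Open folder to view files\n")
    return root


if __name__ == "__main__":
    for finding in inspect_card(build_demo_card()):
        print(finding)
```

The check is read-only, which is the point: a card from an infected phone should be examined on a machine with autorun disabled, or from a non-Windows host, before it is ever opened normally.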
13. DIFFERENCES BETWEEN MOBILE VIRUSES AND PC VIRUSES
There are a number of differences between the worlds of PC viruses and mobile viruses:
• The PC virus world is much more mature in almost every respect: anti-virus products have been around for many years, and virus-writing techniques for the PC platform are extraordinarily sophisticated.
• The number of viruses released for the PC platform vastly outnumbers the number presently being released for mobile platforms.
• The world has largely settled on a single main operating system for desktop computers, unlike the mobile world, where the battle for hearts and minds is still being waged by Symbian, Microsoft, Palm and others.
• PCs have vastly greater resources than mobile phones, which affects enormously both the viruses that can be written for mobile platforms and the anti-virus solutions that can be deployed to protect them.
• Mobile devices have a much greater variety of connectivity than PCs: a PC typically has only a LAN or dial-up connection, whereas a mobile device typically has SMS, MMS, GPRS, Bluetooth and serial/USB via cable or cradle. The many ways a mobile device can communicate has large implications for the development of both viruses and anti-virus software [6].
14. CONCLUSION
We should not accept files from unknown people without confirmation, and we should not download unknown files from the Internet. Since the advent of the Internet, computer virus hoaxes have competed with computer viruses, and the same is true of the mobile phone virus: there are hoaxes just as there are real viruses. One recent hoax had people believing that calls from Pakistan to Afghanistan would transmit an actual physical virus that could make users sick. Mainly, we need to worry about the viruses that can make our mobile phones sick, and installing an anti-virus program makes good sense, especially if we want to keep our smart phones healthy. Malware is a low-risk threat for mobile devices today, but the situation is unlikely to stay that way for long. It is evident from this review that mobile phones are attracting the attention of malware writers, a trend that will only get worse. At this point most defences are common-sense practices. The wireless industry realises that the stakes are high: two billion mobile users currently enjoy a malware-free experience, and negative experiences with new malware could have a disastrous effect. Fortunately, a range of host-based and network-based defences has been developed from experience with PC malware [2], and activities are under way in the industry to improve the protection of mobile devices before the malware problem becomes catastrophic.
15. REFERENCES
[1] H. Shravan, "Seminar Report on Study of Viruses and Worms," 2005. [Online]. Available: http://www.it.iitb.ac.in/~shravan/Seminar/report.pdf
[2] T. Chen, "Malicious Software in Mobile Devices," 2006. [Online]. Available: http://www.it.iitb.ac.in/~jeevan/courses/sem1/Mobile_Viruses_and_Worms_Presentation_[3].I6
[3] Anon., "Malicious Software in Mobile Devices," n.d. [Online]. Available: http://cosec.bit.unibonn.de/fileadmin/user_upload/teaching/10ws/10ws-sem-mobsec/talks/shekow.pdf53.pdf
[4] A. Kumar, "Mobile Worms and Viruses," 2006. [Online]. Available: http://www.it.iitb.ac.in/~jeevan/courses/sem1/Mobile_Viruses_and_Worms_Report_IT653.pdf
[5] A. Gostev, "Mobile Malware Evolution," 2012. [Online]. Available: http://www.securelist.com/en/anaysis/200119916/mobile_malware_eveolution_an_overview_part_1?print_mode=1
[6] M. A. Macovschi, "Virus on mobile phone," n.d. [Online]. Available: http://www.mobile-phone directory.org/Advice_centre/Submitted_articles/Virus_on_mobile_phone.html
[7] Anon., "Case study," 2008. [Online]. Available: http://www.slideshare.net/guestc03f28/cell-phonevirus-security-presentation