Mobile Malware on the rise

Jarno Niemelä is one of a select group of researchers who pit their wits against a small but growing number of malware authors creating one of the latest technological plagues - mobile phone viruses. Since June 2004 when the first Symbian-based malware came into being, he has witnessed the recorded number of mobile malware speed past the 100 mark.

The first definable wave of mobile malware programmes was detected on the Palm platform - notably three Trojans as early as 2000, with a handful of other so-called joke programmes attacking the Epoc platform developed by the British company Psion. Since then, palmtop devices have given way to smartphones in popularity, and mobile malware develops in step with Symbian as it deepens its global footprint.

Niemelä, who has worked as a mobile malware researcher since he joined F-Secure in 2000, points out that despite the long four-year gap between the original Palm Trojans and the first Symbian worm, Cabir, he and F-Secure have not been idle:

"We kept tabs on the situation and developed our anti-virus solution in step - we never lost the momentum and we have actively studied problems before they achieved any serious status," says Niemelä.

The first link in the new wave of mobile viruses occurred in June 2004, when the data security laboratory at F-Secure was contacted by a virus writer calling himself Vallez, who sent a sample of his handiwork directly - the now infamous Cabir worm.

Niemelä states that the virus writer was boastful about his work - a common trait among his other 'colleagues' in the 29A virus-writing group, who regularly post news and details of their creations on underground websites. It was only a matter of time before the virus emerged in the wild in the Philippines.

"I hold Vallez and his group responsible for the Cabir mess. They might not have actively spread the virus but it's analogous to creating a new bioweapon over creating a gun - a gun targets individually, viruses spread indiscriminately," Niemelä states.

Interestingly, unlike their counterparts in the PC world, the mobile virus writers up to now have not shown any interest or ability to make direct financial gains from their mobile malware creations, satisfying themselves instead with the fame they enjoy among their select peer group. At present, Niemelä estimates there are approximately 40 mobile virus authors, mostly located in South East Asia.

Hexidiots and headaches
This, Niemelä is convinced, will change as more mobile virus writers join the bandwagon. This has already been proven by other, less experienced writers taking the Cabir binary executables (published by the 29A group) and creating new variants of the existing malware by modifying the file contents with hex editor tools. These writers, known as hexedit idiots by anti-virus researchers, are able to continue the headaches originally created by their more skilled counterparts.

Apart from the binary-based malware, notably the Cabir, Mabir and Commwarrior worms, there are the SIS file trojans - malware that are basically Symbian installation files which install files that break system functions by abusing features of Symbian OS. These SIS file trojans are typically created by a malware author exploring the Symbian OS until he finds a way to break something, and then creating a SIS installation file that uses this technique. After the initial variant is created, other malware authors will then unpack the trojan and combine it with other trojans to develop it further.

Niemelä points out that the good news about the Symbian platform is that it has learned from many of the mistakes of the PC platform and has prevented many problems that could lead to exploitable vulnerabilities. The bad news, however, is that many of the problems found have no counterpart in the PC world and are thus new for the industry. And, as Niemelä points out, most anti-virus companies don't have the necessary background knowledge to understand how the SIS file trojans work.

The one thing common to mobile platform exploitation is the innovation factor - little by little, something new always emerges to beat the existing rules. For example, Cabir, which originally was only able to target a single phone at a time, re-emerged as a variant able to target multiple devices. Commwarrior A and B, which use Bluetooth transmission and MMS, eventually evolved into Commwarrior C, which emulated user behaviour to create messages with text and language selected from earlier messages - effectively a social engineering technique.

Niemelä is waiting for the next big thing to emerge from his chosen enemy. There has been talk of automatically spreading mobile worms but, fortunately, there is as yet no evidence of such. In the meantime, Niemelä and one colleague from FRISK Software have recently been reclassifying mobile viruses, assigning individual names to existing variants which were originally considered too minor to receive independent variant status and their own variant letter.

"There were some concerns about the mobile virus threat being hyped and researchers have been careful not to assign new variant letters on too light a basis. Now, however, there will be a leap from the present number of 125 to something like 250. We have done this to reflect the new situation more accurately," says Niemelä, who will be carefully monitoring developments as the mobile malware community starts to up the ante with new exploits and larger mobile malware volumes.

Author: Corporate Communicator Mark Woods