<<<
Monday, December 27, 2004
>>>
 
Evolution in Cabir variants Posted by Jarno @ 12:48 GMT

Cabir
We've found two new Cabir variants (Cabir.H and Cabir.I, respectively). As mentioned before, we've found several examples of phone malware over the last weeks, especially Cabir and Skulls variants, affecting Symbian Series 60 phones.

However, this time there are two important differences.

First of all, these new variants seem to be recompiled versions based on original Cabir source code. Which means that the Cabir source code is floating around in the underground. Which is bad news. We didn't know the sources were out there, and we've never seen them.

Second important difference is that these new Cabir variants fix a flaw that was slowing down original Cabir's spreading speed. Cabir originally would only spread to one new phone per reboot. Which explains why it so far has only managed to spread to eight countries (as far as we know), despite being in the wild for months already.

Cabir.H and Cabir.I can spread to an unlimited number of phones per reboot. As soon as a suitable target phone is seen, the worm sends itself there as a Bluetooth file transmission and keeps sending itself to that phone while it is still in range. Once the target phone leaves the area, Cabir.H will find a new target and continue spreading. This means that in conditions where people move around and new phones come in conctact with each other, the Cabir.H and Cabir.I can spread quite rapidly.

In addition of spreading, these new Cabirs don't do anything directly destructive or malicious. However, they do block all normal Bluetooth connectivity and they also drain the infected phones battery very fast.

We have no reports of Cabir.H and Cabir.I in the wild yet. However, this is probably only a matter of time, as the virus writer behind these variants has publicly posted them on his web page.

Both new Cabir variants are detected by F-Secure Mobile Anti-Virus

Symbian Series 60 worm / trojan history so far:

2004:
June 15th: Cabir.A is found
June 16th: Cabir.B is found
November 19th: Skulls.A trojan is found
November 29th: Skulls.B is found
December 9th: Cabir.C is found
December 9th: Cabir.D is found
December 9th: Cabir.E is found
December 21st: Skulls.C is found
December 21st: Cabir.F is found
December 21st: Cabir.G is found
December 26th: Cabir.H is found
December 26th: Cabir.I is found







<<< PHP worm outbreaks not out of control
|
The Tsunami Tragedy >>>