Cell phones and Akamai under attack


This issue's topics:

Introduction:

* Cell phones and Akamai under attack; XP SP RC2 released

Virus News:

* First Bluetooth worm on Symbian OS phones

* Polyglot mass-mailer on the loose...

Security News:

* Acronym alert - MS releases XP SP2 RC2

* Akamai of the killer zombies...

* Gartner pegs cost to banks of spyware, phishing at US$2.4bn last year

Introduction:

Sorry - in a terrible rush today, so the intro will be peremptory at best (I always wanted to use that word!).

First cell phone virus, blah, blah... Multilingual virus spreading rapidly. MS releases next XP SP2 candidate, etc, etc - read all about these, and more, below...

Virus News:

* First Bluetooth worm on Symbian OS phones

Cell phone virus stories have come and gone over the years, but none have held any water. True, there have been 'rogue' SMS messages that cause some vulnerable phones to shut down and there have been 'games' that effectively trick phone users tempted to play them into dialling some target phone number (emergency services or someone the perpetrator of such hoaxes wished to annoy), but nothing that really passes technical muster to count as a real virus.

In case you haven't already heard, that was the case at the end of last week, but is no longer so.

EPOC/Cabir (also known by some as Symbian/Cabir and by its writer as Caribe-VZ) is a simple proof of concept virus, designed to work on Symbian Operating System (Symbian OS) Series 60 devices - for example Nokia 3600, 3620, 3650, 6600 and N-Gage have been carefully tested in isolation from other phones and found to work with Cabir. Cabir may also work with other Series 60 phones - a Symbian page listing current and near-future phones running Symbian OS is linked below to help readers identify possibly vulnerable phones.

Cabir is designed to activate the host device's Bluetooth interface, scan for other Bluetooth devices within range and send itself to the _first_ such device it finds. This scanning is repeated at regular intervals, so as the host moves in and out of range of potential victims, the virus may have a modest chance to spread. However, note that Bluetooth interfaces in cell phones have a very short range - in theory about ten metres, but this can be heavily attenuated by certain types of clothing, typical internal walls in offices and houses and so on.

Further, the potential recipient must accept the transmission of the Symbian SIS installation package Cabir offers over the Bluetooth connection, and then must accept installing it, given warnings by the phone's security system such as 'Application is untrusted and may have problems. Install only if you trust the provider' and 'Installation security warning. Unable to verify supplier. Continue anyway?'. If the recipient is gullible enough to still accept the package, it is installed and activated, and tries to install a boot hook so it will run as part of the start-up sequence during subsequent power cycles of the phone. Screen shot sequences of various phones used in the viability testing of Cabir are available in some of the antivirus vendor descriptions linked below. Disabling a phone's Bluetooth interface, or if Bluetooth must be used (hands-free headset, etc), placing it in 'hidden' mode prevents an otherwise vulnerable phone from being located by a copy of Cabir running on an infected phone.

Cabir has several bugs, limiting its likely 'usefulness' to specific phones. For example, it makes assumptions about the Bluetooth interface that may limit it to only working on current Nokia Series 60 phones, and its boot hook installer fails on some phones (perhaps all phones running Series 60 version 2.x). Also, it has been suggested that the continual Bluetooth scanning seriously impacts battery life - an effect bound to be noticed by most affected phone users sooner, rather than later, if Cabir were ever to 'get out'.

So, despite all the attention it has received in the media this week, it seems very unlikely that Cabir, or any of the probable imitators, will become at all widespread. It is believed not to be in the wild - its writer sent it directly to an antivirus company, probably hoping for the kind of publicity it has been given - and although there are two minor variants, its bugs, other design shortcomings and the security warnings that must be manually overridden by a user to become infected all seem to militate strongly against it being viable in the field.

Symbian OS phones - symbian.com

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

* Polyglot mass-mailer on the loose...

Hungarian alone apparently doesn't cut it.

The first variant of the Zafi family, Win32/Zafi.A@mm, was a mass-mailer that sent itself attached to messages in Hungarian. Presumably, with most of the world's Internet e-mail-connected folk not speaking Hungarian, e-mails from Zafi.A were ignored, or perhaps seen as spam and not even delivered to many intended recipients.

Apparently Zafi's writer saw this as too limiting, as the second variant, Zafi.B, sends itself attached to messages in one of more than a dozen languages. If the TLD (the last part of the domain name) of a target address is that of Austria (.at), the Czech Republic (.cz), Germany (.de), Denmark (.dk), Finland (.fi), France (.fr), Hungary (.hu), Italy (.it), Lithuania (.lt), Mexico (.mx), The Netherlands (.nl), Norway (.no), Poland (.pl), Portugal (.pt), Romania (.ro), Russia (.ru), Sweden (.se) or Spain (.sp), Zafi.B sends itself attached to a message in the local language of those countries - messages to any other TLDs are in English.

Although initially isolated (in Hungary) a little over a week ago, there has been a huge increase in reports of Zafi.B through the middle of this week, causing several antivirus vendors to raise their 'alert' or 'watch' warnings on it.

Anyone whose machine has been infected should note that few, if any, of the online descriptions really describe all of the damage that Zafi.B can cause. From experience cleaning it up on clients' computers, your newsletter compiler knows that copies of the virus will be found far and wide across a typical Windows machine. This is at least partly due to the virus' search for running firewall and antivirus software processes. Zafi.B uses sub-string matching for this, and will thus often find quite innocent programs. When it finds a partial match on a running process name it kills the process, then replaces all .EXE files in the directory the process' executable was launched from. This will require restoring or re-installing any innocent products misidentified by the virus, after you've updated your virus scanner and removed all copies of the virus (preferably from Safe Mode).
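To make the clean-up point concrete, here is an added example (not from the newsletter, and not Zafi.B's own code or its real search list) that shows why loose sub-string matching on process names catches innocent programs, and that turns a process snapshot into the list of directories whose .EXE files need checking or restoring. The name fragments, process names and paths are all constructed for the illustration.

```python
"""Constructed illustration of sub-string matching on process names, and a
triage helper listing the directories a defender should check afterwards.
Added example: the fragments, process names and paths below are invented."""
import ntpath  # handles Windows paths correctly even when run on another OS

# Constructed (hypothetical) name fragments standing in for the kind of
# antivirus/firewall keywords a mass-mailer might look for. Not Zafi.B's list.
SUSPECT_FRAGMENTS = ["virus", "firewall", "nav", "guard"]

# Constructed snapshot of running processes: (image name, full image path).
RUNNING_PROCESSES = [
    ("antivirusguard.exe", r"C:\Program Files\AV Vendor\antivirusguard.exe"),
    ("myfirewall.exe", r"C:\Program Files\Firewall Vendor\myfirewall.exe"),
    ("navigator.exe", r"C:\Program Files\Web Tools\navigator.exe"),   # innocent
    ("screenguard.exe", r"C:\Program Files\Screen Tools\screenguard.exe"),  # innocent
    ("explorer.exe", r"C:\WINDOWS\explorer.exe"),
    ("winword.exe", r"C:\Program Files\Office\winword.exe"),
]

# Constructed list of the security products that are actually installed.
KNOWN_SECURITY_PRODUCTS = {"antivirusguard.exe", "myfirewall.exe"}


def substring_hits(fragments, processes):
    """Return [(name, fragment), ...] for every process whose lower-cased
    image name contains one of the fragments. This is the deliberately
    over-inclusive matching the article describes."""
    hits = []
    for name, _path in processes:
        lowered = name.lower()
        for frag in fragments:
            if frag in lowered:
                hits.append((name, frag))
                break  # one match per process is enough
    return hits


def false_positives(fragments, known_security, processes):
    """Processes a sub-string search would hit that are not security
    products at all: the 'innocent programs' that end up damaged."""
    return sorted(name for name, _ in substring_hits(fragments, processes)
                  if name not in known_security)


def directories_at_risk(fragments, processes):
    """Directories whose .EXE files would all have been replaced: one per
    matched process, since the replacement covers the process's launch
    directory rather than just its own image."""
    matched = {name for name, _ in substring_hits(fragments, processes)}
    dirs = {ntpath.dirname(path) for name, path in processes if name in matched}
    return sorted(dirs)


if __name__ == "__main__":
    print("sub-string hits:", substring_hits(SUSPECT_FRAGMENTS, RUNNING_PROCESSES))
    print("innocent programs hit:",
          false_positives(SUSPECT_FRAGMENTS, KNOWN_SECURITY_PRODUCTS, RUNNING_PROCESSES))
    print("directories to check/restore:")
    for d in directories_at_risk(SUSPECT_FRAGMENTS, RUNNING_PROCESSES):
        print("  ", d)
```

Run on the constructed snapshot, `navigator.exe` and `screenguard.exe` are matched purely because their names contain "nav" and "guard", which is exactly why a clean-up has to cover every directory a matched process ran from, not only the security products' own folders. On a real machine the process snapshot would come from the system's process list, and the directories returned are the ones to compare against installation media or reinstall after the scanner has removed the virus.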

Computer Associates Virus Information Center

F-Secure Security Information Center

Kaspersky Lab Virus Encyclopedia

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Acronym alert - MS releases XP SP2 RC2

Microsoft has posted Release Candidate 2 (RC2) of Windows XP Service Pack 2 (SP2) under its 'preview program'. XP SP2 RC2 is available both as a full 'network installer' version and via Windows Update. Microsoft recommends obtaining the preview via WindowsUpdate if only updating a single computer, as the download will be much smaller.

There is still no official word on the likely ship date for the final version of XP SP2, nor as to whether there will be a public (or any) release of an RC3 before the final version is shipped. Some commentators feel RC2 is already late, citing unconfirmed reports that a bug in the NX ('no execute') support for newer AMD and forthcoming Intel CPUs delayed RC2's release. As well as linking to the RC2 download page, we have included a link to Microsoft's 'Resources for IT Professionals' page covering XP SP2.

Windows XP Service Pack 2 Release Candidate 2 Preview - microsoft.com

Windows XP Service Pack 2 Resources for IT Professionals - microsoft.com

* Akamai of the killer zombies...

Arghh - sorry about that title!

As if more evidence of the potential for havoc posed by large 'bot nets' - often referred to as 'zombie armies' and the like in the popular media - was needed, Akamai suffered serious disruption to its cunning distributed DNS systems earlier this week. The disruption was short-lived at around two hours duration, but affected reachability of some of the Internet's most-visited sites - Apple, Microsoft, Yahoo! to name a few.

Note that the attack, currently blamed on a nameless, faceless and largely undefinable bot net, was not against the massive server and network capacities of Akamai's content hosting services, but against the apparently less-well provisioned DNS services. As any web master knows, it matters not that you have great content if those looking for it cannot find it, or your site.

Q&A: Tom Leighton, chief scientist at Akamai - computerworld.com

* Gartner pegs cost to banks of spyware, phishing at US$2.4bn last year

According to results extrapolated from a recent Gartner survey of US Internet users, theft from personal bank accounts, facilitated by spyware and 'phishing' accounted for US$2.4 billion in losses in the last twelve months. By Gartner's reckoning, that makes such crimes the fastest growing form of financial fraud in the US.

That's a surprising amount and suggests that the recent announcement of the formation of the Trusted Electronic Communications Forum (TECF), is not a tad too soon. TECF comprises representatives of the leading retail, telecommunications, financial services and technology companies and plans to work with standards bodies and governments to propose and implement solutions to the growing identity theft and fraud problem.

Companies team to reel in 'phishing' - itworld.com
