How was the first mobile malware, Cabir, discovered?

Ten years ago, digital security experts reported the discovery of Cabir – the first ever worm designed to attack mobile phones. Unlike most modern malware samples, Cabir wasn’t equipped with a wide range of malicious functions. Instead it made history by proving that it was possible to infect mobile phones.

Experts first encountered Cabir at the beginning of June 2004. One of Kaspersky Lab’s virus analysts was just ending his shift and handing over to a colleague, when he noticed an email with no text but with an attachment. The attachment was suspicious: it was a file, but a quick analysis couldn’t determine the software platform it was written for. It definitely wasn’t designed for Windows or Linux, the platforms that analysts usually worked with.

“Roman Kuzmenko was working the night shift that night,” Alexander Gostev, Chief Security Expert at Kaspersky Lab, recalls. “He stood out among the other analysts who worked at Kaspersky Lab at that time because of his ability to analyze complicated threats fast and accurately. Pretty soon after he started looking at that suspicious file, Roman discovered that it was written to execute in Symbian OS – a mobile operating system which powered Nokia mobile phones,” Gostev adds.

Further analysis showed that this file was able to send itself to another phone via Bluetooth. As a result, the battery of the infected phone drained extremely quickly. This was the only function of the newly discovered malware, and it was hardly malicious. However, its ability to send itself to other mobile phones forced experts to build a special testing room for analyzing such threats.

“Our colleagues from neighboring offices started to come in complaining that some kind of ‘virus’ was infecting their phones. As a result, we decided to equip a room with a special covering to prevent any radio signal from leaving it. This room then served as a special place to conduct tests on new mobile malware samples,” said Gostev.

In the code of Cabir, experts also found mentions of “29A” – a group of malware writers notorious for developing so-called conceptual viruses: viruses written to prove the vulnerability of a particular computer subsystem, or to demonstrate the possibility of infecting certain systems or devices.

“This group was known for developing malicious software that made a lot of noise in the cyber security world. Cap, Steam, Rugrat – all these infamous pieces of malware were developed by 29A,” Gostev notes.

Along with developing conceptual malware, 29A regularly issued its own e-magazine. In one edition, 29A published the worm itself and some fragments of its source code. That article, which proved that malware could be created to target one of the most popular mobile platforms in the world, caused a huge stir in cyber security at the time. It also stimulated other virus writers to develop the idea further.

Soon after the publication of the worm in 29A’s magazine, all manner of Cabir modifications appeared on the Web.

“Cabir was just a beginning, a starting point. Soon after we discovered it, we saw clearly that mobile threats are a very serious problem which needs a very special approach. In response, we established a whole new research division within Kaspersky Lab that was fully dedicated to mobile threats,” said Alexander Gostev.

After Cabir, a few hundred different viruses targeting Symbian devices were discovered. The number of new malware samples for this platform started to decline rapidly after newer mobile operating systems such as Android became established; these grew to be more widespread and thus more lucrative for cybercriminals. Ten years after the discovery of Cabir, the collection of mobile malware contains more than 340,000 unique samples, with more than 99% targeting Android.

courtesy-etcio.com
