12 Jul Patch Tuesday July 2011 Kurt Baumgartner
20 Mar Cabir, the star of the show Magnus
20 Dec Mobile malware and the Muscovites Aleks
14 Jun Cabir's first year Aleks
18 Jan Cabir in the UK David
15 Jan Smartphone clean up Yury
Discussion of this month's Patch Tuesday is overshadowed by the massive data releases from the spearphishing, web and SQLi attacks reported in the media. Four bulletins are being released to address 22 CVE records, or sets of vulnerabilities.
Two of the vulnerabilities that immediately enable remote code execution are the Bluetooth-related vulnerability, however unreliable attacking it may be, and a Visio vulnerability. A set of vulnerabilities in CSRSS leading to elevation of privilege and a long set of win32k flaws are also addressed.
Microsoft gives the Bluetooth patch the highest deployment priority on Vista and Windows 7 client platforms. Servers should not be affected. I suppose that in close working environments it could potentially enable a worm, but the likelihood of another Cabir is low. High-value targeted attacks seem to be more of a risk.
The Visio vulnerability has been publicly known, with a PoC released, since at least August of last year. Some of our generic detections most likely would have prevented exploitation of this vulnerability. We are looking for any evidence of related exploitation and will update accordingly.
If you see any problems from the kernel-level patches, please comment below; I am interested. Win32k modifications have caused users problems in the past. Cheers to problem-free patching!
Tomorrow will be the last day of CeBIT and everyone's extremely busy. We still found the time to visit the Physikalisch-Technische Bundesanstalt (the national metrology institute providing scientific and technical services) in Braunschweig together with a German TV crew.
And why did we go there? Although the room may look like a big recording studio, the spikes on the wall aren’t to ensure clean sound, but to disperse all radio waves inside the room. Additionally, the metal plated walls and floor create a Faraday cage, making sure that all waves stay inside the room. In short, it’s a perfect location for mobile malware testing.
This gave us the opportunity to show the cameras just how Cabir, the first known smartphone virus, spreads. There are only a few known cases of Cabir infections in the wild in Germany, but everyone in the room understood that mobile malware is a real threat.
The chances of getting infected in your home country may be low. But there are other regions – like parts of Asia – where Cabir is more widespread. And that's why we never tire of repeating the security professionals' mantra: never install a program on your mobile phone if you're not sure where it came from, and if you don't need Bluetooth, turn it off! Even (or perhaps especially) at CeBIT.
Yesterday one of our employees was out for the evening and, naturally enough, used the metro. As you may know, the Moscow Metro is one of the busiest mass transit systems in the world, transporting approximately 9 million people a day.
With so many passengers, a number of whom now have smartphones, what are the chances of infection by Cabir or another virus for mobiles? Hard to tell exactly - all we do know is that while descending to the station, our employee detected an attempt by Cabir to infect her phone.
This is the third time she's experienced this in two months. You may think that this is a low frequency. You may also wonder why an employee of Kaspersky Lab is walking around with a phone in 'visible to all' mode.
In my opinion, it shows that Cabir has already spread far and wide, in Moscow if not in other regions of Russia. OK, three times in two months, when compared to the daily attacks which PCs are subjected to, isn't that high a frequency. And Cabir doesn't, theoretically, pose that much of a danger.
But this case illustrates the way in which mobile malware is gathering momentum. I don't want to think about what will happen when someone - and this will happen sooner rather than later - releases a viable worm for mobiles written with the intention of doing serious damage. It seems the Metro might become a very dangerous place for smartphone owners.
Today, Cabir celebrates its first birthday. One year ago, 29a sent a sample of their latest creation to AV vendors worldwide via Virusbuster, a Spanish virus collector. Kaspersky Lab was first to detect this proof of concept malware, which turned out to be a worm that targeted mobile phones running under the Symbian 60 OS with Bluetooth capabilities.
The source code for the original Cabir appeared on the Net in late December 2004, which led to a number of copycat variants appearing in the wild. Cabir infections have been registered in over 30 countries to date.
In addition, there are now close to 100 malicious programs targeting mobile phones, most of which are Trojans. This highlights two important aspects: operating systems for mobile devices are very insecure thus far, and users need to realize that mobile devices are vulnerable to the same type of attacks as regular PCs.
So, how soon will it be before the proof-of-concept trickle turns into a flood? It's difficult to be sure. However, there are two issues to consider. First, experience has shown that malware authors target systems that are commonly used. Ownership of mobile devices hasn't yet reached critical mass; but when it does, they will prove an irresistible target. Second, it's clear from developments during the last two years that the computer underground has realized the potential for making money from malicious code in a world where Internet connectivity has become central to business.
Today's threats are largely geared towards making money illegally: through fraud, unwanted advertising (including spam) and extortion. Since mobile devices offer users the same capabilities as PCs, they also offer the same rewards for the criminal underground.
Our UK support department has now had reports of Cabir. Looks like the virus is continuing to spread: this brings the tally to 10 countries.
We have put together a new removal tool that detects and disinfects malware on smartphones and other mobile devices running Symbian OS.
It's available for download and is effective until May 1, 2005.
OS Supported: Symbian OS 6.1, 7.0.
Devices supported: Series 60 smartphones.
Note: This version was tested on Nokia 3650, Nokia 7650, Nokia 6600, Siemens SX1.
Download the utility directly to your smartphone via WAP, or download it to your PC and copy it to the device (size is 9.2 KB).
Install it as a common Symbian application package by opening the message that you receive when downloading the file.
You will need to download and install the utility again every time you would like to update the antivirus databases (we recommend that you do this when you hear of new malware for Symbian OS).
Since we at Kaspersky confirmed a Cabir infection here in Moscow, we've had several more reports of Cabir on the loose. In fact, someone has reported that they were infected as far back as two weeks ago.
In all cases, infected users had their Bluetooth set to 'visible to all'. We really do urge all users to turn the 'visible to all' option off and to take advantage of our Cabir removal tool available on our wap site.
Today someone brought us a Nokia 7610 phone infected by Cabir. After analysis, it proved to be Cabir.a. This is the first documented infection by Cabir in Russia.
Mikko Hypponen from F-Secure has also told us that they've received reports about Cabir from Turkey and Vietnam, so Russia moves to ninth place in the list of countries where Cabir has been spotted in the wild:
1. The Philippines
3. United Arab Emirates
Over the last few days we have seen several versions of Cabir. They differ from each other only in unimportant ways.
Today we found out that the source code that these different versions were compiled from was published on the Internet. This means it can be accessed by anyone.
As far as we know, until now the Cabir source code was accessible only to a limited number of people, including members of the international virus writing group 29A. It was a 29A member who wrote the original version of Cabir. We think it was planned to publish the source code in the next edition of the group's electronic journal.
However, it looks as though someone has already got access to the code, and now it's public. This will lead to a lot of new versions of Cabir, which has already been detected in the wild in 7 countries.
We have tested Cabir.e. The author has simply removed the MessageBox that Cabir.a opened when infected phones were switched on. The dialog box with a request to approve installation after worm files have been received via Bluetooth still opens.
So far, Cabir.e is not in the wild. We will monitor the situation and alert users if Cabir.e does escape.