{"id":14964,"date":"2014-06-16T13:06:34","date_gmt":"2014-06-16T13:06:34","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2035"},"modified":"2022-05-05T04:29:29","modified_gmt":"2022-05-05T08:29:29","slug":"cabir-five-stories","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/cabir-five-stories\/14964\/","title":{"rendered":"Five stories about Cabir, the first malware for smartphones"},"content":{"rendered":"<p>Yesterday\u00a0marked the\u00a0<a href=\"https:\/\/eugene.kaspersky.com\/2014\/06\/15\/10-years-since-the-first-smartphone-malware-to-the-minute\/\" target=\"_blank\" rel=\"noopener\">10 year anniversary\u00a0of the first smartphone malware being\u00a0discovered<\/a>. Today, the Cabir worm looks harmless: it doesn\u2019t steal money or passwords, nor does it delete users\u2019 data. But\u00a0it\u00a0drains the battery within 2-3 hours \u2013 a battery dying that fast was unheard of in 2004, whereas now, in 2014, it is an everyday occurrence.<\/p>\n<p>Today we will tell you how we discovered this virus, where its name came from, what happened next and how it all ended. As a matter of fact, the story has already ended for some of the characters: for the Symbian platform, for instance. For the rest of them \u2013 smartphone manufacturers, users and cybercriminals \u2013 it is just\u00a0the beginning.<\/p>\n<p><strong>Story One. It all happens by the end of the day.<\/strong><\/p>\n<p>Most IT people know the story well: servers crash, software bugs announce themselves loudly, new viruses drift in \u2013 all strictly at 6:30pm, and mostly on Fridays. In June 2004 it happened not on a Friday, but still at the very end of the malware analysts\u2019 shift. 
So they passed a file that had just dropped into the \u201cvirus\u201d mailbox on to the next shift, tagging it as \u201csomething weird\u201d.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>Today the Cabir worm looks harmless: it\u00a0doesn\u2019t steal or delete anything.<\/p><\/blockquote>\n<p>It became clear later that the mysterious file had been sent to many antivirus vendors. Most of them, however, contented themselves with the observation that it wasn\u2019t a Windows executable and therefore posed no threat to ordinary PCs. Kaspersky Lab\u2019s analyst Roman Kuzmenko, who had just come on shift, quickly figured out that it was an ARM program for the Symbian platform, which was just two years old at the time.<\/p>\n<p>While the file analysis was still ongoing, a full-blown search operation unfolded across Kaspersky Lab: we were looking for Symbian phones. It\u00a0was not an easy task: at that time smartphones were quite a novelty, and an expensive one (the first of them, the Nokia 7650, came with\u00a0a price tag of 600 euros).<\/p>\n<p>While we were still searching for a smartphone (according to legend, people\u00a0were even sent to the nearest electronics store\u00a0to find one) it became clear that a single smartphone wasn\u2019t going to be enough. At least two were\u00a0required in order to confirm that the worm could spread via Bluetooth on its own. 
Kudos to Roman Kuzmenko: he analysed an entirely new program for a little-explored platform very quickly, and correctly predicted its key behaviour well before it was run on real devices.<\/p>\n<p>Six months earlier, Alexander Gostev, summing up the year 2003, had predicted that mobile malware would emerge soon. He was right.<\/p>\n<p><strong>Story Two. Why \u201cCabir\u201d?<\/strong><\/p>\n<p>Almost all malware arrives already named by its (mostly) anonymous authors. We could simply have used the filename \u2013 Caribe.sis. However, there is a tacit agreement among antivirus vendors not to do that. First, the same malware can be distributed under different names, while the classification should stay consistent. Second, we shouldn\u2019t help virus writers promote their chosen names: some of these miscreants breed pests purely to extort their five minutes of fame from the antimalware vendors.<\/p>\n<p>In most cases, however, the final name <em>is<\/em> related to the virus writer\u2019s creative whim in one way or another. So it was with Cabir, though it wasn\u2019t just a matter of swapping letters. At the height of the debate over what to call the first smartphone worm, Elena Kabirova, a Kaspersky Lab employee, walked into the lab. Seeing her, Eugene Kaspersky proposed naming the worm after her, given the obvious resemblance; she graciously agreed (but not before\u00a0making sure that the event itself\u00a0was indeed significant).<\/p>\n<p><strong>Story Three. The iron room and the collection of devices.<\/strong><\/p>\n<p>So, the first worm for smartphones had been successfully discovered. The world learned that not every file a phone is offered is useful, and that viruses can spread not just via the Internet and flash drives, but also over the air, just like the common flu. 
Although Cabir could spread only via Bluetooth, and so infect only phones within a range of about 10 meters, it still accounted for a couple of epidemics. Most often it showed up in crowded places: for instance, a wave of infections rolled through the stadium in Helsinki during the 2005 World Championships in Athletics, and one could be prompted to accept a malicious file anywhere in the\u00a0subway. Cabir owes its relative \u201cpopularity\u201d to the well-known virus-writing group of distinguished gentlemen codenamed 29A. As a result we have as many as 18 variants of this worm in our database. They are almost identical, although Cabir.k, dated April 2005, could also use MMS (do you remember those?) to spread, causing users quite real monetary damage.<\/p>\n<p>And what about the iron room? Researching new variants of Cabir (and similar malware) caused local incidents within Kaspersky Lab. Just imagine: a virus analyst launches a new malware variant on a test smartphone, and one floor below a mobile antivirus developer suddenly receives an offer to accept a file. So we needed an isolated space for experiments, and that is how we came by a shielded room which neither cellular nor Wi-Fi signals could penetrate, and where we could <del>chill out<\/del> test new viruses without risking\u00a0infecting our colleagues\u2019 phones.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2047\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020023\/Bluetooth_hazard-1.png\" alt=\"Bluetooth_hazard\" width=\"800\" height=\"801\"><\/p>\n<p>Thanks to Cabir, we\u2019ve acquired a constantly renewed collection of mobile devices. 
The Nokia 3650 was the\u00a0first one:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2039\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020022\/nokia1-1.png\" alt=\"nokia1\" width=\"800\" height=\"533\"><\/p>\n<p>Besides the dubious honor of being Nokia\u2019s second smartphone, it is remembered for its <em>remarkably<\/em> awkward keypad.<\/p>\n<p>The Nokia N-Gage was there too:<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-2040\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020021\/okia-n-gage-1.png\" alt=\"okia-n-gage\" width=\"737\" height=\"447\"><\/p>\n<p>The ability to play mobile games (quite good ones for the time) was this device\u2019s big advantage. On the other hand, when used as a phone it had to be held to the ear by its side edge, where both the speaker and the microphone were located, so the user looked like some kind of Van Gogh elephant.<\/p>\n<p><strong>Story Four. Not just Bluetooth.<\/strong><\/p>\n<p>Spreading via Bluetooth was quite an original method, but a short-lived one. Next came smartphone malware that spread via MMS using the device\u2019s contact list. It was followed by a long-running epidemic of Trojans sending SMS to premium-rate numbers (which brought the criminals a good deal of income), and then all of the malicious activity moved to the Web: faster, more reliable, and with no limit on how far the damage could reach.<\/p>\n<p>So that fabulous \u201ciron room\u201d was our experts\u2019 favorite meditation place for only a limited\u00a0time. When we moved to a new office we abandoned it; there was no reason to bring it along.<\/p>\n<p>There was, however, one exception: <a href=\"The_Flame_Questions_and_Answers\/\" target=\"_blank\" rel=\"noopener\">Flame, an extremely complex cyber-espionage tool discovered in 2012<\/a>. Its Bluetooth functionality\u00a0isn\u2019t its main\u00a0one, but it has some interesting capabilities. 
First, it gathers data on the devices in range (much as you can discover the model of the smart TV in the neighboring apartment). Second,\u00a0Flame can turn the Bluetooth adapter into a sort of beacon that tells anyone who knows what to look for that an infected PC is nearby.<\/p>\n<p><strong>Story Five. Rise and Fall of Symbian malware and the dawn of the glorious (?!) future<\/strong><\/p>\n<p>Over the entire history of our monitoring, Kaspersky Lab detected 621 malware variants for Symbian \u2013 each differing from the others\u00a0in something more than just name and icon. Not many, to be honest.\u00a0Until mid-2008 everything new produced by cybercriminals (and by amateur virus writers) targeted Symbian smartphones alone. Then the tide turned. First, Nokia, as the primary Symbian manufacturer, started taking measures; for instance, mandatory digital signing of applications was introduced (many people can still recall how much of a headache it caused). Then it suddenly became clear that writing malware for the platform-independent Java ME was much more lucrative. Java malware potentially threatens far more people: users of ordinary feature phones. Smartphones were endangered too, at least those with Java support. A double impact!<\/p>\n<p><a href=\"https:\/\/securelist.com\/first-sms-trojan-for-android\/29731\/\" target=\"_blank\" rel=\"noopener\">In August 2010 our database received its first entry describing a malicious program for Android OS<\/a>. Android is now the primary target for cybercriminals: so far we have about 370 thousand malware variants for this platform. 
Compare this to the paltry hundreds for Symbian.<\/p>\n<blockquote class=\"twitter-pullquote\"><p>Suddenly it became clear that writing malware for\u00a0Java ME is much more lucrative.<\/p><\/blockquote>\n<p><a href=\"http:\/\/en.wikipedia.org\/wiki\/Nokia_808_PureView\" target=\"_blank\" rel=\"noopener nofollow\">The last Symbian phone was released in 2012<\/a>. For weal or for woe, the platform is dead now. Cabir was the first malware for Nokia smartphones, but what was the last? New samples still emerge from time to time. The most recent more or less original one was discovered on May 6th, 2014: a rather plain SMS Trojan that sends messages to premium-rate numbers and hides the delivery notifications from the user. Incidentally, 8 months passed between the discovery of this Trojan and the previous one.<\/p>\n<p>But for mobile devices it is all just the beginning. Although there weren\u2019t many mobile viruses in the first two years after Cabir\u2019s discovery, they advanced rapidly. In those two years they passed through all the stages \u2013 viruses, then Trojans, then backdoors, and so on \u2013 that took PC malware more than a decade. Over the last 10 years mobile malware has \u201clearned\u201d how to steal money and passwords, how to break into online banking, how to intercept SMS messages carrying one-time passwords, and, most recently, <a href=\"https:\/\/securelist.com\/the-first-mobile-encryptor-trojan\/63767\/\" target=\"_blank\" rel=\"noopener\">how to encrypt users\u2019 data and then extort money for decryption<\/a>. We are yet to see what comes next. But, for now, it\u2019s clear\u00a0how harmless the \u201cfirstling\u201d was. 
Created by altruistic malware writers purely for the sake of art, it encroached on the battery alone, not on the user\u2019s money. A quaint creature from the day before yesterday\u00a0\u2013 when smartphones were many and varied and had physical buttons.<\/p>\n<p>And you? Have you met Cabir?<\/p>\n<div id=\"attachment_2051\" style=\"width: 810px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020023\/Kaspersky_Lab_infographics_Cabir_eng_source_final.png\"><img decoding=\"async\" aria-describedby=\"caption-attachment-2051\" class=\"size-full wp-image-2051\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/06\/06020023\/Kaspersky_Lab_infographics_Cabir_eng_source_final.png\" alt=\"Click to open the full infographic.\" width=\"800\" height=\"451\"><\/a><p id=\"caption-attachment-2051\" class=\"wp-caption-text\">Click to open the full infographic.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday\u00a0marked the\u00a010 year anniversary\u00a0of the first smartphone malware being\u00a0discovered. Today, the Cabir worm looks harmless: it doesn\u2019t steal money or passwords, nor does it delete users\u2019 data. 
But\u00a0it\u00a0drains the battery within<\/p>\n","protected":false},"author":2706,"featured_media":16116,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[707,537,45],"class_list":{"0":"post-14964","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cabir","10":"tag-mobile-malware","11":"tag-smartphones"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cabir-five-stories\/14964\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cabir-five-stories\/1883\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cabir-five-stories\/14964\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cabir-five-stories\/14964\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cabir\/","name":"Cabir"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14964","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=14964"}],"version-history":[{"count":6,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14964\/revisions"}],"predecessor-version":[{"id":41080,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/14964\/revisions\/41080"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/16116"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=14964"}],"wp:term":
[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=14964"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=14964"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}