How to recognise CABIR worm

Background

A “proof of concept” virus has been sent to several virus protection companies.  It should be noted that this was not originally an active attack.   Since the original CABIR exposure the source code for the virus was placed on some web sites, this has resulted in sightings of infected handsets in very small numbers across the world.  A small number of infected handsets have been found in the UK, it is therefore likely that there may be many more occurrences of this, where users are not aware of the problem. 

CABIR is a virus designed to attack devices using the Symbian operating system, it will therefore have no impact on devices that are not Symbian based.  The vast majority of Bluetooth devices do not run on the Symbian platform, however several models of Ericsson and Nokia mobiles do use Symbian. 

Attack

The CABIR worm is a “proof of concept virus.  This has proved the principle that it is possible to infect a Symbian based Bluetooth device and to in theory propagate the attack to other Symbian devices.  The virus when loaded onto a device will attempt to transmit itself to the first paired device that it can find.  Once it achieves this there is no further impact on the host mobile.  If it finds an appropriate device it will prompt the user of the target device to download the program.  The virus will then try to look for another paired device from the target mobile. 

This attack is extremely limited:

1. It can only transmit to a paired device.
2. Most handsets are only paired to a headset or laptop, neither of these will be running a Symbian operating system.
3. It requires the user to manually accept the download of the program.
4. It only propagates to one other device.
5. Only impact on user is reduced battery life whilst it scans for a paired device within range.
6. Some devices can only support one Bluetooth application, and there has been a report that these handsets if infected with CABIR will no longer pair with their headsets, as the virus is using the bandwidth. 

Recommendations

The following recommendations will defend a handset against Comwarrior and similar virus infections.  The advice on Bluetooth should also be followed to protect your device’s privacy.  We believe that there are sophisticated devices that can interrogate Bluetooth devices, and the following advice is sound for all Bluetooth devices; PDA and laptop, as well as mobile phones.  The amount of private data potentially available on PDAs is likely to be far more of a risk than that found on mobile phones.  

Bluetooth Advice

• Switch off Bluetooth when not actually required – this will also have a beneficial impact on battery life.
• All devices should be set to hidden once the user has set up a paired connection.  A persistent bluesnarf attacker may still be able to access the phone, but may need to stay within range of the device for up to thirty minutes.
• Device names should be changed when first used e.g. Nokia phones come factory set as NOKIA 3650 for example.
• Set device Bluetooth PIN for access, if possible, this will also slow down any scanning attack. 

Messaging Advice

The CABIR virus is sent in the form of a Bluetooth message, it is possible for other attacks, such as Comwarrior, to be sent in the form of messages using SMS, MMS or Bluetooth.  The most common form of attack currently is the sending of phone settings to mobiles using sms or mms. 

Customers are advised not to accept any programmes or setting changes that they have not specifically requested.  Current handset configuration requires the user to manually accept downloaded programs or settings and this has so far limited any active attacks.