Tuesday, February 22, 2005

Cabir in the U.S.A., OMG! :)

There have been some really good fear-inducing stories in the news lately. Steve Litchfield has written a Symbian virus hype-busting article.

F-Secure's blog has a good explanation of why Cabir in the U.S.A. is not really something to worry about -- mainly because Series 60 phones do not have much market penetration.

Sony-Ericsson UIQ interface phones do make up more of the market, due mainly to Cingular Wireless.

As of January of this year the source code for two different versions of Cabir has been released. It is surprising that no one has made the changes necessary to port Cabir to UIQ. A large number of Cabir variants are simply hex-edited versions of the original. The new breed of cell phone virus writers either hasn't shown up for work yet or is just incredibly lazy and unskilled.

Trend Micro has apparently taken this, and the potential size of the American cell phone market, into account in deciding to sell a UIQ version of its scanner. They are a bit early, as no UIQ malware has yet been released.

Kaspersky entering Symbian AV Market?

Kaspersky Labs is apparently beta testing a new scanner for Series 60 phones. We can probably expect a product release before summer.

The market is certainly getting crowded.

Wednesday, February 09, 2005

Locknut notes

The Locknut samples consist of three files: two RSC files and an app. The app is 6 bytes long, obviously an invalid size.

RSC files are not 'active' files: the data in an RSC file is interpreted by the individual app, while the OS just loads it into your buffers. One of the RSC files, the largest, appears to be a plain text file.

Apparently the app server crashes when attempting to run the Locknut app. Per other descriptions, it appears that only Symbian OS version 7.0s and later are affected.

Attempting to load a 6-byte file that is too small to contain either a standard app header or even a ROM exe header seems like a big oversight on the part of Symbian's developers. Considering that earlier versions are not affected, the question becomes what has changed in program loading with the arrival of version 7.0s. It occurred to me that perhaps it has something to do with the new compressed executable feature introduced in that same version.

The Symbian executable file format has been the same from ER5 through to version 6. This format is documented in Symbian's release of the petran source code. The new compressed executable format modifies the header a bit, adding flags for compression and compression type. These are not yet publicly documented.

The crash of the app server could be attributed to buggy new code involved in handling compressed executables. It would be bad if this were the case, as, similar to the recent J2ME vulnerabilities, fixing the problem would require ROM replacements. Depending on the number of units sold, it may be more feasible to prevent with software and prudence.
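As an added illustration (not code from the original post, and not Symbian's own loader), here is the length-first validation a loader should perform before trusting any header field, so that an undersized file like the 6-byte Locknut app is rejected instead of parsed. The header layout, field names and sizes below are hypothetical stand-ins, not the real Symbian executable format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical fixed-size image header for illustration only; this is NOT
 * the Symbian E32 layout. All fields are little-endian 32-bit values:
 *   0..11 three UIDs   12..15 magic   16..19 code offset
 *   20..23 code size   24..27 entry point (offset within code)        */
#define HDR_SIZE  28u
#define HDR_MAGIC 0x434F5045u          /* "EPOC" read as little-endian */

enum load_status { LOAD_OK, LOAD_TOO_SHORT, LOAD_BAD_MAGIC,
                   LOAD_BAD_CODE_RANGE, LOAD_BAD_ENTRY };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate an image before any field is trusted. A loader that reads the
 * header first and checks the length afterwards overreads a 6-byte file;
 * the checks here are ordered so that no read ever goes past 'len'.  */
enum load_status validate_image(const uint8_t *img, size_t len)
{
    if (len < HDR_SIZE)                /* a 6-byte "app" is refused here */
        return LOAD_TOO_SHORT;
    if (rd32(img + 12) != HDR_MAGIC)
        return LOAD_BAD_MAGIC;
    uint32_t code_off  = rd32(img + 16);
    uint32_t code_size = rd32(img + 20);
    uint32_t entry     = rd32(img + 24);
    /* Subtract rather than add so code_off + code_size cannot wrap. */
    if (code_off < HDR_SIZE || code_size == 0 ||
        code_off > len || code_size > len - code_off)
        return LOAD_BAD_CODE_RANGE;
    if (entry >= code_size)            /* entry must fall inside the code */
        return LOAD_BAD_ENTRY;
    return LOAD_OK;
}

/* Constructed sample image: header only, "code" left zero-filled. */
static uint8_t g_img[64];

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

const uint8_t *make_image(uint32_t magic, uint32_t code_off,
                          uint32_t code_size, uint32_t entry)
{
    memset(g_img, 0, sizeof g_img);
    wr32(g_img + 12, magic);     wr32(g_img + 16, code_off);
    wr32(g_img + 20, code_size); wr32(g_img + 24, entry);
    return g_img;
}
```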


Tuesday, February 08, 2005

On Marcos Velasco

Mr. Velasco mentions on his security site that he has not gotten as much attention in the past two years for all of his security tools and research as he has received for writing a Cabir clone and SIS file infector. I agree that it is not very heartening to see your good works ill received.

AntiSpy clears out a number of interesting tracking keys in the Windows registry. The readme file included in the install package covers most of what you would need to know about these keys. The key point is that they're recreated on reboot, necessitating a tool like AntiSpy to remove them. For that purpose it beats a general purpose spyware scanner like Spybot.

MV RegClean identifies invalid registry entries like other registry cleaning tools on the market. Its interface is clean with straightforward options for scanning the registry as well as performing backups.

Regarding Cabir (H & I), according to Mr. Velasco these are clones of Cabir developed by reverse engineering the original Cabir worm. For someone involved in the computer security industry, writing viruses is a no-no.

Regarding innovation, Mr. Velasco's SIS file infector/dropper, while not a completely new technique, is the first implementation of an archive infector on the Symbian OS. For this he certainly deserves credit.

All the same, he has stepped over the line: if you are in the business of securing computers, do not endanger them at the same time.

Auto "Kill Switch", solving the wrong problem?

Consumer Watchdog, a consumer advocacy group, put out a report on the dangers of Internet connected cars. They received coverage on the nigh...