EvilOctal Information Security Team Technical Discussion Group's Archiver

EvilOctal 2007-3-19 14:39

[Reposted] Kaspersky Security Bulletin 2006: Mobile malware

Author: Alexander Gostev (Senior Virus Analyst, Kaspersky Lab)
Original source: [url]http://www.viruslist.com/en/analysis?pubid=204791922[/url]

[list=1]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791924]Malware evolution[/url][/li]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791925]Malware for Unix-type systems[/url][/li]
[li]Mobile malware
[list]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791922#res]2006: an overview[/url][/li]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791922#stat]The year in statistics[/url][/li]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791922#tech]New technologies[/url]
[list]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791922#theft]Data theft[/url][/li]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791922#money]Financial theft[/url][/li]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791922#prop]How mobile viruses spread[/url][/li]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791922#cross]Cross platform viruses[/url][/li]
[/list]
[/li]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791922#newp]New platforms[/url][/li]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791922#sit]The current situation[/url][/li]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791922#forec]Forecast[/url][/li]
[/list]
[/li]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791921]Internet attacks[/url][/li]
[li][url=http://www.viruslist.com/en/analysis?pubid=204791920]Spam in 2006[/url][/li]
[/list]

[size=5][b]2006: an overview[/b][/size]
In 2006 several important events relating to mobile malware took place, and these events will set the evolutionary trend for the next few years.
[list=1]
[li]Commercial Trojans were created for Symbian.[/li]
[li]Malicious users began to steal money from mobile users' accounts.[/li]
[li]Malicious programs for standard (i.e. non-smartphone) mobile phones appeared.[/li]
[/list]

[size=5][b]The Year in Statistics[/b][/size]
In fall 2005, Kaspersky Lab analysts forecast that the future would bring a steady stream of malicious programs similar to those already known, with a very occasional technically innovative program. An additional motivation for virus writers would be economic gains which could, for instance, be made from the widespread use of mobile telephones to make e-payments. However, it was expected that a global epidemic of mobile malware wasn’t likely to be a real threat for a couple of years.
Kaspersky Lab's figures on mobile malware (according to its own classification) prior to 2006 were as follows:
[list]
[li]Known number of mobile virus families: 22[/li]
[li]Known number of variants and modifications within these families: 106[/li]
[li]Known number of platforms / operating systems attacked: 2 (Symbian and WinCE)[/li]
[/list]
In early 2006, a considerable increase in the number of malicious programs for mobile devices was noted: 43 variants of different mobile viruses appeared in February to April alone. At the peak of their activity, virus writers were providing antivirus companies with nearly ten new variants a week. Interestingly, Asian hackers turned out to be the most prolific. Overall, their programs stood out in terms of the platforms targeted and the moves made towards the relatively uncharted realm of mobile technologies.
It seemed that this rapid evolution would continue for some time, giving rise to the potential danger of mobile viruses being created in "assembly line" fashion, and reaching volumes similar to those shown by some computer viruses. However, in the second half of 2006, the appearance of new samples more or less came to a halt in terms of both known and new families.
This downward trend continued until the end of 2006, and resulted in a mere two to seven new variants of old malicious programs appearing each month. At the same time, the number of active mobile virus writers decreased considerably. At present, most new mobile malware is being created by just one or two people worldwide. This is why new variants do not tend to include technical innovations, leading to them being categorized as primitive Trojans.
[align=center][img]http://images.kaspersky.com/en/vlpub/0702_06p4_graph23_en.png[/img]
Increase in number of mobile virus variants in 2006[/align]
The statistics for mobile malware at the end of 2006 were as follows:
[list]
[li]Known number of mobile virus families: 35 (+13), up 37%[/li]
[li]Known number of variants and modifications: 186 (+80), up 45%[/li]
[li]Known platforms / operating systems: 4 (+2, J2ME and MSIL)[/li]
[/list]

[size=5][b]New technologies[/b][/size]
[size=4][b]Data theft[/b][/size]
The era of commercial Trojans and spyware programs for Symbian has now dawned. The first fully functional spyware program, Flexispy, was found in April; its developers were selling it on their website for $50. Once installed, Flexispy has total control over the smartphone and sends the cybercriminals information about calls made and SMS messages sent. In September 2006 a second, similar program for Symbian hit the scene: Acallno. This program harvests all text messages sent and received on the infected phone and forwards them to a designated number.
[size=4][b]Financial theft[/b][/size]
Virus writers have so far demonstrated only one of the many ways to steal money from mobile phone users. Unknown Russian hackers were the first to develop this technique; in February and September they used premium-rate number functionality in order to steal money. In February they spread the RedBrowser Trojan, which was disguised as a utility that could be used to access the Internet via SMS. However, the program actually sent SMS messages to premium-rate numbers, with $5 for every SMS being deducted from the subscriber's account. Wesber, a Trojan with similar functionality, appeared in September 2006.
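The capability a RedBrowser-style Trojan needs is declared up front in a J2ME application's descriptor (.jad): permission to originate SMS. As an added example, not code from the Kaspersky bulletin or from any Trojan, the following Python triages .jad files for that permission. The permission names are the standard MIDP 2.0 / JSR 120 ones; the two descriptors embedded in the script (names, vendor, URLs) are constructed for illustration and do not reproduce RedBrowser or Wesber.

```python
"""Triage J2ME MIDlet descriptors (.jad) for SMS-sending capability.

Added example, not code from the Kaspersky bulletin or from any Trojan.
The permission names below are the standard MIDP 2.0 / JSR 120 ones; the
sample descriptors at the bottom are constructed for illustration.
"""
from dataclasses import dataclass

# Permissions that let a MIDlet originate SMS (and therefore incur charges).
SMS_SEND_PERMISSIONS = {
    "javax.wireless.messaging.sms.send",    # WMA send permission
    "javax.microedition.io.Connector.sms",  # may open sms:// connections
}


@dataclass
class MidletReport:
    name: str
    required: list
    optional: list
    sends_sms: bool
    reason: str


def parse_jad(text):
    """Parse a .jad descriptor into {attribute: value}.

    A JAD is plain text, one 'Key: Value' attribute per line; everything
    after the first colon belongs to the value (e.g. a URL containing 'http:').
    """
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        attrs[key.strip()] = value.strip()
    return attrs


def _split_perms(value):
    """MIDlet-Permissions values are comma-separated permission names."""
    return [p.strip() for p in value.split(",") if p.strip()]


def assess_sms_risk(jad_text):
    """Report whether the MIDlet asks, as required or optional, for SMS-send rights."""
    attrs = parse_jad(jad_text)
    required = _split_perms(attrs.get("MIDlet-Permissions", ""))
    optional = _split_perms(attrs.get("MIDlet-Permissions-Opt", ""))
    hits = sorted({p for p in required + optional if p in SMS_SEND_PERMISSIONS})
    name = attrs.get("MIDlet-Name", "<unnamed>")
    if not hits:
        return MidletReport(name, required, optional, False,
                            "no SMS-send permission requested")
    scope = "required" if any(p in required for p in hits) else "optional"
    reason = f"requests {scope} SMS-send permission: {', '.join(hits)}"
    return MidletReport(name, required, optional, True, reason)


# Constructed descriptors (hypothetical names and URLs, not real MIDlets).
SUSPICIOUS_JAD = """\
MIDlet-Name: SmsWebBrowser
MIDlet-Vendor: example-vendor
MIDlet-Version: 1.0
MIDlet-Description: Browse the web via SMS
MIDlet-Jar-URL: http://example.invalid/smswebbrowser.jar
MIDlet-Jar-Size: 12345
MIDlet-1: SmsWebBrowser, icon.png, com.example.Browser
MicroEdition-Profile: MIDP-2.0
MicroEdition-Configuration: CLDC-1.1
MIDlet-Permissions: javax.wireless.messaging.sms.send, javax.microedition.io.Connector.http
"""

CLEAN_JAD = """\
MIDlet-Name: Solitaire
MIDlet-Vendor: example-vendor
MIDlet-Version: 2.1
MIDlet-Jar-URL: http://example.invalid/solitaire.jar
MIDlet-Jar-Size: 54321
MIDlet-1: Solitaire, icon.png, com.example.Solitaire
MicroEdition-Profile: MIDP-2.0
MicroEdition-Configuration: CLDC-1.1
MIDlet-Permissions-Opt: javax.microedition.io.Connector.http
"""

if __name__ == "__main__":
    for jad in (SUSPICIOUS_JAD, CLEAN_JAD):
        r = assess_sms_risk(jad)
        print(f"{r.name}: {'FLAG' if r.sends_sms else 'ok'} - {r.reason}")
```

Treat any MIDlet from an untrusted source that requests either permission as able to spend the subscriber's money, whatever its description claims; whether the handset prompts the user per message depends on the security domain the MIDlet is installed into, which this check does not know.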
[size=4][b]How mobile viruses spread[/b][/size]
Previously, mobile viruses differed from computer viruses in using specific ways of propagating - via Bluetooth or MMS. However, the functionality of the .NET programming platform which is integrated into WinCE has enabled virus writers to exploit yet another, more traditional infection vector: email. The Letum worm behaves in exactly the same way as thousands of typical PC email worms, and once it gets onto a telephone, it sends itself to all the email addresses stored in the infected phone’s contact list. Furthermore, Letum could be classified as a cross-platform virus, as it is capable of running on computers running .NET.
[size=4][b]Cross platform viruses[/b][/size]
The Cxover virus is the first cross-platform malicious program for mobile phones. When launched, it checks which operating system is running; when launched on a PC, it looks for access to mobile devices via ActiveSync and then copies itself to the mobile device over that connection. Once it is on the telephone (or PDA), the virus attempts to perform the procedure in reverse, i.e. to copy itself to the PC. It can also delete user files on the mobile device.
The Mobler worm works a little differently. Once its Win32 component is launched on a PC, it creates a SIS file on the E: drive. The SIS file contains several empty files which are used to overwrite a number of system applications on the phone. The file also contains the worm itself, which then copies itself to the phone's memory card and adds a file called autorun.inf.
If a user connects a Mobler-infected phone to a computer and tries to access the phone's memory card, the worm will automatically launch and infect the computer. Mobler is a clear example of a cross-platform virus capable of running on totally different operating systems: Windows and Symbian.
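The PC side of Mobler's propagation relies on Windows honouring the autorun.inf on the memory card when the card is opened as a removable drive. As an added example, not code from the Kaspersky bulletin, the following Python scans an autorun.inf together with a listing of the card's files and reports every entry that would start a program, which is the check a practitioner would run on a phone's card before opening it. The keys examined (open, shellexecute and shell\<verb>\command in the [autorun] section) are the ones Windows honoured for removable media at the time; the card contents below are constructed and do not reproduce the real worm.

```python
"""Scan a memory card's autorun.inf for entries that would launch an executable.

Added example, not code from the Kaspersky bulletin. The keys checked
(open, shellexecute and shell\\<verb>\\command in the [autorun] section) are
the ones Windows honoured for removable media at the time; the card contents
below are constructed and do not reproduce any real worm.
"""

EXEC_KEYS = ("open", "shellexecute")


def _norm(path):
    """Case-fold and slash-normalise a card-relative path for comparison."""
    p = path.replace("\\", "/").lower()
    while p.startswith("./") or p.startswith("/"):
        p = p[2:] if p.startswith("./") else p[1:]
    return p


def parse_autorun(text):
    """Parse autorun.inf (INI syntax) into {section: {key: value}}, keys lowercased."""
    sections = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def _program(command_line):
    """First token of a command line, quotes stripped ('"a b.exe" /q' -> 'a b.exe')."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def find_launch_targets(autorun_text, files_on_card):
    """Return (key, target, present_on_card) for every key that runs a program."""
    present = {_norm(f) for f in files_on_card}
    auto = parse_autorun(autorun_text).get("autorun", {})
    findings = []
    for key, value in auto.items():
        runs_program = key in EXEC_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if runs_program:
            target = _norm(_program(value))
            findings.append((key, target, target in present))
    return findings


def is_suspicious(autorun_text, files_on_card):
    """True when autorun.inf would start a program that is actually on the card."""
    return any(present for _, _, present in
               find_launch_targets(autorun_text, files_on_card))


# Constructed card contents (hypothetical file names, not a real infection).
INFECTED_AUTORUN = "\n".join([
    "[autorun]",
    'open="Updater.exe" /silent',
    "icon=Updater.exe,0",
    r"shell\open\command=.\Updater.exe",
    "action=Open folder to view files",
])
INFECTED_FILES = ["autorun.inf", "Updater.exe", "DCIM/IMG_0001.jpg"]

BENIGN_AUTORUN = "[autorun]\nlabel=My Phone\nicon=phone.ico\n"

if __name__ == "__main__":
    for key, target, present in find_launch_targets(INFECTED_AUTORUN, INFECTED_FILES):
        print(f"{key} -> {target} ({'present' if present else 'missing'})")
    print("suspicious:", is_suspicious(INFECTED_AUTORUN, INFECTED_FILES))
```

A launch entry whose target is missing from the card is still reported by find_launch_targets, but is_suspicious only fires when the program is present, since that is the case in which opening the drive would execute it. Microsoft later stopped honouring autorun.inf on non-optical removable media, which removed this vector on patched Windows systems, but a card that carries such a file is still evidence worth acting on.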
[size=5][b]New platforms[/b][/size]
Prior to 2006, the two most frequently attacked mobile platforms were Symbian and WinCE, which are the main smartphone platforms. The appearance of the RedBrowser Trojan in February 2006 was an unpleasant surprise. This was the first time that standard handsets (i.e. not smartphones) were infected. RedBrowser targeted mobiles which use the J2ME platform to run certain applications.
Although until recently it seemed an impossibility, infecting almost every kind of mobile phone is now a reality. The very appearance of Trojans for J2ME is just as worrying as the appearance of the first worm for smartphones in June 2004. It’s still difficult to assess all the potential threats. However, it’s a fact that the standard handsets still outnumber smartphones and malicious users have now worked out how to infect a standard phone and use it for criminal purposes. This means that antivirus protection for such devices is becoming a relevant issue.
In spring the first proof-of-concept backdoor for BlackBerry devices was detected. However, it was written in Java, and therefore can't really be classified as malicious code for a new platform.
Of the thirteen new families of mobile malware discovered by Kaspersky Lab in 2006, seven included technical innovations, and two of the seven were for new platforms.

[align=center][table=80%][tr][td]Innovation[/td][td]Family[/td][td]Month[/td][/tr][/table][/align]

meva 2007-3-19 23:41

What exactly is Redbrowser? I always thought J2ME was "absolutely" safe, and now... shocked! Curious?! I'd like to see the source code and study it carefully. Please, boss!

© 1999-2008 EvilOctal Security Team