NEWS FROM THE LAB - Friday, July 8, 2005

Symbian trojan that sends another trojan over Bluetooth
Posted by Jarno @ 14:03 GMT

We have received samples of a rather interesting pair of trojans, SymbOS/Onehop.A and SymbOS/Bootton.A.

Onehop.A is a trojan that disables most of the built-in applications and replaces them with a component that causes the device to reboot when executed. In practice, this means that when the user tries to run any system application or presses the menu button, the device reboots.

In addition to damaging the phone, Onehop.A also contains Bluetooth functionality, with which it searches for the first phone it can find and sends Bootton.A to that device. Because Onehop.A sends a copy of Bootton.A rather than a copy of itself, it does not replicate and thus is not a worm, only a trojan.

As the name suggests, Onehop.A is capable of infecting devices only one hop away from the original infection, while a real worm is capable of unlimited hops.

The Bluetooth functionality of Onehop.A is implemented with a modified Cabir. Onehop.A installs a modified Cabir.B that is not capable of spreading itself and sends copies of Bootton.A instead. Because the modified Cabir is not capable of replication, it is detected as a component of Onehop.A, not as separate malware.

Bootton.A is almost identical to Onehop.A, with the exception that it does not have the Bluetooth functionality. It is therefore not capable of affecting other devices, and it is different enough to require a name other than Onehop.

Neither Onehop.A nor Bootton.A has been met in the wild. And as both of them pretend to be pirated software, people who don't install software from illegal sources do not need to be worried.