NEWS FROM THE LAB - Tuesday, December 4, 2007

Worm-Like Anti-Theft
Posted by JP @ 14:55 GMT

We've recently received questions about a Symbian S60 application circulating on the Internet that sends SMS messages at a very high rate to an unknown phone number. While studying this software, we came to realize it's actually a well-known anti-theft system for Symbian Series 60 phones.

We contacted the author of the software, and at the author's request we are now detecting, disabling, and removing a certain version (0.95 beta for S60 2nd Edition) of this anti-theft system from phones running our Mobile Anti-Virus software.

Due to design and programming errors, version 0.95b of the anti-theft software exhibits worm-like behavior, moving from MMC card to phone. Once on an "unknown" phone, it sends SMS messages at eight-second intervals to a predefined number.

The spreading mechanism, which was actually meant to make the system resist phone formatting, causes this anti-theft system to make a full copy of the software onto MMC cards inserted into the phone. When an MMC card that contains a copy of this software is inserted into a new phone, the "worm" starts automatically in the new phone, makes a copy of itself onto the C: drive of the phone, and starts the SMS alert loop, thinking it's still on the original phone that supposedly was just stolen and formatted.

Now, as if the previous behavior wasn't bad enough for software that was meant to protect your phone, things got worse when someone decided to repackage the software from an already installed set.

If you were to swap an MMC card with a friend, and it resulted in an alert that your friend's phone has been stolen (giving your number as the thief's), you would realize soon enough that something strange is afoot.

But if the person who has defined the number in the (repackaged) software is not someone that you know, and that person has no way to tell you about the SMS messages your phone is sending, you are in a bad situation: you'll only find out about the issue when your GSM operator gets in touch with you to talk about the 100,000+ SMS messages you've recently sent.

Current versions of the anti-theft system we're writing about here are available in many Symbian forums. Numerous Symbian blogs also contain discussions about "HatiHati virus" (hence the name for our detection) or "3396003964 virus". We've only seen a few connections made between the two thus far.
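
The SMS alert loop described above has a distinctive shape in message records: one sender, one destination, a fixed short period. The following is an added example, not code from this post or from our product, showing how an operator-side check could flag that pattern long before the count reaches six figures. The record layout, the thresholds and all subscriber and destination labels are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median


def find_sms_loops(records, min_messages=20, max_period=60.0, max_jitter=2.0):
    """Flag (sender, destination) pairs whose messages recur at a fixed short period.

    records: iterable of (timestamp_seconds, sender, destination) tuples.
    """
    by_pair = defaultdict(list)
    for ts, sender, dest in records:
        by_pair[(sender, dest)].append(ts)

    findings = []
    for (sender, dest), stamps in by_pair.items():
        if len(stamps) < min_messages:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = median(gaps)
        # Share of gaps close to the median: a timer loop is near 1.0,
        # a person texting a friend is not, however many messages they send.
        regular = sum(abs(g - period) <= max_jitter for g in gaps) / len(gaps)
        if period <= max_period and regular >= 0.9:
            findings.append({"sender": sender, "destination": dest,
                             "count": len(stamps), "period": period})
    return findings


def sample_records():
    """Constructed records; every label and timestamp here is made up."""
    records = []
    # sub-A: timer-driven loop, one message every 8 s with occasional 1 s jitter.
    records += [(1000 + 8 * i + (1 if i % 10 == 5 else 0), "sub-A", "dest-X")
                for i in range(40)]
    # sub-B: a busy human conversation, many messages but irregular gaps.
    t = 1000
    for i in range(30):
        t += (3, 40, 7, 120, 15)[i % 5]
        records.append((t, "sub-B", "dest-Y"))
    # sub-C: a couple of ordinary messages to different people.
    records += [(1005, "sub-C", "dest-Y"), (1900, "sub-C", "dest-Z")]
    return records


if __name__ == "__main__":
    for hit in find_sms_loops(sample_records()):
        print(hit)
```

Checking regularity as well as volume keeps a heavy but human texter (sub-B in the sample) from being flagged alongside the loop.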