22 January 2008
New Symbian S60 2nd Ed Worm Starts Crawling!!
Phone users have to do a lot wrong to be hit by a virus
F-Secure has just warned mobile phone users of a new worm which, as usual, affects only S60 2nd Edition Symbian smartphones.
As I have already said numerous times, there is no real danger if you are careful enough. Actually, in my personal opinion, smartphone users have to do a lot wrong to get infected, and the latest worm is no exception to this rule.
Like any other Symbian S60 malware, this worm requires authorization from the user to install, so it is hard to believe that a careful user could be infected that easily.
On the other hand, an inexperienced user could try to install it, and once installed the worm harvests the numbers stored in the address book and sends itself to them and to other random numbers on the same operator network.
The SymbOS/Beselo family of worms is very similar to Commwarrior. In fact at first we actually misidentified Beselo.A as Commwarrior.Y. Like Commwarrior, Beselo worms spread via MMS and Bluetooth using social engineering to trick users into installing an incoming SIS application installation file.
But what makes Beselo interesting is that instead of a standard SIS extension the Beselo family uses common media file extensions. This leads the recipient to believe that he is receiving a picture or sound file instead of a Symbian application. He is then far more likely to answer "yes" to any questions the phone prompts after clicking on such an incoming file. The filenames used by Beselo are beauty.jpg, sex.mp3, and love.rm.
However, just this use of a new social engineering trick was not enough to get more attention from us; we added Beselo.A as Commwarrior.Y back in December. But last Friday and over the weekend a friend working for a major telecom operator became interested in the extensions and did a bit of investigation into what was going on.
It turns out that Beselo.A was in the wild on their MMS network and that it had a big brother, Beselo.B.
Both of these worms have been able to escape operator and AV company attention for at least a while with the simple trick of pretending to be common media files. And as there are a lot of JPG and other media files traveling over MMS all the time it's no wonder that it took a while for people to realize that there is a new worm on the loose.
So if you have a Symbian S60 phone, and you receive a media file, answer "no" to any installation prompt that appears when trying to open the file. There is no reason for any image file to ask installation questions on the Symbian platform, so any image or sound file that does something other than play immediately is without question something other than it claims to be.
Beselo worms are compiled for S60 2nd Edition phones. Attempting to open the file on a 3rd Edition phone will likely cause an error message rather than an installation prompt.
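The disguise described above, an installer delivered under a media extension, can be caught on an MMS gateway or during triage by comparing an attachment's leading bytes with the type its name claims. The following is an added example, not code from F-Secure or from the original post; the function names and sample bytes are constructed for illustration, and the SIS UID constants are those listed in the file(1) magic database for pre-9.x Symbian installers.

```python
import struct

# Legacy (pre-9.x) SIS header: UID1, UID2, UID3 as little-endian 32-bit words.
# Constants as listed in the file(1) magic database for Symbian installers.
SIS_UID3 = 0x10000419
SIS_UID2 = {0x1000006D: "EPOC release 3/4/5", 0x10003A12: "EPOC release 6"}

def is_legacy_sis(data: bytes) -> bool:
    """True when the first 12 bytes carry the legacy SIS UID2/UID3 pair."""
    if len(data) < 12:
        return False
    _uid1, uid2, uid3 = struct.unpack_from("<III", data, 0)
    return uid3 == SIS_UID3 and uid2 in SIS_UID2

def matches_extension(ext: str, data: bytes):
    """Check leading bytes against the media type the extension claims.
    Returns None for extensions this sketch does not know."""
    if ext in ("jpg", "jpeg"):
        return data[:3] == b"\xff\xd8\xff"
    if ext == "mp3":  # ID3v2 tag or an MPEG audio frame sync
        return data[:3] == b"ID3" or (
            len(data) > 1 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0)
    if ext == "rm":
        return data[:4] == b".RMF"
    return None

def classify_attachment(filename: str, data: bytes) -> str:
    """Hypothetical gateway verdict: block, flag, or pass."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "sis" and is_legacy_sis(data):
        return "block: SIS installer named ." + ext
    if matches_extension(ext, data) is False:
        return "flag: content does not match ." + ext
    return "pass"

# Constructed samples: a header-only stand-in for a SIS file (UID1 is made up)
# and a minimal JPEG/JFIF prefix. No real malware bytes are involved.
FAKE_SIS = struct.pack("<IIII", 0x0DEC0DED, 0x10003A12, SIS_UID3, 0) + bytes(16)
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(16)

if __name__ == "__main__":
    for name, blob in [("beauty.jpg", FAKE_SIS), ("love.rm", FAKE_SIS),
                       ("holiday.jpg", REAL_JPEG), ("song.mp3", REAL_JPEG)]:
        print(name, "->", classify_attachment(name, blob))
```

The SIS check runs before the media check so that a renamed installer is reported as such rather than as a generic mismatch.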