by Deb Radcliff

 


 

A "Getting-started" Policy

The first two parts of this article have shown the depth and complexity of smart phone security vulnerabilities. Part three of this series presents the policy side of how to prevent attacks, and provides an overview of the history of mobile malware.

 

It'd be nice if organizations today could have comprehensive smart phone use policies in place and the power to enforce them, says Nick Ianelli, mobile security analyst for U.S. CERT.

 

"On company-issued phones, it'd be great to say, 'No gaming,' and 'No software installs without the authorization of IT,' and 'Turn off Bluetooth except when synching,'" he explains.

 

It'd also be good to remotely check patch level and security software running on the device at the time of VPN connection or PC synchronization. But, we're at least a year away from standards-based vendor products delivering this level of automation. So, in the meantime, start small, say experts. They offer the following advice1:

 

      • Take a survey. Find out who's using smart phones for what type of business. Then, make a risk assessment of those applications and the data stored in them.
      • Start an awareness campaign. Educate your power users about the value of their business data, and what would happen if it were stolen or rendered inaccessible by a mobile virus. Educate all users about the dangers posed to their personal information and how they shouldn't believe what they see on their devices, just like on their PCs.
      • Don't just tell them. Show them. Make them hands-on aware of the features in their phones that are risky, and show them how to use them securely.
      • If you must issue policy around business phone usage, stick only to your power users and what you can control with today's technology. For example, all phones come with remote locking, meaning they can be shut down if they're reported lost or stolen. So that policy should be implemented on any phone containing valuable business or regulated data.
      • Turn on encryption. Although not built to Trusted Platform specifications at this time, many mobile phone vendors have some type of built-in encryption. Third-party applications are also available. Look for the easiest interface, as users will have to interact with their encryption programs.
      • Control network connections through VPN access.

 

Resources

The following is a brief history of mobile malware2:

 

      • Spring 2004: Mosquitos, a game infected by a Trojan, sends messages to expensive toll numbers, causing considerable economic loss to its unwitting victims.
      • June 15, 2004: Cabir.A, the first Symbian worm to replicate through an active Bluetooth connection, emerges.
      • June 16, 2004: Only one day later, Cabir.B makes an appearance, and will continue its spread mainly in China, India, Turkey, Finland, and the Philippines. To this day, this worm continues to hitchhike around the world.
      • July 2004: Duts, nicknamed the "polite virus," hits Pocket PCs for the first time and spreads to all .exe files in the directory through exchanges of infected programs. When a program hit by Duts is activated, a message appears asking the user for permission to proceed: "Dear User, am I allowed to spread?"
      • Aug. 2004: Brador appears. This back door creates a copy of itself in the start file on handheld devices and informs the attacker the minute the device is online. The hacker can then connect to the palmtop through the TCP door and covertly control the device.
      • Nov. 19, 2004: Skulls.A attacks Symbian-based smartphones, appearing on Web sites that allow users to download shareware applications for the Symbian operating system. If erroneously installed, the Trojan blocks the functioning of applications, allowing the user only to make or receive phone calls.
      • Nov. 29, 2004: Skulls.B emerges. As with previous Trojans, this is spread through a file called Icons.SIS, blocking the functioning of the cellular device's applications and allowing the user only to make and receive phone calls, deleting all other functions. Skulls also carries the worm Cabir.B.
      • Dec. 9, 2004: Cabir.C, D and E appear.
      • Dec. 21, 2004: Skulls.C, Cabir.F and Cabir.G appear.
      • Dec. 22, 2004: MGDropper spreads during game installs disguised as the cracked copy of the popular cellular phone game Metal Gear Solid. When launched, MGDropper installs versions of Skulls and Cabir and tries to undermine the security products installed on the phone.
      • Dec. 26, 2004: Cabir.H and Cabir.I make an appearance. Both target cellular phones with a Symbian 60 Series operating system.
      • Jan. 11, 2005: Lasco, targeting cellular phones with a Symbian operating system and an active Bluetooth connection, combines viruses and worms and replicates the behavior of the notorious Cabir, searching for other active Bluetooth devices so it can replicate and look for .sis files to infect.
      • Feb. 1, 2005: The Locknut.A trojan (also nicknamed Gavino.A and B by some anti-virus companies) aims at phones with a Symbian 7.0 operating system. It's a Symbian SIS Trojan file that substitutes a binary file, blocking the phone and preventing any application from opening. Once hit by Locknut.A, the phone becomes unusable, even for phone calls.
      • March 3, 2005: Commwarrior.A starts creating unwanted billing for infected Series 60 users. This virus, however, adds a new layer of sophisticated intelligence, using Bluetooth during the daytime for spreading and sending MMS messages at night. To become infected, the user has to accept the installation dialogue; once done, detection is difficult. The global spread of Commwarrior.A has been rapid because of the trust users have in the sender.
      • March 18, 2005: Locknut.B installs as a phony patch for Series 60 phones, rendering the operating system unusable by preventing any application from launching. It also contains Cabir V, which spreads through Bluetooth.
      • April 4, 2005: Fontal.A, a SIS file Trojan, installs a corrupted font file into an infected device, causing it to fail at the next reboot. Fontal.A also damages the application manager so that it cannot be uninstalled, and no new applications can be installed before the phone is disinfected.
      • May 9, 2005: Skulls.K replaces the system applications with non-functional versions, drops the SymbOS/Cabir.M worm into the phone, and disables third-party applications that could be used to disinfect it.
      • August 26, 2005: Doomboot.B pretends to be a utility that can be used to reboot a phone, but when a user makes use of this application, Doomboot prevents the phone from booting again.
      • Sept. 20, 2005: Cardtrap.A, a malicious SIS file Trojan, tries to disable a large number of system and third-party applications and installs Windows malware on the phone's memory card.
      • Oct. 30, 2005: Commwarrior.C installs when a user replies to a new SMS or MMS message by opening a Web page using the phone's browser, then tries to change the logo to "Infected by Conmwarrior" (observed on Nokia 660 phones).

 

Footnotes

1Sources: CERT, Kaspersky Labs, Symantec, Yankee Group

2Information provided by F-Secure

 

--

 

Deb Radcliff is an award-winning freelance writer, educator and speaker based in Northern California. She's been covering online crime and security ever since working as a researcher on a book about the infamous hacker Kevin Mitnick back in 1995.
