SecurityReason

News from: Virus

» Topic:  Some thoughts about Bluetooth and Cabir spreading

» Added by:  sp3x

» Date:  17.9.2005

Lately there has been discussion in some media pointing out that the mobile worms we have seen are nothing but hype, and that no one in their right mind would get infected with something as simple as Cabir or Commwarrior.

As all currently known Symbian trojans and worms display several warnings, it would be easy to blame any user whose phone got infected for being stupid or ignorant. However, when one starts to investigate why people get infected by Cabir and other Bluetooth worms, it turns out that the explanation is not as simple as one would think.

Firstly, there are several Symbian applications that require Bluetooth to be visible in order to work properly. Some of them either switch on Bluetooth without asking the user, or display the activation question in such a manner that the user is likely to answer yes.

Then there are several social networking applications that use Bluetooth, such as YOU-WHO and CrowdSurfer, which enable people to use Bluetooth for social networking and gaming, thus lowering the bar for accepting connections and files from unknown persons.
There is even an art project that is based on searching for visible Bluetooth devices and contacting people.

Finally, most Cabir variants are quite aggressive in spreading and keep sending Bluetooth connection requests even when the user clicks no to them, potentially causing the user to get frustrated with these requests and start clicking yes to all questions.

To demonstrate this effect, we have shot videos of Cabir bombarding another phone, and of Commwarrior trying to hit all the phones it sees at the same moment.

A video of Cabir infecting another phone (WMV 17.2MB file):

http://www.f-secure.com/weblog/archives/Cabir_infection.wmv

A video of Commwarrior trying to connect to several phones at the same time (1654k file):

http://www.f-secure.com/weblog/archives/Commwarrior_connection_request.wmv

In other news, we added a description for SymbOS/Doomboot.D, a very close variant of Doomboot.C. Doomboot.D is otherwise a minor case, except that it contains real pictures of Angelina Jolie, so it might spread among people who download illegal content.

Also, we have updated the list of Commwarrior sightings.

1. Ireland
2. India
3. Oman
4. Italy
5. Philippines
6. Finland
7. Greece
8. South Africa
9. Malaysia
10. Austria
11. Brunei
12. Germany
13. USA
14. Canada
15. UK
16. Romania
17. Poland
18. Russia

Source: f-secure.com


