Virus writer tests limits in cell phones

A Brazilian software developer has written a virus that takes advantage of Bluetooth.

Marcos Velasco, a 32-year-old Brazilian software developer, enjoys movies with special effects, maintains a vast collection of antique computers in his home and is the proud father of two young children and one mobile phone virus, which he named after himself: Velasco.

Computer security experts around the world have given his virus and its variants more toxic-sounding names like "Lasco.A," "Symbos_Vlasco.A" or simply "the Lasco virus." They are also calling it stupid.

"We think he's dangerous," said Mikko Hypponen, the director of antivirus research for a Finnish company, F-Secure, "because he publicly posts working mobile malware that any clown anywhere can easily download and use."

Velasco's creation is essentially a piece of computer code that takes advantage of the short-range radio frequency technology called Bluetooth, which is installed on many common handheld devices, especially cell phones. If a person carrying an infected phone passes someone carrying a Bluetooth phone on the street, Velasco's worm can jump the gap, infecting the second phone.


He does not spread the virus--technically a worm, according to some computer security experts, that has the ability to reproduce itself and does not need a host program--but he is evidently happy to share his work. "This worm for cellular phones is the first one with available source code in the world," his Web site declares.

Whether anyone beyond antivirus researchers has downloaded Velasco's program is an unanswered question, and industry experts are careful to say that the age of the cell phone virus is not yet upon us.

But Velasco's virus, which appears to do little harm, points not just to the inevitability of more virulent ones aimed at cell phones and other mobile devices, but also to a virus-writing subculture unfazed by multimillion-dollar bounties, international prosecution and an official inclination, after the attacks of September 2001, to characterize virus writers as terrorists.

For Velasco--as with many virus enthusiasts who operate in a murky area of the law--the objective is not malice but testing theories, solving puzzles or just free expression. From his home in Volta Redonda, a steel-making city west of Rio de Janeiro, Velasco runs a small software development company, dotes on his collection of 104 aging computers (which he says he may open to the public one day), and dreams of writing a book on viruses.

"Security, hacking and viruses are all hobbies to me," he said in an e-mail interview. "I like this area a lot."

In the last few weeks, Velasco's worms have been cataloged in all the major encyclopedias maintained by antivirus companies--from Symantec in Cupertino, Calif., to the Kaspersky Lab in Moscow and Trend Micro, based in Tokyo. All classify the virus, like the four or five other known mobile viruses that have emerged over the last year, in the relatively benign "proof of concept" category, meaning that it is currently a low-level threat.

Indeed, Velasco's worm carries no malicious payload. Still, it represents a significant improvement of sorts over what was largely viewed as the first cell phone virus, called Cabir, thought to have been developed last summer by an international virus-writing collective known as "29A."

Cabir, which also took advantage of Bluetooth technology, was able to sniff out other active Bluetooth devices and, if it found one in the typical transmission range of about 11 yards, a user of the receiving device would see a cryptic installation message. If they unknowingly accepted, the virus would have successfully propagated. But Cabir was limited to one "jump" for each boot-up, not the most efficient way to spread.

Velasco repaired that shortcoming and published the improved version on his Web site in December. Then he recompiled the source code to come up with more polished variations that could both exploit the Bluetooth protocol and burrow into a device's system files--waiting to be uploaded by other means, via memory cards or cable links, for instance. Then he posted those, too.

"These are real viruses and they work well," Hypponen of F-Secure said. "Almost too well. Velasco's Cabirs are actually much more virulent than the original Cabirs made by 29A, and the Lasco.A virus by him is the first mobile phone virus infecting installation files."

All the Cabir and Lasco variants aim at devices using a version of the Symbian operating system, which is collectively owned and licensed by companies including Nokia, Ericsson and Samsung. Symbian is one of the three major platforms, along with Microsoft's PocketPC and the PalmSource OS, now competing for dominance in the mobile market.

Until recently, the much-discussed but little-seen mobile phone virus had been hampered by the relatively small market penetration of truly "smart" devices--less than 5 percent of the mobile market over all, according to the research firm Canalys. Smart devices are those that marry data-rich (and virus-vulnerable) services like Web browsing, scheduling, e-mail and text messaging, as well as plain old phone service. And the variety of platforms and interfaces running on these machines has thus far rendered them something of a moving target for would-be writers of malicious code.

"Today, everything is still sort of scattered across Symbian, Blackberry, Palm, PocketPC," said John Pescatore, an Internet security analyst at Gartner, which advises companies on the global information technology industry. "One virus can't possibly hit all the phones; not even 20 percent of the phones."

But Symbian-based devices made big gains in the mobile market in 2004, according to data compiled by Canalys. In the third quarter of 2003, the three major platforms each made up about a third of all smart mobile shipments. In the 2004 quarter, Symbian-based devices grew to half of all new shipments. And on Wednesday, Symbian announced its entry, along with PalmSource, into the Open Mobile Terminal Platform group, an organization of mobile phone operators that seeks to bring more interoperability and consistency to the forest of mobile devices on the market.

These are the kinds of preconditions--market penetration, uniformity--that, according to Pescatore, will be needed to pique the interest of would-be scammers, hackers and virus writers. And in that sense, Velasco's exploits are something of an early object lesson.

"We've told our enterprises," Pescatore said, "that 2005 is the year to start planning how to prevent this," adding that the real threat will come if virus technicians figure a way to reliably deliver payloads not via the short-distance radio frequencies used by Bluetooth, but by raining them down through the cellular networks. "That would be a much bigger problem, and a much harder solution," he said.

For now, though, the problem is only about as big as Velasco--though for many, that is big enough.

Other antivirus companies that have downloaded Velasco's creation and tested it in their labs corroborate the basic functioning of the worm. And while they, too, see it as a relatively benign bit of code in its own right, it suggests the potential for more aggressive worms that might destroy or steal data, generate hidden and expensive phone calls, or render a mobile device inoperable.

"It's not healthy for anyone to do this sort of thing," said Todd Thiemann, director of device security marketing at Trend Micro. "We need to be measured and not say the sky is falling. But this signals that this is what is possible. That's the real risk from this publication."

All the major antivirus vendors offer an inoculation for the Lasco virus on their Web sites--as does Velasco himself. And for those inclined to worry if their phones might catch a strain of the Velasco flu from infected passers-by, the advice is simple: keep your Bluetooth service disabled until you need it, and do not accept any unknown offers to install anything.

"It's all fairly common-sense stuff," said Keith Nowak, a spokesman for Nokia, who said that representatives of the company in Brazil were aware of Velasco's Web site and that they were planning to contact him--gently.

"We're not into strong-arm tactics," Nowak said. "And we don't want to get in the way of the free exchange of ideas. But with malware, in the spirit of open communication, we might get in touch and say, 'Hey, this isn't a good thing.' "

Still, if Velasco is not much intimidated by Microsoft's $5 million bounty on the heads of several prominent virus writers, which the company began offering in 2003, nor by the arrest of several worm code writers last year--including Sven Jaschan, a German suspected of launching the disruptive Sasser and Netsky worms--it seems unlikely that he will respond to gentle prodding.

"I don't publish viruses to cause a panic," he said. "I only publish to spread knowledge."

And he added, "I don't think knowledge should be punished."

Entire contents, Copyright © 2005 The New York Times. All rights reserved.