Smart-phone worm has a hang-up

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

As previously reported, the so-called Cabir worm is written for the Symbian operating system, the OS used in a majority of smart phones--devices that combine the features of a cell phone and a personal digital assistant. The worm's creators sent a copy of it to antivirus researchers Monday, and it's not yet known if the program has made its way to the general public.

Some researchers initially thought Cabir would automatically run on phones based on the Symbian OS, but an analysis of the program has changed that assessment. In order for the worm to spread, said Kevin Hogan, senior manager for security company Symantec, the user of a targeted phone has to approve of a download from an unknown source.

"The way in which (this worm) replicates itself will severely limit its spread, even if (the worm) was to be made public," Hogan said. "It is not relying on a vulnerability in the operating system; it is relying on the underlying vulnerability of the person who is using" the OS.

To propagate, the worm has to clear three hurdles, Hogan said. First, the target device's user must allow the infected phone to connect to the target device through the Bluetooth wireless protocol. Then, the potential victim must accept the data for download. Finally, the user has to agree to install the application.

"We still haven't seen this thing in the wild," Hogan said. "So far, it is what we call a 'zoo virus'--it is only in the hands of researchers and the person that wrote it."

While the worm is not likely to spread, antivirus companies warned that other virus writers may use it as a departure point for their own development, placing the digital code at the beginning of a chain of evolution that could result in an actual threat to users of smart phones.

"We see it as a pretty significant step forward," said Vincent Gullotto, vice president of Network Associates' antivirus emergency response team. Two other minor variants of the program, which remove extraneous code, have appeared already, he said.

"The saving grace is that you have to accept the program, it just doesn't show up on your machine," Gullotto said.

Cabir uses components of Nokia's Series 60 development platform, a platform used not only by Nokia but also by other major smart phone manufacturers, including Siemens, Samsung, Sendo and Panasonic. Symantec and other antivirus companies confirmed that, theoretically, the worm could spread between Nokia Series 60 phones running Symbian 6.1 or higher. Security company Network Associates found that the program could infect a Nokia 6600 phone.

Representatives of Symbian and Nokia were not immediately available for comment.

Are security companies ahead of hackers?

Even if Cabir could spread quickly, it might not gain much traction because smart phones still have not taken off, especially in the United States. Symbian's operating system currently dominates the smart-phone market, which remains small, representing only a thin slice of the more than 1 billion cell phones in circulation. The Symbian OS is expected to battle a similar product from Microsoft for the lead in the operating system market through the end of the decade.

Threats like the Cabir worm could be further stymied by Symbian Signed, a new campaign that will require all applications for the Symbian platform to be digitally signed, attesting that the company has looked at the code. Users could refuse to install any unsigned applications.

Cabir doesn't have a destructive payload, but it constantly scans for other Bluetooth devices it can target, severely shortening the battery life of any system it's already infected, according to Symantec's analysis.