Ten Years Later, Cabir Worm’s Place in History is Unique

It’s difficult to remember now–and seems quaint even if you can recall it–but there was a time in the not-so-distant past when industry analysts and security experts were worried about the coming mobile malware apocalypse. Self-replicating malware would soon be flooding our phones, deleting our coveted ringtones and preventing us all from playing Snake.

Mobile phones were considered the next great computing platform, and it was only natural to think that attackers would follow users’ lead and move their wares there, as well. As it turns out, smartphones have indeed become a major part of the computing landscape, with many users doing much, if not all, of their online activities on their phones. And attackers wasted no time in taking advantage of that shift, preying on the mobile app model and the coming wave of mobile payments.

However, what never materialized is the kind of mobile malware that had experts so worried a decade ago. It’s been 10 years now since the first native mobile virus, Cabir, appeared on the scene, and it was that worm that helped spread the fear of widespread smartphone viruses. Cabir was discovered in June 2004, and much of what followed was slightly weird and off-kilter.

The worm wasn’t discovered in the wild, but instead showed up in the email inbox Kaspersky Lab had set up to collect new virus samples. Analysts began taking the code apart and noticed right away that the malware wasn’t meant for PCs, something that initially confused them. What good was a piece of malware if it couldn’t infect computers?
“A quick analysis showed that it was an application for Symbian OS and also an installer archive containing other files. As a rule, virus analysts deal with files created for traditional x86 processors. The files in caribe.sis were applications for ARM processors, which are used in a range of devices, including mobile phones,” Alex Gostev of Kaspersky wrote in an analysis a couple of years later, looking back on the incident.

“Initially, we knew very little about the machine language used by that processor, but within a few hours our analysts had managed to familiarize themselves with it. The purpose of the files was then clear: this was a worm for mobile phones which spread via Bluetooth. Our conclusions were fully confirmed the next day when we tested the worm on a Nokia N-Gage telephone running Symbian.”

As if being written for a mobile platform wasn’t interesting enough, Cabir also had some other oddities. Namely, it didn’t seem to do anything. Most malware is designed to steal information, delete data or some combination of the two. Cabir did neither, but instead simply tried to find other nearby devices and spread via the then-nascent Bluetooth technology. Once on a new device, it displayed the word “caribe” on the screen and would do so each time the phone was restarted. The worm had no malicious payload, but instead appeared to be a show of force, proof that someone out there knew how to do this.

Malware experts never really doubted that part; after all, virus writers had proven themselves to be nothing if not resilient and resourceful over the years. But for the malware authors, a key piece of the puzzle was still missing: a reason to care about the mobile platform.

Apple would supply that reason almost exactly three years later with the release of the original iPhone. As the company’s formidable marketing machine went into top gear to push the iPhone, consumers lined up for blocks to get their hands on the shiny touchscreen computers, a scene that would repeat roughly once a year with each new release. And the devices were computers, with powerful processors, a built-in app ecosystem, and most importantly for the attacker community, lots of memory. And that memory could be used to store plenty of valuable data, things like corporate email with big fat attachments, financial documents and virtually anything else the user cared to keep on board.

The iPhone, and the Android devices that quickly followed in its tracks, also came equipped with lots of communications options, including Bluetooth and WiFi, giving people the ability to use them as their main computing devices. And so they did. Which meant massive amounts of valuable information suddenly flying through the air just waiting to be intercepted. Attackers quickly set about the task of finding ways to exploit this new platform, and it didn’t take long for their focus to sharpen on the app model. Developers were pushing thousands of new apps into the ecosystem every month, many of them with little thought about security, which led to the predictable problem of vulnerable apps, Trojaned apps and eventually outright malicious apps. Apple and Google have been fighting this problem ever since.

But the feared waves of self-replicating mobile malware never emerged. There have been other pieces of malware to follow Cabir’s lead in the years since it debuted, but the attacker community learned quickly that there wasn’t much profit in that model. The real money is to be found stealing data and intercepting sensitive communications, so all of the action has shifted to finding creative new ways to accomplish those tasks, whether through malicious apps or some other method.

Cabir’s place in history as the first mobile phone virus is secure, and with the perspective of time, it can be seen for what it was: not the origin of a species, but a mutation that would soon wither and die.