Caribe worm – source code

By Rod Carvalho

Have you ever wondered what malware looks like? Wonder no more.

Remember Caribe, the infamous worm which infects cell phones running Symbian OS and propagates via Bluetooth? I remember it because my former flatmate had his Nokia phone infected with it (that was back in 2005). Caribe’s source code can be found here. Note that the worm’s source code was published long ago, so this is not exactly news for the experts. It’s news to me because I had never seen a worm’s source code before, so I found it interesting.

Caribe is written in C++. I have skimmed the code rapidly, and my first impressions were:

  • there’s some rather low-level stuff, as expected.
  • the authors did not sign their code, as expected.
  • the authors did not comment the code much, which makes it hard(er) to read. But then, I suppose that writing malware is not exactly like collaborating on Open Source Software projects, right? You don’t want people to be able to read the code, so there’s no need to make it very readable.

To whet your curiosity, here’s a snippet of code (from file caribebt.cpp):

int CaribeBluetooth::FindDevices() {

	_LIT(KL2Cap, "BTLinkManager");

	int res;

	if((res = socketServ.Connect()) != KErrNone) {
		//ErrMessage("Error Connect");
		return 0;
	}

	if((res = socketServ.FindProtocol((const TProtocolName&)KL2Cap,pInfo))!=KErrNone) {
		//ErrMessage("Error FindProtocol");
		socketServ.Close();
		return 0;
	}

	if((res = hr.Open(socketServ,pInfo.iAddrFamily,pInfo.iProtocol))!=KErrNone) {
		//ErrMessage("Error Open");
		socketServ.Close();
		return 0;
	}

	WithAddress = 0;
	addr.SetIAC(KGIAC);
	addr.SetAction(KHostResInquiry);
	TRequestStatus iStatusIn;

	hr.GetByAddress(addr, entry, iStatusIn);

	User::WaitForRequest(iStatusIn);

	if(iStatusIn!=KErrNone) {
		//ErrMessage("Error Finding Devices");
	} else {
		WithAddress = 1;
	}

	socketServ.Close();
	//hr.Close();

	return 0;
}

Each time the infected cell phone is switched on, the Caribe worm scans the list of active Bluetooth connections. The worm will then select the first active connection shown and will attempt to send its main file, caribe.sis, to this device. The directory SYMBIANSECUREDATA which the worm creates is hidden and cannot be seen by the user of the infected cell phone. Even if the worm file is deleted from the APPS directory, the worm will continue to be active in the system.
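As an added illustration of the propagation behaviour just described (this is constructed example code, not part of the original post or of the worm's source), here is a small Python model of it: each simulated phone has a flag for whether it is discoverable to an inquiry and a flag for whether its owner accepts the incoming file, and an infected phone, on each power-on, inquires, takes the first device returned and attempts the transfer. The phone names, the flags and the power-on loop are assumptions of the model; it shows that phones in non-discoverable mode never appear in the inquiry, and that in this model the worm stalls whenever the first device it finds keeps declining.

```python
from dataclasses import dataclass


@dataclass
class Phone:
    """A simulated handset (constructed for this example)."""
    name: str
    discoverable: bool     # visible to a general inquiry (the KGIAC inquiry in the snippet)
    accepts_prompts: bool  # the owner accepts the incoming file prompt
    infected: bool = False


def inquiry(scanner, phones):
    """Model of the device inquiry: every OTHER phone that is discoverable, in list order.
    Non-discoverable phones simply do not show up, whatever their owner would do."""
    return [p for p in phones if p is not scanner and p.discoverable]


def power_on(phone, phones):
    """One power-on cycle of a phone. An infected phone inquires, picks the FIRST device
    returned and tries to send its file to it. Returns the name of the device it tried,
    or None if it did nothing."""
    if not phone.infected:
        return None
    found = inquiry(phone, phones)
    if not found:
        return None
    target = found[0]            # always the first device in the inquiry result
    if target.accepts_prompts:   # the transfer only lands if the owner accepts the prompt
        target.infected = True
    return target.name


def simulate(phones, cycles):
    """Run `cycles` rounds in which every phone is powered on once.
    Returns the names of the infected phones, in list order."""
    for _ in range(cycles):
        for p in phones:
            power_on(p, phones)
    return [p.name for p in phones if p.infected]


if __name__ == "__main__":
    # Constructed scenario: A carries the worm; C is non-discoverable; D always declines.
    fleet = [Phone("A", True, True, infected=True), Phone("B", True, True),
             Phone("C", False, True), Phone("D", True, False)]
    print(simulate(fleet, 3))   # C never appears in any inquiry, so it stays clean
```

Reordering the list so that the declining phone D is the first device A finds leaves A as the only infected phone no matter how many cycles run, which is the "not very persistent" behaviour a defender can rely on: non-discoverable mode and declining the prompt both stop this mechanism.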

(via Errata Security and Offensive Computing)

-/-

Disclaimer #1: please do note that I do NOT advocate the development of malware. The reason I wrote this post is simple: I believe that understanding how malware works is the best way to fight it ("know thy enemy").

Disclaimer #2: please keep in mind that I am NOT affiliated in ANY way with the guys who created the Caribe worm. I do NOT know them. I do NOT endorse their actions.

Disclaimer #3: should you download the source code, remember that you’re doing so at your own peril. First of all, your anti-virus will detect the presence of malware in the downloaded file and will ask you what to do with it. I am not responsible for what you do with your computer. If you don’t know much about software, don’t download the source code, period. You probably would not understand the source code anyway.


4 Responses to “Caribe worm – source code”

  1. Alex Says:

    I don’t think antivirii can detect malicious code.

  2. rod. Says:

    Hey Alex,

    You are right. They can’t.

    I did not explain myself clearly: the source code I downloaded (the same I link to) comes in a ZIP file. That ZIP file contains not just the source code (.cpp and .h files), but also the binary file caribe.sis, which is the worm itself. I should have explicitly mentioned it. Sorry.

  3. David Says:

    That’s about as vanilla a connection routine as I’ve ever seen. It’s not even very persistent.

  4. rod. Says:

    @ David

    Yeah, it’s not a very impressive piece of code. Vanilla indeed.
