A new worm affecting Bluetooth cell phone technology has been identified by Finnish security firm F-Secure… and by its Brazilian creator, who claims he does not spread the self-reproducing bug but seems rather pleased to share his work as open source code.
Marcos Velasco named the bug after himself, but F-Secure and other security watchers have named it Lasco.A, Symbos_Vlasco.A, or just the Lasco bug. And it's Velasco's public posting of the code that has security experts, er, buggy.
"We think he's dangerous," said F-Secure antivirus research director Mikko Hyppoenen to reporters, "because he publicly posts working mobile malware that any clown anywhere can easily download and use."
"This worm for cellular phones is the first one with available source code in the world," Velasco himself said on a posting at his own Website – called Marcos Velascos Security.
F-Secure first spotted Lasco January 11, but the identity of its author wasn't known for about another week. The bug is not believed to do any substantial harm, but it isn't known whether anyone other than antivirus researchers like Hyppoenen has actually downloaded the bug.
Lasco "also (points) to a virus-writing subculture unfazed by multimillion-dollar bounties, international prosecution and an official inclination, after the attacks of September 2001, to characterize virus writers as terrorists," the New York Times wrote about the open posting of Lasco's code.
"Lasco.A replicates over Bluetooth connections and arrives to phone messaging inbox as velasco.sis file that contains the worm," F-Secure said in an analysis of the bug. "When user clicks the velasco.sis and chooses to install the velasco.sis file the worm activates and starts looking for new devices to infect over Bluetooth.
"When Lasco worm finds another Bluetooth device it will start sending copies of velasco.sis file to it, as long as the target phone is in range," the company continued. "Like Cabir.H, Lasco.A is capable of finding a new target, after the first one has gone out of range."
Lasco can also replicate by inserting itself into other .sis files found in the cell phone it invades, F-Secure said, and if they're copied into another device Lasco will start inside the first installation task, asking the user if he or she wants to install Velasco, as the bug identifies itself onscreen.
"Please note that SIS files infected by Lasco.A will not be automatically sent to other devices," F-Secure said. "The only way to get infected by Lasco.A infected file other than the original Velasco.SIS is to manually copy and install it to another device. The Lasco.A is based on the same source as Cabir.H and is very similar to it. The main difference between Cabir.H and Lasco.A is the SIS file infection routine. Please note that Lasco worm can reach only mobile phones that support Bluetooth, and are in discoverable mode."
Hyppoenen was so outraged at Velasco's apparent shamelessness in writing the worm and making that code, and apparently others', freely available from his site that he wrote a scathing comment for wide Internet distribution.
Velasco is "completely openly writing viruses and making them available from his Website to anyone, anywhere in the world," Hyppoenen wrote. "Apparently this is not illegal in Brazil. So any kid, any lunatic, any anarchist anywhere can download all his viruses complete with sourcecode and do whatever they want with them.
"And Mr. Velasco has no problem with this. In fact, he has just given an interview about his activities to a Finnish magazine ITViikko. The interview has been published in English on mobilemonday.net. Writing viruses is wrong. Distributing them is even worse. It should be illegal, too."
In that interview, conducted by e-mail, Velasco seemed at least as boastful as Hyppoenen implied.
"I’m a professional programmer. Viruses, hacking and security are my favorites," said Velasco, who published his own version of the earlier, experimental Cabir cell phone worm in December.
"I wanted to demonstrate how the worm works," he continued. "The reason I published the source code was that the anti-virus researchers at Kaspersky did not believe it was mine."
He insisted he does not want to spread his worms or to see them get spread otherwise. But he did admit that publicly available source code would probably speed up the making of new mobile malware, according to the e-mail interview in question.
"The release of Lasco's source code will take the virus scene in the cellular world to a totally new level," Velasco said. "Maybe the year 2005 will be remembered as the year of mobile malware." He also said Lasco would be his final mobile bug. "It's the first real mobile virus," he said, "and that's enough for me."