MMS Virus Blocking

Topic Keywords: operator MMSC

Various public reports have discussed the potential for viruses to be spread via MMS. To date, most of the identified viruses have targeted Nokia Series 60 (and potentially other Symbian) phones.

NowSMS v5.51b – March 2005

In March 2005, NowSMS v5.51b was released, which included a configuration option intended to help prevent the spread of viruses via MMS when NowSMS is used as the MMSC.

The text of the March 11, 2005 statement follows:

Public reports have identified a virus that can be spread via MMS on Nokia Series 60 (and potentially other Symbian) phones.

We have not received any confirmed reports of customers encountering this virus, however we take the current published reports seriously, and believe that there is a potential risk for additional variants of the current virus threat.

The current virus is known as “CommWarrior”. It spreads as an infected Symbian application that is attached to an MMS message.

The recipient receives a message with a subject such as one of the following:

Norton AntiVirus Released now for mobile, install it!

Nokia ringtoner Nokia RingtoneManager for all models.

Security update #12 Significant security update. See www.symbian.com

The user is then presented with an option to “Install CommWarrior?”. (And it is likely that the user will have to make an additional selection to confirm that they wish to install the application.)

If the user selects yes, then the CommWarrior application is installed on the Series 60/Symbian device. Of course, CommWarrior is actually a virus which after some delay, sends out infected MMS messages to other users in the individual’s address book.

End users need to show discretion in installing any applications that they receive unsolicited. However, it is likely that some naive users will install the application allowing the virus to spread.

This virus specifically targets handsets that are using the Symbian OS, including Nokia Series 60 phones such as the 7610, 6600, 3650, 6260, and 7650. It cannot infect other types of handsets. And it can only infect a Symbian handset if the user elects to install the application that they received unsolicited in the MMS message.

If you have received an MMS message that prompted you to install an unknown application, especially CommWarrior, and you mistakenly installed the application on your phone, then you should take steps to remove the virus from your phone. For additional information on this current virus threat, and links to anti-virus vendors, see http://www.electricnews.net/news.html?code=9592732

For customers who are using NowSMS as an MMSC, we are presenting a security update to NowSMS which can block the delivery of executable attachments to MMS messages for any subscribers to the NowSMS MMSC (“MMSC Users”). Please note that this update is only relevant for configurations where NowSMS is being used as an MMSC in a somewhat public environment (such as an operator MMSC deployment).

Please see https://nowsms.com/discus/messages/53/8153.html for a complete list of changes in this update for the Now SMS & MMS Gateway v5.51. That thread also contains a link for the download.

The following text describes the new feature that is used to block the delivery of executable attachments to MMS messages.

MMSC: Add configuration option to block certain MIME types from being delivered to an MMS recipient when NowSMS is acting as the MMSC. This option is being implemented primarily to deal with potential MMS virus threats, where infected Symbian applications are being spread to Nokia Series 60 phones through MMS. To block executable MIME types, create a file named MMSBLOCK.TXT in the NowSMS program directory. In this file, list one MIME content type per line, specifying content types to be blocked. We recommend the following entries in this file to prevent Symbian and Java executables from being distributed via MMS:

• application/vnd.symbian.install
• application/java-archive
• application/x-java-archive
• text/vnd.sun.j2me.app.descriptor

This functionality requires that “Dynamic Image + Audio Conversion” be enabled for the MMSC.

NowSMS 2006 – March 2006

In the past year, since the release of the feature that could be used to help prevent the spread of MMS viruses when NowSMS is used as the MMSC, we have re-evaluated the technique that was originally introduced in NowSMS v5.51b (March 2005).

While the technique did help prevent the spread of a virus being distributed via MMS, it did not consider that most of these types of viruses are spread via multiple protocols. Many mobile viruses attempt to spread via Bluetooth, with MMS used as a secondary channel. When a phone becomes infected by a virus via Bluetooth, often the virus will then scan the contact list of the newly infected phone, and send attempt to send itself out to that phone’s contact list via MMS. The NowSMS virus blocking efforts described above will prevent the virus from being spread. However, there are limitations of this solution:

1.) The infected user still sends an MMS message out to all of their contacts. NowSMS only strips the executable component that contains the virus out of the message. While the virus is not spread, the infected user may still be charged for all of the MMS messages that were sent by the virus.

2.) The virus blocking feature relies on the “Dynamic Image + Audio Conversion” option being enabled in the MMSC, which is not desirable for all configurations.

3.) Trusted Value Added Service providers are unable to distribute any executable content via MMS.

Effective with the initial release of NowSMS 2006, the way in which the MMSBLOCK.TXT file is implemented has been changed to address these concerns.

Now, whenever an MMS message is submitted to the MMSC via MM1, MM4, or SMTP (MM3), NowSMS examines the message to determine if the message contains any content that is in the blocked list. For MM1 submissions, the MMSC will refuse to accept the message, so that the user will not be charged for the attempt. For MM4 and SMTP connections, the MMSC will process the message, but will skip any content that is in the blocked list.

The intent is to block the spread of viruses that are transmitted user to user. MM7 connections are allowed to send content of the content types that are defined in the MMSBLOCK.TXT file.