Jailbroken iPhone Users Get Rickrolled


The ‘big’ news this week was that the first self-replicating worm hit the iPhone. It only seemed to be spreading in Australia, though, and only worked under a specific set of circumstances.

It only affects iPhone users who have jailbroken their phone and have SSH software installed with the default password of alpine.

Thankfully it’s not particularly malicious unless you are allergic to Rick Astley.

iPhone owners in Australia awoke this weekend to find their devices targeted by self-replicating attacks that display an image of 1980s heart throb Rick Astley that’s not easily removed. The attacks, which researchers say are the world’s first iPhone worm in the wild, target jailbroken iPhones that have SSH software installed and keep Apple’s default root password of “alpine.” In addition to showing a well-coiffed picture of Astley, the new wallpaper displays the message “ikee is never going to give you up,” a play on Astley’s saccharine addled 1987 hit “Never Gonna Give You Up.”

Tricking victims into inadvertently playing the song has become a popular prank known as Rickrolling. A review of some of the source code shows that the malware, once installed, searches the mobile phone network for other vulnerable iPhones and when it finds one, copies itself to them using the default password and SSH, a Unix application also known as secure shell. People posting to this thread on Australian discussion forum Whirlpool first reported being hit on Friday.

A new twist on the rickrolling phenomenon at least, and of course the good thing for the rest of the world is that the infection seems to be fairly localized.

To me it’s more of a PoC (Proof of Concept) than anything else, but it is a neat piece of programming and shows what some malicious minds could put together if they wanted to target iPhones.

From the author’s perspective, he just wants to let people know that if they are gonna mess with their iPhone they better secure their shit.

The attack is a wakeup call for anyone who takes the time to jailbreak an iPhone. While the hack greatly expands the capabilities of the Apple smartphone, it can also make it more vulnerable. Programs such as OpenSSH, which can only be installed after iPhones have undergone the procedure, can be extremely useful, but if owners haven’t bothered to change their root password, the programs also represent a gaping hole waiting to be exploited.

Indeed, a hacker going by the moniker ikee and claiming to be responsible for the worm said here that he wrote the program to bring awareness to the widely followed practice of failing to change the iPhone’s password.

“I was quite amazed by the number of people who didn’t RTFM and change their default passwords,” the unidentified worm writer said. “I admit I probably pissed of [sic] a few people, but it was all in good fun (well ok for me anyway).”

Ikee said the worm disables the SSH daemon so it can’t be targeted further.

And in the true hacker spirit, the worm disables SSH so it can’t get infected again or hacked by anyone else.

It doesn’t take skills to own the box, it takes skills to stay on the box :)

Source: The Register
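The exposure described above comes down to root being reachable over SSH with a password. The following audit is an added example, not code from the original post or from the worm: it reads the text of an `sshd_config` and reports whether that combination is enabled. The function names, the sample configs and the assumed defaults for unset keywords are all illustrative.

```python
import re

# Assumption: defaults for keywords the file leaves unset follow older OpenSSH
# builds (PermitRootLogin yes). Newer releases default to prohibit-password.
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}


def parse_sshd_config(text):
    """Return (global_settings, match_overrides) for the two keywords we audit."""
    global_settings, match_overrides = {}, []
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comment lines carry no settings
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True  # everything after this line is conditional
        elif keyword in DEFAULTS:
            if in_match:
                match_overrides.append((keyword, value))
            else:
                # sshd keeps the first value it reads for each keyword.
                global_settings.setdefault(keyword, value)
    return global_settings, match_overrides


def audit(text):
    """List findings; an empty list means root password login is not enabled."""
    settings, overrides = parse_sshd_config(text)
    root = settings.get("permitrootlogin", DEFAULTS["permitrootlogin"])
    password = settings.get("passwordauthentication", DEFAULTS["passwordauthentication"])
    findings = []
    if root == "yes" and password == "yes":
        findings.append("root can log in over SSH with a password")
    for keyword, value in overrides:
        if value == "yes":
            findings.append(f"Match block sets {keyword} yes; review it by hand")
    return findings


# Constructed samples, not taken from any real device.
EXPOSED = "# stock config\nPort 22\n#PermitRootLogin no\nUsePAM yes\n"
HARDENED = "PermitRootLogin without-password\nPasswordAuthentication no\nPermitRootLogin yes\n"

if __name__ == "__main__":
    for name, sample in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(sample) or "no findings")
```

A clean result says nothing about the password itself, which still has to be changed with `passwd`. Keyboard-interactive authentication through PAM is not evaluated here.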


Posted in: Apple, Exploits/Vulnerabilities, Malware



5 Responses to Jailbroken iPhone Users Get Rickrolled

  1. anon November 11, 2009 at 5:20 pm #

    Why does old news consistently get posted here? I think I’m going to remove this from my RSS feeds.

  2. Darknet November 11, 2009 at 5:30 pm #

    anon: Yah I guess if news that broke 3 days ago is old, this ain’t the site for you :)

  3. Morgan Storey November 12, 2009 at 3:46 am #

    @anon: can’t be new first the time, I saw this at least 6 times in my RSS. Sometimes different sites can show a unique side on an existing story.

  4. 0daySecurity November 12, 2009 at 7:30 am #

    Maybe sometimes it’s not the first site to get the news published but I like the way they comment them.
    Keep up the good work Darknet!

  5. Anon November 12, 2009 at 6:36 pm #

    There are reports now of a tool that runs under Mac/Win/Linux (Python? Perl?) that will scan IP ranges for iPhones with SSH and default pw, then proceed to siphon out the phone’s email, contacts, SMS, photos, videos, applications, etc.

    I’ve been unable to find it … { wink wink }