11 November 2009 | 7,554 views

Jailbroken iPhone Users Get Rickrolled


The ‘big’ news this week was that the first self-replicating worm hit the iPhone. It only seemed to be spreading in Australia, though, and only worked under a specific set of circumstances.

It only affects iPhone users who have jailbroken their phone and have the SSH software installed with the default password of alpine.

Thankfully it’s not particularly malicious unless you are allergic to Rick Astley.

iPhone owners in Australia awoke this weekend to find their devices targeted by self-replicating attacks that display an image of 1980s heart throb Rick Astley that’s not easily removed. The attacks, which researchers say are the world’s first iPhone worm in the wild, target jailbroken iPhones that have SSH software installed and keep Apple’s default root password of “alpine.” In addition to showing a well-coiffed picture of Astley, the new wallpaper displays the message “ikee is never going to give you up,” a play on Astley’s saccharine addled 1987 hit “Never Gonna Give You Up.”

Tricking victims into inadvertently playing the song has become a popular prank known as Rickrolling. A review of some of the source code shows that the malware, once installed, searches the mobile phone network for other vulnerable iPhones and when it finds one, copies itself to them using the default password and SSH, a Unix application also known as secure shell. People posting to this thread on Australian discussion forum Whirlpool first reported being hit on Friday.

A new twist on the rickrolling phenomenon at least, and of course the good thing for the rest of the world is that the infection seems to be fairly localized.

To me it’s more of a PoC (Proof of Concept) than anything else, but it is a neat piece of programming and shows what some malicious minds could put together if they wanted to target iPhones.

From the author’s perspective, he just wants to let people know that if they are gonna mess with their iPhone they better secure their shit.

The attack is a wakeup call for anyone who takes the time to jailbreak an iPhone. While the hack greatly expands the capabilities of the Apple smartphone, it can also make it more vulnerable. Programs such as OpenSSH, which can only be installed after iPhones have undergone the procedure, can be extremely useful, but if owners haven’t bothered to change their root password, the programs also represent a gaping hole waiting to be exploited.

Indeed, a hacker going by the moniker ikee and claiming to be responsible for the worm said here that he wrote the program to bring awareness to the widely followed practice of failing to change the iPhone’s password.

“I was quite amazed by the number of people who didn’t RTFM and change their default passwords,” the unidentified worm writer said. “I admit I probably pissed of [sic] a few people, but it was all in good fun (well ok for me anyway).”

Ikee said the worm disables the SSH daemon so it can’t be targeted further.

And in the true hacker spirit, the worm disables SSH so it can’t get infected again or hacked by anyone else.

It doesn’t take skills to own the box, it takes skills to stay on the box :)

Source: The Register
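
As an added example (not part of the original post, and not code from The Register or the worm's author): a small Python detector for the propagation pattern described above, where a host accepts a root password login over SSH and afterwards starts fanning out to many peers on TCP/22. The log format, addresses, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real traffic), two assumed line formats:
#   <epoch> flow <src> <dst> <dport>   /   <epoch> auth <src> <dst> <user> <method>
SAMPLE = """\
100 flow 10.0.0.5 10.0.0.6 22
101 flow 10.0.0.5 10.0.0.7 22
102 flow 10.0.0.5 10.0.0.8 22
103 flow 10.0.0.5 10.0.0.9 22
104 auth 10.0.0.5 10.0.0.9 root password
105 flow 10.0.0.20 10.0.0.21 22
106 flow 10.0.0.20 10.0.0.21 443
160 flow 10.0.0.9 10.0.0.30 22
161 flow 10.0.0.9 10.0.0.31 22
162 flow 10.0.0.9 10.0.0.32 22
163 flow 10.0.0.9 10.0.0.33 22
"""

def parse(text):
    flows, logins = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[1] == "flow":
            flows.append((int(f[0]), f[2], f[3], int(f[4])))
        elif len(f) == 6 and f[1] == "auth":   # accepted login from src onto dst
            logins.append((int(f[0]), f[2], f[3], f[4], f[5]))
    return flows, logins

def ssh_scanners(flows, window=60, threshold=4):
    """{src: first_scan_time} for hosts reaching >= threshold distinct peers on tcp/22 within window s."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 22:
            by_src[src].append((ts, dst))
    found = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            dsts = {d for t, d in hits[i:] if t - start <= window}
            if len(dsts) >= threshold:
                found[src] = start
                break
    return found

def propagation_edges(flows, logins, **kw):
    # (A, B): scanner A logged in to B as root by password, and B began scanning afterwards.
    scanners = ssh_scanners(flows, **kw)
    return sorted((src, dst) for ts, src, dst, user, method in logins
                  if user == "root" and method == "password"
                  and src in scanners and scanners.get(dst, -1) > ts)
```
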




5 Responses to “Jailbroken iPhone Users Get Rickrolled”

  1. anon 11 November 2009 at 5:20 pm Permalink

    Why does old news consistently get posted here? I think I’m going to remove this from my RSS feeds.

  2. Darknet 11 November 2009 at 5:30 pm Permalink

    anon: Yah I guess if news that broke 3 days ago is old, this ain’t the site for you :)

  3. Morgan Storey 12 November 2009 at 3:46 am Permalink

    @anon: can’t be new first the time, I saw this at least 6 times in my RSS. Sometimes different sites can show a unique side on an existing story.

  4. 0daySecurity 12 November 2009 at 7:30 am Permalink

    Maybe sometimes it’s not the first site to get the news published but I like the way they comment them.
    Keep up the good work Darknet!

  5. Anon 12 November 2009 at 6:36 pm Permalink

    There are reports now of a tool that runs under Mac/Win/Linux (Python? Perl?) that will scan IP ranges for iPhones with SSH and default pw, then proceed to siphon out the phone’s email, contacts, sms, photos, videos, applications, etc.

    I’ve been unable to find it … { wink wink }