It’s a little less than 2 weeks since the Jailbroken iPhone Users Got Rickrolled and as I thought a similar worm has been seen in the wild – but this time with malicious intent.
As the rickrolling incident showed, even the more savvy users that jailbreak their phones neglect to change the default SSH password meaning they can easily be rooted…and well this new worm is doing just that.
The user as usual is the weak link here, it’s not a true exploit – just an unchanged default password.
A Dutch internet service provider has identified a worm that installs a backdoor on jailbroken iPhones and makes them part of a botnet.
The worm, according to XS4ALL, targets jailbroken iPhones whose owners have carelessly failed to change the default password. In addition to connecting to a Lithuanian master command channel, it also changes the root password for the device, making it harder for owners trying to regain control. Infected iPhones are also tagged with a unique ID number.
“A number of customers with jailbroken phones have been found running unknown software on their phones which is trying to compromise other iPhone users at other telecommunications providers,” the XS4ALL advisory stated. “XS4ALL strongly advises caution against jailbreaking if you are not fully aware of the potential risks to your privacy and security.”
It’s quite smart, after installing itself it’ll change the root password (from my point of view to stop it getting reinfected and b0rked) and also to make it harder for the phone user to take back control.
I think it’s the first time I’ve seen a mobile device be infected and hooked up to a botnet, I thought it might happen with consoles before..but now with mobile 3G/3.5G Internet and powerful CPUs in mobile phones the next big thing might be botnets running on iPhones, Android and Symbian devices.
The worm has the ability to pillage SMS databases, and an analysis by Security.nl (English translation here) has identified a script that looks for mobile transaction authentication numbers used by some banks to perform two-factor authentication with SMS-based systems. (Sophos also has analysis here.)
The worm tries to propagate by scanning a variety of IP ranges, including those used by carriers T-Mobile, UPC in the Netherlands, and Optus in Australia. The worm is especially active when it has access to wi-fi networks. One tip-off that a device has been infected is that battery life is extremely short when connected to 802.11 networks because the worm generates so many connections. The worm is not widespread, F-Secure said Sunday.
The attacks come two weeks after a separate piece of self-replicating code caused iPhones mostly located in Australia to display images of Rick Astley, the schmaltzy 1980s pop singer. The most recent outbreak appears to be the first instance of malicious iPhone malware spreading in the wild.
So do your friends a favour and tell anyone with a jailbroken iPhone to change the default SSH password to something else! Just doing that will save them from the current crop of threats.
I wonder what else will come of this, will it become a widespread infection of jailbroken iPhone users? Will it reach every continent?
Over here in asia iPhones are fairly popular, but not hugely so like in the US. I’d say if there’s anywhere ripe for some iPhone mayhem it would be America.
Source: The Register