First Malicious iPhone Worm In The Wild


It’s a little less than 2 weeks since the Jailbroken iPhone Users Got Rickrolled and as I thought a similar worm has been seen in the wild – but this time with malicious intent.

As the rickrolling incident showed, even the more savvy users that jailbreak their phones neglect to change the default SSH password meaning they can easily be rooted…and well this new worm is doing just that.

The user as usual is the weak link here, it’s not a true exploit – just an unchanged default password.

A Dutch internet service provider has identified a worm that installs a backdoor on jailbroken iPhones and makes them part of a botnet.

The worm, according to XS4ALL, targets jailbroken iPhones whose owners have carelessly failed to change the default password. In addition to connecting to a Lithuanian master command channel, it also changes the root password for the device, making it harder for owners trying to regain control. Infected iPhones are also tagged with a unique ID number.

“A number of customers with jailbroken phones have been found running unknown software on their phones which is trying to compromise other iPhone users at other telecommunications providers,” the XS4ALL advisory stated. “XS4ALL strongly advises caution against jailbreaking if you are not fully aware of the potential risks to your privacy and security.”

It’s quite smart, after installing itself it’ll change the root password (from my point of view to stop it getting reinfected and b0rked) and also to make it harder for the phone user to take back control.

I think it’s the first time I’ve seen a mobile device be infected and hooked up to a botnet, I thought it might happen with consoles before..but now with mobile 3G/3.5G Internet and powerful CPUs in mobile phones the next big thing might be botnets running on iPhones, Android and Symbian devices.

The worm has the ability to pillage SMS databases, and an analysis by Security.nl (English translation here) has identified a script that looks for mobile transaction authentication numbers used by some banks to perform two-factor authentication with SMS-based systems. (Sophos also has analysis here.)

The worm tries to propagate by scanning a variety of IP ranges, including those used by carriers T-Mobile, UPC in the Netherlands, and Optus in Australia. The worm is especially active when it has access to wi-fi networks. One tip-off that a device has been infected is that battery life is extremely short when connected to 802.11 networks because the worm generates so many connections. The worm is not widespread, F-Secure said Sunday.

The attacks come two weeks after a separate piece of self-replicating code caused iPhones mostly located in Australia to display images of Rick Astley, the schmaltzy 1980s pop singer. The most recent outbreak appears to be the first instance of malicious iPhone malware spreading in the wild.

So do your friends a favour and tell anyone with a jailbroken iPhone to change the default SSH password to something else! Just doing that will save them from the current crop of threats.

I wonder what else will come of this, will it become a widespread infection of jailbroken iPhone users? Will it reach every continent?

Over here in asia iPhones are fairly popular, but not hugely so like in the US. I’d say if there’s anywhere ripe for some iPhone mayhem it would be America.

Source: The Register

Posted in: Apple, Exploits/Vulnerabilities, Malware

, , , , , , , ,


Latest Posts:


Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.


3 Responses to First Malicious iPhone Worm In The Wild

  1. Morgan Storey November 25, 2009 at 3:19 am #

    They are popular here in Australia, I would say 1 in 5 people I see have one.
    Here is a better tip, tell your friends not to buy badly made vendor locked in Apple junk. Of course this exploit would still work with a cracked Android with SSH running and the same password but the last dropbear SSH server install I saw made you set the password at login. Not the now infmous Alpine across the board.

  2. Fernando Alvirez November 26, 2009 at 10:18 pm #

    Quote:”… tell your friends not to buy badly made vendor locked in Apple junk”. Those are harsh words, not sure if really justified. Either way, nothing is secure anymore.

  3. Morgan Storey November 26, 2009 at 10:43 pm #

    @ Fernando Alvirez: I agree no computer or complex technology is secure, except the old addage a computer buried deap below the earth surrounded by a few feet of concrete, not plugged into anything.
    I am harsh on apple because they always make the biggest security blunders, indoctrinating their users to not worry about Viruses cause you have a mac, releasing updates long after they have been weaponised, setting the same root password on a device that is widely deployed, vendor lock-ins that would make MS blush, and the worst bit: I enjoy using Linux but when I used to support Mac’s they had removed half the useful and default commands.
    I am all for right tool for the right job, I have admin’ed Windows, Linux, BSD, Varying Unix systems and MacOS. But I feel there is no job that can justify a Mac.