First Malicious iPhone Worm In The Wild


It’s a little less than 2 weeks since the Jailbroken iPhone Users Got Rickrolled and as I thought a similar worm has been seen in the wild – but this time with malicious intent.

As the rickrolling incident showed, even the more savvy users that jailbreak their phones neglect to change the default SSH password meaning they can easily be rooted…and well this new worm is doing just that.

The user as usual is the weak link here, it’s not a true exploit – just an unchanged default password.

A Dutch internet service provider has identified a worm that installs a backdoor on jailbroken iPhones and makes them part of a botnet.

The worm, according to XS4ALL, targets jailbroken iPhones whose owners have carelessly failed to change the default password. In addition to connecting to a Lithuanian master command channel, it also changes the root password for the device, making it harder for owners trying to regain control. Infected iPhones are also tagged with a unique ID number.

“A number of customers with jailbroken phones have been found running unknown software on their phones which is trying to compromise other iPhone users at other telecommunications providers,” the XS4ALL advisory stated. “XS4ALL strongly advises caution against jailbreaking if you are not fully aware of the potential risks to your privacy and security.”

It’s quite smart, after installing itself it’ll change the root password (from my point of view to stop it getting reinfected and b0rked) and also to make it harder for the phone user to take back control.

I think it’s the first time I’ve seen a mobile device be infected and hooked up to a botnet, I thought it might happen with consoles before..but now with mobile 3G/3.5G Internet and powerful CPUs in mobile phones the next big thing might be botnets running on iPhones, Android and Symbian devices.

The worm has the ability to pillage SMS databases, and an analysis by Security.nl (English translation here) has identified a script that looks for mobile transaction authentication numbers used by some banks to perform two-factor authentication with SMS-based systems. (Sophos also has analysis here.)

The worm tries to propagate by scanning a variety of IP ranges, including those used by carriers T-Mobile, UPC in the Netherlands, and Optus in Australia. The worm is especially active when it has access to wi-fi networks. One tip-off that a device has been infected is that battery life is extremely short when connected to 802.11 networks because the worm generates so many connections. The worm is not widespread, F-Secure said Sunday.

The attacks come two weeks after a separate piece of self-replicating code caused iPhones mostly located in Australia to display images of Rick Astley, the schmaltzy 1980s pop singer. The most recent outbreak appears to be the first instance of malicious iPhone malware spreading in the wild.

So do your friends a favour and tell anyone with a jailbroken iPhone to change the default SSH password to something else! Just doing that will save them from the current crop of threats.

I wonder what else will come of this, will it become a widespread infection of jailbroken iPhone users? Will it reach every continent?

Over here in asia iPhones are fairly popular, but not hugely so like in the US. I’d say if there’s anywhere ripe for some iPhone mayhem it would be America.

Source: The Register

Posted in: Apple, Exploits/Vulnerabilities, Malware

, , , , , , , ,


Latest Posts:


dSploit APK Download - Hacking & Security Toolkit For Android dSploit APK Download – Hacking & Security Toolkit For Android
dSploit APK Download is a Hacking & Security Toolkit For Android which can conduct network analysis and penetration testing activities.
Scallion - GPU Based Onion Hash Generator Scallion – GPU Based Onion Hash Generator
Scallion is a GPU-driven Onion Hash Generator written in C#, it lets you create vanity GPG keys and .onion addresses (for Tor's hidden services).
WiFi-Dumper - Dump WiFi Profiles and Cleartext Passwords WiFi-Dumper – Dump WiFi Profiles and Cleartext Passwords
WiFi-Dumper is an open-source Python-based tool to dump WiFi profiles and cleartext passwords of the connected access points on a Windows machine.
truffleHog - Search Git for High Entropy Strings with Commit History truffleHog – Search Git for High Entropy Strings with Commit History
truffleHog is a Python-based tool to search Git for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed.
AIEngine - AI-driven Network Intrusion Detection System AIEngine – AI-driven Network Intrusion Detection System
AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua and Go AI-driven Network Intrusion Detection System engine with many capabilities.
Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.


3 Responses to First Malicious iPhone Worm In The Wild

  1. Morgan Storey November 25, 2009 at 3:19 am #

    They are popular here in Australia, I would say 1 in 5 people I see have one.
    Here is a better tip, tell your friends not to buy badly made vendor locked in Apple junk. Of course this exploit would still work with a cracked Android with SSH running and the same password but the last dropbear SSH server install I saw made you set the password at login. Not the now infmous Alpine across the board.

  2. Fernando Alvirez November 26, 2009 at 10:18 pm #

    Quote:”… tell your friends not to buy badly made vendor locked in Apple junk”. Those are harsh words, not sure if really justified. Either way, nothing is secure anymore.

  3. Morgan Storey November 26, 2009 at 10:43 pm #

    @ Fernando Alvirez: I agree no computer or complex technology is secure, except the old addage a computer buried deap below the earth surrounded by a few feet of concrete, not plugged into anything.
    I am harsh on apple because they always make the biggest security blunders, indoctrinating their users to not worry about Viruses cause you have a mac, releasing updates long after they have been weaponised, setting the same root password on a device that is widely deployed, vendor lock-ins that would make MS blush, and the worst bit: I enjoy using Linux but when I used to support Mac’s they had removed half the useful and default commands.
    I am all for right tool for the right job, I have admin’ed Windows, Linux, BSD, Varying Unix systems and MacOS. But I feel there is no job that can justify a Mac.