First Malicious iPhone Worm In The Wild

It’s a little less than 2 weeks since the Jailbroken iPhone Users Got Rickrolled and as I thought a similar worm has been seen in the wild – but this time with malicious intent.

As the rickrolling incident showed, even the more savvy users that jailbreak their phones neglect to change the default SSH password meaning they can easily be rooted…and well this new worm is doing just that.

The user as usual is the weak link here, it’s not a true exploit – just an unchanged default password.

A Dutch internet service provider has identified a worm that installs a backdoor on jailbroken iPhones and makes them part of a botnet.

The worm, according to XS4ALL, targets jailbroken iPhones whose owners have carelessly failed to change the default password. In addition to connecting to a Lithuanian master command channel, it also changes the root password for the device, making it harder for owners trying to regain control. Infected iPhones are also tagged with a unique ID number.

“A number of customers with jailbroken phones have been found running unknown software on their phones which is trying to compromise other iPhone users at other telecommunications providers,” the XS4ALL advisory stated. “XS4ALL strongly advises caution against jailbreaking if you are not fully aware of the potential risks to your privacy and security.”

It’s quite smart, after installing itself it’ll change the root password (from my point of view to stop it getting reinfected and b0rked) and also to make it harder for the phone user to take back control.

I think it’s the first time I’ve seen a mobile device be infected and hooked up to a botnet, I thought it might happen with consoles before..but now with mobile 3G/3.5G Internet and powerful CPUs in mobile phones the next big thing might be botnets running on iPhones, Android and Symbian devices.

The worm has the ability to pillage SMS databases, and an analysis by (English translation here) has identified a script that looks for mobile transaction authentication numbers used by some banks to perform two-factor authentication with SMS-based systems. (Sophos also has analysis here.)

The worm tries to propagate by scanning a variety of IP ranges, including those used by carriers T-Mobile, UPC in the Netherlands, and Optus in Australia. The worm is especially active when it has access to wi-fi networks. One tip-off that a device has been infected is that battery life is extremely short when connected to 802.11 networks because the worm generates so many connections. The worm is not widespread, F-Secure said Sunday.

The attacks come two weeks after a separate piece of self-replicating code caused iPhones mostly located in Australia to display images of Rick Astley, the schmaltzy 1980s pop singer. The most recent outbreak appears to be the first instance of malicious iPhone malware spreading in the wild.

So do your friends a favour and tell anyone with a jailbroken iPhone to change the default SSH password to something else! Just doing that will save them from the current crop of threats.

I wonder what else will come of this, will it become a widespread infection of jailbroken iPhone users? Will it reach every continent?

Over here in asia iPhones are fairly popular, but not hugely so like in the US. I’d say if there’s anywhere ripe for some iPhone mayhem it would be America.

Source: The Register

Posted in: Apple, Exploits/Vulnerabilities, Malware

, , , , , , , ,

Latest Posts:

Fuzzilli - JavaScript Engine Fuzzing Library Fuzzilli – JavaScript Engine Fuzzing Library
Fuzzilii is a JavaScript engine fuzzing library, it's a coverage-guided fuzzer for dynamic language interpreters based on a custom intermediate language.
OWASP APICheck - HTTP API DevSecOps Toolset OWASP APICheck – HTTP API DevSecOps Toolset
APICheck is an HTTP API DevSecOps toolset, it integrates existing tools, creates execution chains easily and is designed for integration with 3rd parties.
trident - Automated Password Spraying Tool trident – Automated Password Spraying Tool
The Trident project is an automated password spraying tool developed to be deployed on multiple cloud providers and provides advanced options around scheduling
tko-subs - Detect & Takeover Subdomains With Dead DNS Records tko-subs – Detect & Takeover Subdomains With Dead DNS Records
tko-subs is a tool that helps you to detect & takeover subdomains with dead DNS records, this could be dangling CNAMEs point to hosting services and more.
Arcane - Tool To Backdoor iOS Packages (iPhone ARM) Arcane – Tool To Backdoor iOS Packages (iPhone ARM)
Arcane is a simple script tool to backdoor iOS packages (iPhone ARM) and create the necessary resources for APT repositories.
SharpHose - Asynchronous Password Spraying Tool SharpHose – Asynchronous Password Spraying Tool
SharpHose is an asynchronous password spraying tool in C# for Windows environments that takes into consideration fine-grained password policies and can be run over Cobalt Strike's execute-assembly.

3 Responses to First Malicious iPhone Worm In The Wild

  1. Morgan Storey November 25, 2009 at 3:19 am #

    They are popular here in Australia, I would say 1 in 5 people I see have one.
    Here is a better tip, tell your friends not to buy badly made vendor locked in Apple junk. Of course this exploit would still work with a cracked Android with SSH running and the same password but the last dropbear SSH server install I saw made you set the password at login. Not the now infmous Alpine across the board.

  2. Fernando Alvirez November 26, 2009 at 10:18 pm #

    Quote:”… tell your friends not to buy badly made vendor locked in Apple junk”. Those are harsh words, not sure if really justified. Either way, nothing is secure anymore.

  3. Morgan Storey November 26, 2009 at 10:43 pm #

    @ Fernando Alvirez: I agree no computer or complex technology is secure, except the old addage a computer buried deap below the earth surrounded by a few feet of concrete, not plugged into anything.
    I am harsh on apple because they always make the biggest security blunders, indoctrinating their users to not worry about Viruses cause you have a mac, releasing updates long after they have been weaponised, setting the same root password on a device that is widely deployed, vendor lock-ins that would make MS blush, and the worst bit: I enjoy using Linux but when I used to support Mac’s they had removed half the useful and default commands.
    I am all for right tool for the right job, I have admin’ed Windows, Linux, BSD, Varying Unix systems and MacOS. But I feel there is no job that can justify a Mac.