Looks like, malware writers have finally decided to take their eyes off Microsoft for a while and place Apple in their radar. It has been hardly over a couple of weeks since we witnessed the first Apple iPhone Worm (iKee) and just when we thought we had found the formula to remove iKee worm from an infected jailbroken iPhone, here is yet another iPhone worm.
A Dutch internet service provider has identified a worm that installs a backdoor on jailbroken iPhones and makes them part of a botnet. The Dutch ISP has reported unusual amounts of data traffic related to the worm, which was the first indication that something was wrong. Slashdot posted a link to a translation of a Dutch security blog post with more details.
The worm, according to XS4ALL, targets jailbroken iPhones whose owners have carelessly failed to change the default password. In addition to connecting to a Lithuanian master command channel, it also changes the root password for the device, making it harder for owners trying to regain control. Infected iPhones are also tagged with a unique ID number, which allows the attackers to further investigate a phone found to have interesting content. This could lead to significant data theft if a sensitive phone has been jailbroken.
This worm, like the others, only attacks jailbroken iPhone and iPod Touch devices. Hence, we repeat again – if you are using a jailbroken iPhone or iPod Touch device, change the default password now. The most notable about this new worm is that it uses command-and-control like a traditional PC botnet. It configures two startup scripts, one to execute the worm on boot-up, and the other to create a connection to a Lithuanian server (HTTP) to upload stolen data and cede control to the bot master.
This worm can find vulnerable iPhones on a wide range of IP addresses, including IPs in several different countries, for example the Netherlands, Portugal, Australia, Austria, and Hungary. Furthermore, it changes the root password on the iPhone to “ohshit” (as discovered by Paul Ducklin, head of technology in Sophos Asia Pacific.)
The new worm is called “Duh” or “Ikee.B”, and it uses the exact same vulnerability as the first one. The worm allegedly changes the root password from the default of “alpine” that Apple set in the factory firmware, making it more difficult for users to secure their devices. The fix is thus identical. The recommended method to remove this malware from your iPhone is to change the root password in the SSH application to something other than the default, which is “alpine” and restore the Apple factory firmware using iTunes. Of course, iPhones that are reset will no longer be jailbroken, but that’s certainly a better alternative than being part of a botnet.
The worm could be related to Banker Trojans as well, as it appears to look for mTANs. These are two-factor authentication systems that use SMS. When you attempt to log in to your bank’s website, the bank sends you an SMS with a one-time password, which you then enter on their website to log in to your account.
The worm tries to propagate by scanning a variety of IP ranges, including those used by carriers T-Mobile, UPC in the Netherlands, and Optus in Australia. The worm is especially active when it has access to wi-fi networks. One tip-off that a device has been infected is that battery life is extremely short when connected to 802.11 networks because the worm generates so many connections. The worm is not widespread though, as it appears at the moment.
However, users who haven’t jailbroken their iPhone or haven’t installed the SSH application are not affected by this vulnerability.