Tuesday, November 24, 2009

iKee iPhone Worm Strikes Again!

PC Tools' Malware Research Center received a sample of an iPhone worm that is strikingly similar to the iKee worm that displays an image of Rick Astley and was originally intended as a prank. This one, however, adds the ability to enrol compromised iPhones in a botnet, a network of infected computers and devices that hackers can control to perform malicious activities.

Like Worm.iPhoneOS.Ikee, which we blogged about a few weeks ago, it scans ranges of IP addresses, mostly in the Netherlands and Australia.

The worm then attempts to log in to any jailbroken iPhone running SSH by using the default root password, and copies itself to the compromised device.

Once active on the iPhone, the worm changes the default password stored in /etc/master.passwd. The attacker does this to prevent the victim from logging in.

The worm then downloads and installs all the application packages it needs to perform its malicious activities, such as sending the sensitive information it gathers to a remote server and providing botnet functionality on the compromised device.

This worm connects to a command & control center running at 92.61.38.16 in Lithuania.

PC Tools advises its customers not to jailbreak their iPhones because of the security risks involved. Not only does it expose the device to vulnerabilities that hackers can exploit, it also voids your warranty.

Apple has already issued a brief statement regarding this latest threat as published on The Loop:

"The worm affects only a very specific set of iPhone users who have jail broken their iPhones and hacked it with unauthorized software," Apple spokesperson, Natalie Harrison, told The Loop. "As we've said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably."

Wednesday, November 11, 2009

Info Stealer targets Jailbroken iPhones

A week has barely passed since the first iPhone worm (Worm.iPhoneOS.Ikee) came ‘rickrolling’ into our collective awareness, and now we already have its first official copycat!

A new Trojan has been spotted employing the very same technique used by the ikee worm to break into jailbroken iPhones. It scans a network (a home, office, or public wifi network would suffice) for jailbroken iPhones still running SSH. Enabling SSH is a common step in jailbreaking, as it allows the user to log in to the phone remotely and execute shell commands. And, as should be common knowledge by now, all iPhones ship with the same default root password, which users neglect to change after jailbreaking them.

What this new Trojan lacks in originality of technique, however, it more than makes up for with a more vicious payload. Whereas the ikee worm contents itself with changing the iPhone wallpaper, this new Trojan steals data from compromised devices! This means all SMS messages and contact lists stored on vulnerable phones are up for grabs!

While these new iPhone malware samples are breaking news, we should realize that the SSH weakness they exploit is really nothing new. It has been there ever since the first jailbroken iPhone. In fact, before ikee, Ars Technica ran an article on their site about 'ransomware' spreading in the Netherlands. It scans networks for iPhones with SSH enabled, then sends the owners the following SMS message:

When you visit his site, he charges you €5 for instructions on how to secure your phone, information that is actually available to anyone for free.

So let's all learn the lesson here. First, there are very real risks to jailbreaking. Second, and more important, never use default passwords, whether for the combination locks at home or for your digital devices.

Monday, November 9, 2009

iPhone Worm Found Rickrollin' in the Wild

A new worm targeting Apple's iPhone has been headlining the news of late. This iPhone worm, dubbed Ikee, has been infecting jailbroken iPhones (iPhones hacked to allow installation of applications from outside iTunes) all over Australia; infected users found their iPhone's wallpaper replaced with a photo of Rick Astley and a message stating that "ikee is never going to give you up". This is a very popular prank among internet users and is known as Rickrolling.

This worm specifically targets jailbroken phones whose root login password is still set to the default, alpine. This opens a hole for hackers to exploit, since jailbroken phones run an SSH daemon that allows remote connections.

In the case of Ikee, the worm scans a hardcoded list of IP ranges belonging to several Australian telecom companies for vulnerable iPhones. Once a vulnerable iPhone has been found, the worm copies several files, including a copy of itself, to the iPhone and changes its wallpaper to a photo of Rick Astley. It then disables the SSH service to prevent reinfection and starts another scan of the network to look for other vulnerable iPhones.

Jailbroken iPhones obviously pose some serious risks. If you have decided to jailbreak yours, make sure you have changed your SSH password (instructions for changing the password can be found here, courtesy of Cydia) and be aware that you face a greater risk of infection than non-jailbroken iPhones.
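Both the Ikee scan of telecom IP ranges described above and the botnet variant's sweep of Dutch and Australian ranges leave the same footprint from a defender's viewpoint: one source address attempting root password logins over SSH against many devices in a short window. The following detection script is an added example, not part of the PC Tools posts; it assumes the phones forward their sshd log lines to a central collector, and the log lines, hostnames and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: sshd lines from several jailbroken phones forwarded to one
# collector. Hostnames and addresses are made up for this example.
SAMPLE_LOG = """\
Nov  9 10:01:02 iphone-a sshd[301]: Accepted password for root from 10.20.5.9 port 40211 ssh2
Nov  9 10:01:04 iphone-b sshd[188]: Accepted password for root from 10.20.5.9 port 40218 ssh2
Nov  9 10:01:05 iphone-c sshd[412]: Failed password for root from 10.20.5.9 port 40225 ssh2
Nov  9 10:01:07 iphone-d sshd[277]: Accepted password for root from 10.20.5.9 port 40233 ssh2
Nov  9 10:01:09 iphone-e sshd[519]: Accepted password for root from 10.20.5.9 port 40240 ssh2
Nov  9 11:30:00 iphone-a sshd[333]: Accepted password for mobile from 10.20.7.3 port 51002 ssh2
Nov  9 11:31:10 iphone-b sshd[199]: Failed password for root from 10.20.7.3 port 51010 ssh2
"""

# Matches the standard OpenSSH password-authentication result line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)

def parse(log_text, year=2009):
    """Yield (timestamp, host, result, user, src) for each sshd password-auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["result"], m["user"], m["src"]

def find_ssh_sweeps(log_text, window_seconds=300, min_hosts=3):
    """Return {src_ip: sorted device names} for every source that tried the root
    account on at least min_hosts distinct devices within window_seconds.
    Failed attempts count too: a sweep is visible before it succeeds."""
    events = defaultdict(list)  # src -> [(timestamp, host)]
    for ts, host, _result, user, src in parse(log_text):
        if user == "root":
            events[src].append((ts, host))
    alerts = {}
    for src, items in events.items():
        items.sort()
        for i, (start, _) in enumerate(items):  # slide a window over each start
            hosts = {h for t, h in items[i:] if (t - start).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                alerts[src] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for src, hosts in find_ssh_sweeps(SAMPLE_LOG).items():
        print(f"possible SSH sweep from {src}: root tried on {', '.join(hosts)}")
```

On the constructed sample only 10.20.5.9 is flagged; the single root attempt from 10.20.7.3 stays below the threshold, as a one-off login from the owner's laptop should.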