Tuesday, November 24, 2009

iKee iPhone Worm Strikes Again!

PC Tools' Malware Research Center received a sample of an iPhone worm that is strikingly similar to the iKee worm, which displays an image of Rick Astley and was originally intended as a prank. This one, however, adds the ability to enlist compromised iPhones in a botnet, a network of infected computers and devices that hackers can control to perform malicious activities.

Like Worm.iPhoneOS.Ikee, which we blogged about a few weeks ago, it scans a range of IP addresses, mostly from the Netherlands and Australia.

The worm then attempts to log in, using the default password, to every jailbroken iPhone it finds with SSH installed, and copies itself to each device it compromises.

Once active on the iPhone, the worm changes the default password stored in the file /etc/master.passwd. The attacker needs this change to prevent the victim from logging in.

The worm then downloads and installs the application packages it needs to perform its malicious activities, such as sending the sensitive information it has gathered to the remote server and providing botnet functionality on the compromised devices.

This worm connects to a command & control center running at 92.61.38.16 in Lithuania.
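
A defender's triage of the behaviour described above, as an added example that is not part of the original post or of PC Tools' tooling: it reads a copy of /etc/master.passwd and a connection listing, flags accounts still on the default password or changed to a value the owner did not set, and looks for the command & control address. The hashes, sample file and connection lines are constructed placeholders, and the function names are hypothetical.

```python
import re

C2_ADDRESS = "92.61.38.16"  # command & control address named in the post
# Constructed placeholders, not real hashes: the factory default, and the
# values the owner recorded after setting their own passwords.
DEFAULT_HASHES = {"HASH_DEFAULT_00"}
OWNER_HASHES = {"root": "HASH_OWNER_ROOT", "mobile": "HASH_OWNER_MOBILE"}

# Constructed sample of /etc/master.passwd (BSD layout:
# name:password:uid:gid:class:change:expire:gecos:home:shell)
SAMPLE_PASSWD = """\
nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
root:HASH_CHANGED_01:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:HASH_DEFAULT_00:501:501::0:0:Mobile User:/var/mobile:/bin/sh
"""
# Constructed connection listing (BSD netstat style, address.port)
SAMPLE_CONNS = [
    "tcp4 0 0 10.0.0.5.49152 92.61.38.16.80 ESTABLISHED",
    "tcp4 0 0 10.0.0.5.49153 192.61.38.160.443 ESTABLISHED",
]

def parse_master_passwd(text):
    """Map account name -> password field, skipping comments and bad lines."""
    accounts = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) < 10:
            continue
        accounts[fields[0]] = fields[1]
    return accounts

def classify_accounts(accounts, default_hashes, owner_hashes):
    """Label every account that can log in with a password."""
    findings = {}
    for user, pw in accounts.items():
        if pw == "*":                      # locked account, no password login
            continue
        if pw in default_hashes:
            findings[user] = "default-password"      # still open to the SSH login
        elif owner_hashes.get(user) == pw:
            findings[user] = "owner-set"
        else:
            findings[user] = "changed-unexpectedly"  # consistent with the worm's rewrite
    return findings

def c2_hits(lines, address=C2_ADDRESS):
    """Return lines naming the C2 address exactly (not 192.61.38.160)."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(address) + r"(?!\d)")
    return [line for line in lines if pattern.search(line)]

if __name__ == "__main__":
    print(classify_accounts(parse_master_passwd(SAMPLE_PASSWD), DEFAULT_HASHES, OWNER_HASHES))
    print(c2_hits(SAMPLE_CONNS))
```

An account labelled `default-password` is still exposed to the login the worm relies on, while `changed-unexpectedly` together with a hit on the command & control address matches the infection sequence in this post.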


PC Tools advises its customers not to jailbreak their iPhones due to the security risks involved. Not only does jailbreaking open the device to many vulnerabilities that hackers can exploit, it also violates your warranty.

Apple has already issued a brief statement regarding this latest threat as published on The Loop:

"The worm affects only a very specific set of iPhone users who have jail broken their iPhones and hacked it with unauthorized software," Apple spokesperson, Natalie Harrison, told The Loop. "As we've said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably."