Virus variant turns iPhone into zombie

Written by John P Mello Jr on November 27, 2009
Worm turns ugly for iPhone.

Worm turns ugly for iPhone.

The first smartphone malware began innocently enough. A Dutch cracker discovers a way to penetrate modified, or “jailbroken,” iPhones using their default root password “alpine.” “You want to protect this phone from more attacks?” he asks his victims. “Pay me five Euros, and I’ll tell you how to do it.”

Not to be outshone by the Dutch, an Australian writes a virus, ikee, that makes its presence known by changing the background on the mobile to a photo of Rick Astley, who became a one-shot wonder in 1987 with the hit song “Never Gonna Give You Up,” and displaying the message “ikee is never going to give you up.”

More important, though, was that ikee could replicate itself. Once it infects an iPhone, it begins searching for other jailbroken devices on a mobile network that use alpine as their root password and infects them. In other words, it’s a good old fashioned ego-centric virus–annoying but not very harmful and designed to spread the name of its creator, ikee.

But as White Hats discovered this week, those initial efforts were just a prelude to a nastier variant of the ikee worm. Like its predecessor, it takes advantage of modified iPhones with the SSH protocol turned on and unchanged default passwords. This variant, however, is designed to  steal banking information from the phone.

What’s more, it has botnet characteristics. It connects to a Web-based command and control server located in Lithuania, effectively turning infected phones into zombies that will do the bidding of the crackers without the knowledge of the mopho’s owner.

In addition, while the original ikee worm was limited in its scope. It wasn’t reported outside of Australia. The latest iteration of the malware targets a wider range of IP addresses. They include the Netherlands, Portugal, Australia, Austria and Hungary.

The new variant, dubbed by one security firm as the “Duh” worm, also changes the root password on a jailbroken iPhone. Once that password is changed, a mobile bandit can access the phone without the owner’s knowledge. What’s more, if an owner discovers his or her phone has been compromised, initially he or she could do little about it. That’s because he or she needed to know the root password to change the root password. That was impossible since the password of an infected phone was known only to the person who infected it.

However, security experts have been able to reverse the tables on the crackers and with a program called John the Ripper, identify the password they’ve been using in the latest version of ikee. It’s “ohshit.” By logging into an infected iPhone with that root password, an owner can change it to something unknown to the cracker.

In addition to changing the password, an owner should kill the files associated with the malware. The path to those files is /private/var/mobile/home. The files are inst, cydia.tgz, duh, sshd and syslog. Owners are also advised to check the passwords for all user accounts, as the malicious software will change the password for any account that uses the word alpine.

Apple has come under criticism for choosing a root password that violates some basic security best practices. It’s a dictionary word and lots of people know what it is. On the other hand, the latest uproar over compromised iPhones doesn’t affect most users because they haven’t modified their handsets to run unauthorized programs. That may also be the reason that Apple has refused to work with White Hats in developing anti-virus software to counter the problem. From the company’s point of view, it has created a secure product. It’s rogue users who are providing the feeding ground for this round of cracker attacks.

Although iPhones represent only 10 percent of the mobile phone market, they tend to be used by higher level executives within organizations because of their status value. While status seekers aren’t likely to hack his or her iPhone and open it up to something like ikee, the prospect isn’t something that system administrators can ignore. Because iPhones aren’t able to report any kind of status information, security experts warn, they present a threat to the enterprise. If an infected phone gains access to a company’s MS Exchange, WiFi or VPN environment, it could put all a business’s confidential information at risk.

  • (required)
  • (required)