New iPhone worm found in the wild

Summary: A second and more nefarious iPhone worm has been discovered that connects to a Lithuanian server to upload stolen data and turn control of the device over to the bot master. Lovely.

On November 2 a hacker was able to identify jailbroken iPhones running SSH on T-Mobile's Netherlands network via port scanning and used the vulnerability to change the wallpaper to display a message that demanded a 5 Euro ransom.

On November 7 another malware, dubbed ikee, "rickrolled" compromised iPhones by changing the wallpaper to a picture of Rick Astley (pictured).

Today a new, more nefarious worm that attacks jailbroken iPhone and iPod Touch devices has been discovered. According to Sophos this latest iPhone worm was discovered when a Dutch ISP reported unusual amounts of data traffic. Slashdot posted a link to a translation of a Dutch security blog post with more details.

There are some significant differences from the 5 Euro scam, the most notable of which is that this worm uses command-and-control like a traditional PC botnet. It configures two startup scripts, one to execute the worm on boot-up, and the other to create a connection to a Lithuanian server (HTTP) to upload stolen data and cede control to the bot master.

Security.nl reports that the new worm changes the SSH root password making it more difficult to stop.

This worm attacks IP ranges from a larger range of ISPs, including UPC (Netherlands), Optus (Australia), and T-Mobile (Many). When an infected device is hooked up to a WiFi connection, the worm can spread more quickly to more IP addresses than on a typical 3G connection.

It's difficult to tell if your iPhone has been compromised, but one symptom is that battery life becomes very, very short when the device is connected to WiFi, because the worm is generating so much network activity. The recommended method to remove this malware from your iPhone is to restore the Apple factory firmware using iTunes.
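The two behaviours the article describes, a device hammering TCP/22 on many addresses in its IP range and the resulting spike in network activity, are exactly what an ISP or network operator can look for in flow data. The following is an added example, not code from the article, Sophos or Security.nl: it parses a constructed, simplified flow-record format (timestamp, source, destination, destination port), then flags any source that reaches an unusually large number of distinct destinations on port 22 inside a short sliding window. The record format, the 60-second window and the threshold of 10 distinct hosts are assumptions chosen for the example; tune them to your own traffic.

```python
"""Detect SSH scanning behaviour (many distinct TCP/22 targets in a short
window) in constructed flow records. Added example; not from the article."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample():
    """Construct sample flow lines: '<ISO timestamp> <src> <dst> <dport>'.
    These are made-up records, not traffic from the reported incident."""
    base = datetime(2009, 11, 22, 10, 0, 0)
    lines = []
    # Worm-like host: 12 distinct addresses on port 22 within ~22 seconds.
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.1.{i + 1} 22")
    # Legitimate admin: the same two hosts, spread over eight minutes.
    for i in range(3):
        ts = (base + timedelta(minutes=4 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 10.0.1.{(i % 2) + 1} 22")
    # Noisy but harmless: 15 retries to a single SSH peer.
    for i in range(15):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.8 10.0.1.50 22")
    # Ordinary web traffic from the first host; port 80 is ignored by the rule.
    for i in range(20):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 93.184.216.{i} 80")
    return "\n".join(lines)


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_ssh_scanners(records, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak_distinct_targets} for every source that contacted at
    least `threshold` distinct destinations on TCP/22 within any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == 22:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()                 # chronological order for the sliding window
        in_window = defaultdict(int)  # dst -> number of events currently in window
        start = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the window behind the current one.
            while ts - events[start][0] > window:
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    flows = parse_flows(build_sample())
    for src, n in find_ssh_scanners(flows).items():
        print(f"{src}: {n} distinct SSH targets within 60s, investigate")
```

Counting distinct destinations rather than raw connection attempts is what separates the scanner from the host that merely retries one SSH peer; the admin who logs into the same two servers all day never trips the rule either. On a real network the same logic applies to NetFlow/IPFIX exports or firewall logs once the parser is adapted to their format.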

If you've jailbroken your phone and are running SSH, change the default password.

Topics: iPhone, Mobility, Security

Talkback

40 comments
  • But I thought Apple OS X was immune from ALL such things. (nt)

    ...
    ths40
    • When you jailbreak your iPhone

      you give it the ability to run things other than the "Apple Only" software.
      GuidingLight
      • Do something illegal; expect illegal activity in return.

        Face it. You jailbreak it you remove all protection. You've hacked it. So don't expect other hackers to NOT be able to get into your hacked device.
        No More Microsoft Software Ever!
        • I'm not so sure about that.

          But I [b]do[/b] know that if your hack involves installing a shell, leaving
          the default password is like sticking a Post-It with your PIN written on
          it to your ATM card.
          matthew_maurice
        • It's technically NOT illegal

          AND if the proper precautions are taken a jailbroken iPhone is not vulnerable to the worm.
          athynz
          • Well according to Apple it is, and it's their phone, so.. ya.

            AzuMao
          • Then Apple

            can give me back my $300 bucks. Otherwise it is MINE to do with as I will. In this Apple and their EULA can suck it.
            athynz
        • This is a technical issue; righteousness optional

          Your ethical expectations are out of touch with reality, but I will give you the benefit of the doubt that it wasn't ownership of a Mac product that caused it.

          The issue here is, as ever will be, users unwilling to take responsibility for their computing devices. Install software you trust, understand it, and configure it to the fullest (e.g., change the SSH service password). This isn't a morality issue, it's a technical one.
          n.ang
    • And I thought Zdnet was immune to trolling?

      Just kidding. I knew it wasn't.

      I don't think that Apple ever claimed their OS was immune to hacks using the default well documented password. I'd like to see the OS that claims it is.

      You could also argue that it isn't their OS since it is the half-@$$ jailbroken version.

      Enjoy guarding your bridge.
      maskman01
      • Awe c'mon...it's FUN trolling...

        ...besides, business at the bridge is a little slow these days, and I have to find amusement where I can. Must be the economic downturn to blame.
        ths40
        • I wonder if more babies have been made as a ...

          ...result of the slowdown. :)
          maskman01
          • Not under MY bridge. :D (nt)

            ...
            ths40
    • It's not immune to the user illegally hacking into his phone to disable

      the security built-in to it and then installing a
      third party remote administration interface and
      leaving it turned on at all times with the default
      password, no.
      AzuMao
  • password changing instructions:

    To prevent this, you just need to change your root
    password (note, this is NOT the 4 digit password
    on your lock screen).

    This is how you do it:
    http://justanotheriphoneblog.com/wordpress/iphone-tips/how-to-change-the-iphones-root-password
    lostarchitect
    • Broken or False link

      This is either a broken or false lead link.
      no need to follow this.
      jzac888
      • it's not false

        or broken, the ZDNet forum didn't allow the full address to be hotlinked for some reason. Follow This link to the page:

        http://tiny.cc/78ph4

        aka:

        http://justanotheriphoneblog.com/wordpress/iphone-tips/how-to-change-the-iphones-root-password
        athynz
      • Ignore jzac888's post. The link is fine. Just copy and paste it.

        AzuMao
  • No thanks, I'll stick with the safer platform

    Hackers only go after low hanging fruit which, in this
    case, is the iPhone. I don't care [b]why[/b] there aren't
    worms going around trying to break into Windows Mobile
    phones, all I know is that I'm much, much, [b]much[/b]
    safer running Windows Mobile. Keep your worm infested
    Apple iPhone, I'm staying with the safer platform.

    Cue the double standards...
    NonZealot
    • If by double standards you mean accuracy...

      ...then here you go.

      The iPhone as designed by Apple has been fine to date. Jailbroken phones haven't been.

      So I think what you meant to say was that you'll stick with WinMo as opposed to a Jailbroken iPhone.

      Consider this a gift.
      maskman01
      • Jailbroken, not jailbroken, white case, black case... all still the iPhone

        The iPhone platform is the hacker's favorite
        because it is the least secure. Thanks but no
        thanks, I'm sticking with the secure platform. No
        worms, nothing to "jailbreak" (whatever that term
        means, I'm just a user, don't care about learning
        your techno babble). Windows Mobile "Just Works"
        and I don't need to pay for an AV subscription to
        use it safely, unlike the iPhone. :)
        NonZealot