iPhone virus adds botnet powers

Summary: In a similar fashion to the relatively benign ikee virus that was recently released, another iPhone virus is targeting jailbroken Australian devices and builds botnet functionality into it, according to computer security firm, Sophos.

[Image] New virus worse than Rick Astley attack
(Credit: Whirlpool ID, Batman)

If your iPhone has been jailbroken, change your passwords now, advised Paul Ducklin, Sophos Australia's chief of technology.

Ducklin said the writers of this virus included a program called "Duh", which added malicious capabilities not present in last month's ikee release.

"'Duh' is the bot component," said Ducklin. "When an iPhone is first infected it uses Duh to call home, which by chance happens to be a server located in Lithuania. It dobs in your IP numbers — Wi-Fi, 3G — and the name of the phone and makes a unique identifier which will identify your phone the next time you connect," he said.

The virus would replace Apple's default root log-in password, "Alpine", which was automatically used for the SSH program that was exploited by ikee. SSH is the remote-login service used to reach a jailbroken iPhone over the network.

The new password installed by this virus was "ohshit"; knowing it lets the owner regain access and shut out further remote attacks on an infected device. Ducklin said to clean up the device by going to the directory /private/var/mobile/home, typing "passwd" to run the command, and changing the password. "Otherwise the buggers can get back in anytime they want," said Ducklin.

F-Secure's Mikko Hypponen, a fellow information security boffin and the first researcher to analyse a sample of it, wrote today: "The worm is not widespread, but it is much more serious than the first iPhone worm as it seems to try to steal information from the devices."

Ducklin agreed. It was not widespread because it was only a threat to iPhone users who have a jailbroken iPhone, have installed SSH, and have not changed the root log-in password from Apple's "Alpine" default.

On the other hand, while ikee turned off SSH, which would have prevented further attacks of a similar nature, this virus changed the password, meaning that the controller of the server based in Lithuania could gain access to the device.

"That's why I gave out the password," said Ducklin. "It's more malicious because it installs a bot which checks home for instructions. That site's now down but it has the potential to send a file to delete all files on [an infected] phone."
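The behaviour described above (a remote root login over SSH followed almost immediately by a root password change) is a pattern an owner can look for in a jailbroken device's own sshd and passwd log output. The following is an added detection example, not code from the article or from Sophos or F-Secure; the syslog line formats, the sample entries and the five-minute window are constructed assumptions.

```python
"""Flag the ikee/Duh lock-out pattern in constructed sshd/passwd syslog lines."""
import re
from datetime import datetime, timedelta

# Constructed sample log lines (assumed OpenSSH-style syslog output, not real device data).
SAMPLE_LOG = """\
Nov 22 03:14:05 iPhone sshd[412]: Accepted password for root from 203.0.113.45 port 51022 ssh2
Nov 22 03:14:07 iPhone passwd[417]: password changed for root
Nov 22 09:30:11 iPhone sshd[520]: Accepted password for mobile from 192.168.1.20 port 49712 ssh2
Nov 22 09:31:00 iPhone sshd[521]: Failed password for root from 198.51.100.9 port 40001 ssh2
"""

ACCEPT_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")
PASSWD_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ passwd\[\d+\]: password changed for (\S+)")


def _ts(stamp, year=2009):
    """Syslog timestamps carry no year; the year is an assumption for the sample."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def _is_private(ip):
    """Treat RFC 1918 and loopback addresses as the owner's own network."""
    return ip.startswith(("10.", "192.168.", "127.")) or any(
        ip.startswith(f"172.{i}.") for i in range(16, 32))


def find_takeovers(log_text, window_seconds=300):
    """Return (ip, login_time, change_time) for every root password login from a
    non-private address that is followed within window_seconds by a root
    password change: the lock-out the article attributes to the Duh bot."""
    logins, changes = [], []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m and m.group(2) == "root" and not _is_private(m.group(3)):
            logins.append((_ts(m.group(1)), m.group(3)))
            continue
        m = PASSWD_RE.match(line)
        if m and m.group(2) == "root":
            changes.append(_ts(m.group(1)))
    window = timedelta(seconds=window_seconds)
    return [(ip, t_login.isoformat(), t_change.isoformat())
            for t_login, ip in logins
            for t_change in changes
            if timedelta(0) <= t_change - t_login <= window]


if __name__ == "__main__":
    for ip, t0, t1 in find_takeovers(SAMPLE_LOG):
        print(f"root login from {ip} at {t0}; root password changed at {t1}")
```

A hit means the root credential has already been used from outside and replaced, so the remediation is the one Ducklin gives: log in with the new password and run passwd.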

The latest iPhone virus is the third of its kind in the past two months.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code, for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

Talkback

1 comment
  • And instructions on how to change the root pass

    And in future, what's the chance you can also put the instructions on 'how to change the password' in your article with a link?

    Especially when you say
    "If your iPhone has been jailbroken, change your passwords now, advised Paul Ducklin, Sophos Australia's chief of technology."

    You can find instructions on how to change it here.

    http://www.f-secure.com/weblog/archives/cydia.htm

    .. just an idea..
    anonymous