New iPhone worm found in the wild

A second and more nefarious iPhone worm has been discovered that connects to a Lithuanian server to upload stolen data and turn control of the device over to the bot master. Lovely.
Written by Jason D. O'Grady, Contributor

On November 2 a hacker was able to identify jailbroken iPhones running SSH on T-Mobile's Netherlands network via port scanning, and used that weakness (SSH reachable with the default password unchanged) to change the wallpaper to a message demanding a 5 Euro ransom.

On November 7 another piece of malware, dubbed ikee, "rickrolled" compromised iPhones by changing the wallpaper to a picture of Rick Astley.

Today a new, more nefarious worm that attacks jailbroken iPhone and iPod Touch devices has been discovered. According to Sophos this latest iPhone worm was discovered when a Dutch ISP reported unusual amounts of data traffic. Slashdot posted a link to a translation of a Dutch security blog post with more details.

There are some significant differences from the 5 Euro scam, the most notable of which is that this worm uses command-and-control like a traditional PC botnet. It configures two startup scripts, one to execute the worm on boot-up, and the other to create a connection to a Lithuanian server (HTTP) to upload stolen data and cede control to the bot master.

Security.nl reports that the new worm changes the SSH root password, locking the owner out of the same access route and making it more difficult to stop.

This worm scans IP ranges belonging to a wider set of ISPs, including UPC (Netherlands), Optus (Australia), and T-Mobile (many). When an infected device is hooked up to a WiFi connection, the worm can spread more quickly to more IP addresses than it can over a typical 3G connection.

It's difficult to tell if your iPhone has been compromised, but one symptom is that battery life becomes very, very short when the device is connected to WiFi, because the worm is generating so much network activity. The recommended method to remove this malware from your iPhone is to restore the Apple factory firmware using iTunes.
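The scanning behaviour described above is exactly what an ISP or WiFi network operator can look for on their side. The following is an added example, not code from the article: it reads a simple connection log and flags any source address that contacts many distinct hosts on TCP port 22 within a short window. The log format, the sample addresses and the threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): "<ISO time> <src> -> <dst>:<port>".
# 10.0.0.5 behaves like an infected handset sweeping a /24 for SSH;
# 10.0.0.9 is an admin reconnecting to one SSH host; 10.0.0.7 is web browsing.
SAMPLE_LOG = "\n".join(
    [f"2009-11-22T10:00:{i:02d} 10.0.0.5 -> 10.0.1.{i + 1}:22" for i in range(25)]
    + [f"2009-11-22T10:00:{s} 10.0.0.9 -> 10.0.1.1:22" for s in ("10", "40", "41")]
    + [f"2009-11-22T10:01:{i:02d} 10.0.0.7 -> 192.0.2.{i + 1}:80" for i in range(30)]
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) for one log line."""
    ts, src, _, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)


def find_ssh_scanners(log_text, window=timedelta(seconds=60), threshold=20):
    """Return {src_ip: peak_distinct_targets} for sources that contacted at
    least `threshold` distinct hosts on TCP/22 inside any `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, port = parse_line(line)
        if port == 22:
            by_src[src].append((ts, dst_ip))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        peak = 0
        for i, (start, _) in enumerate(events):
            # Distinct SSH targets touched in the window beginning at this event.
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            peak = max(peak, len(targets))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for src, count in find_ssh_scanners(SAMPLE_LOG).items():
        print(f"{src}: {count} distinct SSH targets within 60s -> possible worm")
```

A legitimate administrator reconnecting to one server repeatedly is not flagged, because the rule counts distinct destinations rather than connection attempts.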

If you've jailbroken your phone and are running SSH, change the default password.
