Second iPhone worm behaves like botnet

update As with first malware, new worm affects SSH protocol in jailbroken iPhones but is "much more serious" as it may attempt to steal data, F-Secure warns.
Written by Vivian Yeo, Contributor

update A second iPhone exploit has been identified by security vendor F-Secure, which claims the new worm has botnet capability and is more threatening than its predecessor.

Mikko Hyponen, chief research officer at F-Secure, said in a blog post that the new worm, like the first, affects jailbroken iPhones with SSH (secure shell) protocol enabled and unchanged default passwords. The Finnish security company has yet to name the new threat.

Ikee, which was discovered earlier this month, was said to infect vulnerable phones in Australia. When the worm strikes, it alters the iPhone's wallpaper to an image of Rick Astley with the message "ikee is never going to give you up".

According to F-Secure, the latest worm connects to a Web-based command and control center in Lithuania.

"The worm is not widespread, but it is much more serious than the first iPhone worm as it seems to try to steal information from the devices," Hyponen said in the blog post.

In July, F-Secure indicated that the iPhone has a 10 percent share of the smartphone market. Symbian is currently the most popular smartphone platform, at 49 percent.

Altered password recovered
Paul Ducklin, Sophos' head of technology for the Asia-Pacific region, in a blog post Monday that the new worm he dubbed "Duh" changes the root password which is hidden from users.

Using a password cracker, Ducklin identified the new password as "ohshit". Using this password, users of infected phones can log back into their iPhones and remove the virus, he said.

In a follow-up e-mail to ZDNet Asia, Ducklin said users should upon login check for a directory named "/private/var/mobile/home", which hosts the viral files. Files named "inst", "cydia.tgz", "duh", "sshd" and "syslog" ought be be removed to deactivate the malware, he said.

"Don't have an 'ohshit' moment. Don't give jailbreaking a bad reputation. Change those passwords now," he urged. "Duh changes any password which is currently 'alpine', not just the root password. So fix any user accounts as well."

The latest worm, Ducklin pointed out, was "not unexpected" given the chain of events leading up to it. "A Dutch guy hacks into iPhones--using 'alpine' [as password]--to ask for 5 euros to explain how to secure your phone. There's a reaction.

"Two weeks later an Aussie builds on this idea by writing Ikee, a self-replicating attack, in what he blithely claims to have been an experiment gone wrong," he noted. "And two weeks after that, someone else builds on Ikee with the 'Duh' virus--using Ikee's idea for copying itself to other devices combined with a botnet-based command channel."

Editorial standards