Security Response

The iPod virus

Created: 05 Apr 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:50:37 GMT
Peter Ferrie

On Wednesday morning, we anonymously received a copy of the first "iPod virus", which we call Linux.Podloso (renamed from Linux.Noslo), a play on the virus author's name of "Oslo". Although this virus is designed to run on iPod Linux, there is nothing iPod-specific in the virus code, so it is not an iPod virus. It is just another proof-of-concept Linux virus.

"iPod Linux" is a software project that allows a user to run a different operating system, Linux, directly on an iPod. So, when the iPod is switched on, the user sees a Linux interface instead of the usual Apple interface. This virus runs within that particular Linux framework and infects the files that are part of that operating system.

The virus arrives as a file called "oslo.mod.so" and it infects specific iPodLinux files on the compromised device. To infect an iPod would require a user to manually copy an infected file to the device. The virus has no way to leave the device on its own.

Once executed, the virus searches the "/usr/lib" directory and all subdirectories for files containing the string "mod.so" in the file name. The virus then checks inside each file to determine whether it is a Linux file and is not currently infected. When an infected file is executed, it will infect other files but it will no longer run the host code.

The virus will display the following message on the iPod screen, once the infection routine is completed:

"You are infected with Oslo the first iPodLinux Virus"


The virus also displays a greetings message on the iPod screen when Linux is shut down.
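The search scope described above also tells a defender which files to watch. The following is an added example, not code from the original post or from the virus: it inventories the same set of files (names containing "mod.so" that are Linux executables) on a mounted copy of the device's "/usr/lib" and compares SHA-256 hashes against an earlier baseline. It assumes "Linux file" means the ELF magic bytes; the function names and the sample tree are hypothetical, and because the post does not describe the infection marker, changes are found by hash comparison instead.

```python
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"        # assumption: "Linux file" means an ELF header
DROPPER_NAME = "oslo.mod.so"  # file name given in the write-up

def inventory(root):
    """Map relative path -> SHA-256 for ELF files whose name contains 'mod.so'."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if "mod.so" not in name or os.path.islink(path):
                continue
            with open(path, "rb") as fh:
                data = fh.read()
            if data[:4] == ELF_MAGIC:  # skip files that only match by name
                found[os.path.relpath(path, root)] = hashlib.sha256(data).hexdigest()
    return found

def triage(baseline, current):
    """Return sorted (kind, path) findings between two inventories."""
    findings = []
    for path, digest in current.items():
        if os.path.basename(path) == DROPPER_NAME:
            findings.append(("dropper-name", path))
        if path not in baseline:
            findings.append(("new", path))
        elif baseline[path] != digest:
            findings.append(("modified", path))
    return sorted(findings + [("missing", p) for p in baseline if p not in current])

def demo():
    """Constructed sample tree standing in for a mounted iPodLinux /usr/lib."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sub"))
        def put(rel, data):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        put("a.mod.so", ELF_MAGIC + b"clean-a")
        put(os.path.join("sub", "b.mod.so"), ELF_MAGIC + b"clean-b")
        put("notes.mod.so.txt", b"not an ELF file")     # name matches, magic does not
        baseline = inventory(root)
        put("a.mod.so", ELF_MAGIC + b"changed")         # content changed since baseline
        put("oslo.mod.so", ELF_MAGIC + b"constructed")  # name from the write-up
        return triage(baseline, inventory(root))

if __name__ == "__main__":
    print(demo())
```

A "modified" finding only means the file differs from the baseline, so it has to be checked against a known-good copy of the module before drawing conclusions.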

This shows that, eventually, a virus writer will target any operating system on any platform, just to show that it can be done. What a waste of time.