Video Screencast Help
Security Response

Yet Another iPhone Worm?

Created: 22 Nov 2009 08:20:09 GMT • Updated: 23 Jan 2014 18:31:07 GMT
John McDonald's picture
0 0 Votes
Login to vote

It's only been a couple of short weeks since the iPhone background-changing incident that took the world by storm (well, parts of Australia at least), but already a Dutch ISP has reported what would be the first malicious iPhone worm to be seen in the wild.

Unfortunate news to be sure, but not exactly surprising. Our two recent blogs relating to iPhone threats warned (and I quote) that 'the publicly released code could easily be altered so that consequences were not so benign'. In case you missed them, the first blog was about the Ikee rickroller, which wasn't really considered malicious in that it only changed the iPhone background to a picture of 80's pop singer Rick Astley and was really more of a warning from the creator that jailbroken iPhones in a certain state could be compromised. That incident was followed closely by a hacktool that ran on computers but tried to scan for and log onto vulnerable devices. In both cases the so called vulnerable devices were restricted to jailbroken iPhones running SSH and using the default password of "alpine".

The new worm, which also targets jailbroken iPhones running SSH and still using the default password, can reportedly steal data contained on the iPhone as well as connect back to the attacker giving them control over the phone including the ability to download and install malware onto it. The root password may also be changed in order to prevent the owner from accessing the device. Unlike the first iPhone worm, this one appears to cover a much broader range of IP addresses, including UPC in the Netherlands, Optus in Australia, possibly a Hungarian and a Portuguese provider, T-Mobile and potentially many others. And although this particular incarnation seems to be very similar in functionality to the hacktool we blogged about , this one supposedly runs and spreads directly from an infected iPhone, not from a computer.

We are currently attempting to source a sample for analysis and will provide more information as it comes to light. If you have been infected and/or have a sample that you can share with us please post about it on the Norton Forum here.

After all the fuss caused by the previous incidents it's hard to believe anyone would have left their jailbroken iPhone in a vulnerable state, but if you think your iPhone (or iPod Touch) may have been compromised, or if you have jailbroken your device and are worried about it, we recommend that you backup your data then restore your device to its factory settings and where applicable apply the latest firmware update from Apple.

We also highly recommend you never leave a password blank, or as the factory default.

UPDATE: Scott McIntyre at XS4ALL kindly provided us with a sample. We have added detection for it as iPhoneOS.Ikee.B.