Password recovery for the latest iPhone worm

Filed Under: Apple, Malware, Mobile, Spam

As you have probably heard from my fellow bloggers at Sophos, a new iPhone worm is doing the rounds. Most reports seem to be coming from the Netherlands.

I was on my way back from Manila whilst my chums were blogging, so I can only add a johnny-come-lately post to what they've already said, but at least I have some useful news: the new root password on infected iPhones.

Duh infector code

I don't know whether we have an official name for this worm yet, but I'll refer to it as Duh, because that is the name which the virus itself gives to the component which strongly differentiates it from the earlier Ikee worm -- "duh" is the part which reports back to Cybercrime Control (at IP number 92.61.38.16, which appears to be in Lithuania) that you have been infected, and then regularly checks back for commands to download and run later. That makes this virus a true bot or zombie.

Unlike Ikee, which maliciously turned off SSH after it had broken in (and, yes, I call that a malicious side-effect, choosing to disbelieve those who thought this was an attempt by the author to do something good), the Duh virus changes the root password but leaves SSH running. So you are close to being able to log in and remove the virus, but no cigar.

The password is changed by rewriting its hashed value in /etc/master.passwd, not by running the passwd command with the new password in plaintext. This shields the value of the new password, so that the cybercrooks know what it is, but you don't.

Thanks, however, to John the Ripper, I can tell you that the new password is: 'ohshit'.

So if you have a jailbroken phone running SSH, which you used to be able to log into as root with the password 'alpine' but which is now inaccessible, try 'ohshit' as your root password. If you get in, you are almost certainly infected with the Duh virus.

Perhaps, in fact, Duh is a good name for this virus. It will only infect those who escaped Ikee infection (since those phones would no longer have SSH active for the new virus to break in through) but still didn't bother to change their root password away from Apple's feeble default root password of 'alpine'.

Don't have an 'ohshit' moment. Don't give jailbreaking a bad reputation. Change those passwords now. (Duh changes any password which is currently 'alpine', not just the root password. So fix any user accounts as well.)
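As an added example (not code from the original post), here is a small Python check of a BSD-style master.passwd file for the two passwords discussed above: the factory default 'alpine' and the worm's replacement 'ohshit', re-hashed under each entry's own salt rather than compared against a fixed hash string. It assumes traditional DES crypt(3) hashing as iPhone OS used at the time; the sample entries, salts and verdict labels are constructed for this example, not a real capture.

```python
import hashlib
import warnings
warnings.filterwarnings("ignore", category=DeprecationWarning)  # crypt is deprecated
try:
    import crypt as _crypt            # removed from the stdlib in Python 3.13
except ImportError:
    _crypt = None
CANDIDATES = {"alpine": "DEFAULT", "ohshit": "DUH_MARKER"}  # labels chosen for this example

def hash_password(password, salt):
    """Traditional DES crypt(3) with a 2-char salt, as in iPhone OS's BSD-style
    master.passwd; falls back to a labelled stand-in (NOT real crypt) if unavailable."""
    if _crypt is not None:
        try:
            digest = _crypt.crypt(password, salt)
        except OSError:
            digest = None
        if digest and len(digest) == 13:  # libxcrypt returns "*0" when DES is disabled
            return digest
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()[:11]

def parse_master_passwd(text):
    """Yield (name, hash) from name:hash:uid:gid:class:change:expire:gecos:home:shell."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"malformed entry: {line!r}")
        yield fields[0], fields[1]

def classify_accounts(text):
    """Map each account to LOCKED, DEFAULT (still 'alpine'), DUH_MARKER (the worm's
    'ohshit') or OTHER, re-hashing each candidate under the entry's own salt."""
    verdicts = {}
    for name, stored in parse_master_passwd(text):
        if stored in ("", "*"):           # no usable hash: locked account
            verdicts[name] = "LOCKED"
            continue
        salt = stored[:2]                 # traditional crypt keeps the salt up front
        verdicts[name] = next((label for pw, label in CANDIDATES.items()
                               if hash_password(pw, salt) == stored), "OTHER")
    return verdicts

# Constructed sample, not a real capture: root has the worm's hash, 'mobile' the default.
SAMPLE = "\n".join([
    f"root:{hash_password('ohshit', 'Ab')}:0:0::0:0:System Administrator:/var/root:/bin/sh",
    f"mobile:{hash_password('alpine', 'Xy')}:501:501::0:0:Mobile User:/var/mobile:/bin/sh",
    "nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false",
])
```

A root entry that classifies as DUH_MARKER is the same signal as being able to log in with 'ohshit'; any entry classified DEFAULT is a password that still needs changing.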


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog