How to clean up the Duh iPhone worm

Filed Under: Apple, Malware, Mobile, Spam

I'm quite pleased about having been able to reveal the 'ohshit' password for iPhones infected with the Duh virus. I've already had emails from happy Dutch readers who have used it to get back control of their infected devices.

This begs the questions: how does the Duh virus spread, and how do you get rid of it?

The Duh virus is split into two main parts. The first is a program named sshd, which is almost certainly ripped off from the code of the Ikee virus. This is the infector component. It scans through a wide range of IP addresses, looking for potential victims to which it can connect via SSH as user root with password alpine.

If it gets into your phone, it creates a directory named /private/var/mobile/home to hold the malware. The infector installs the malware by copying across an archive called cydia.tgz, unpacking it and running a setup script called inst.

Additionally, the infector creates a random string of digits to act as an infection ID for your computer. This ID is stored in the file /etc/rel. This ID, plus the system name of your iPhone and any IP numbers assigned to any network interfaces, are uploaded to Duh's botnet command server in Lithuania. Lastly, the infector changes all 'alpine' passwords to 'ohshit'.

The second part of the malware is a script named syslog. This is the zombie component, which is configured by the infector to call home to the command server every five minutes. It calls home using a program called duh, after which the malware is named. The duh program is a simple HTTP downloader. Whatever it downloads is executed as a series of shell commands, so that the cybercrooks have very general remote control over your device.

To disinfect your iPhone, you should login as root with the password ohshit and remove at least the following files:

/private/var/mobile/home/sshd
/private/var/mobile/home/cydia.tgz
/private/var/mobile/home/inst
/private/var/mobile/home/syslog
/private/var/mobile/home/duh

However, since the directory /private/var/mobile/home does not exist on regular, uninfected iPhones, you may as well remove the entire directory and any subdirectories. Remove the file /etc/rel while you are about it. And don't forget to change your passwords, as shown below.

Interestingly, the Duh sample which I received for analysis was technically not a virus, though it had clearly once been viral. Perhaps the sample was sent from an iPhone on which the victim had been unable to resist fiddling with the malware, or perhaps the sample came from the original author after he -- or she, though history says that this is unlikely -- had undergone a change of heart. (When I say "not a virus", I mean "not capable of transitive replication". In other words, I also mean "not a worm". A worm is just a special sort of virus.)

In particular, the sample I analysed included the sshd infector, but this file was missing from the cydia.tgz archive. So, phones infected by "my" sample would end up zombified and 'ohshit'tified, but not themselves able to spread the malware any further. Also, a line of code in the installer which is supposed to extract your SMS texts and send them off to Lithuania had been commented out.

Of course, another way to remove this virus is to restore your iPhone with Apple's own firmware. Once you have done this, you need to decide whether to jailbreak your phone again.

St. Steve of Cupertino thinks you shouldn't, but there are some good reasons why you might want to liberate yourself from Apple's almost religious restrictions. One of those reasons is the freedom and convenience of installing SSH...

...which is how you got into trouble in the first place. So if you do jailbreak your phone a second time, please remember that with freedom comes responsibility. By default, the accounts root and mobile have the 'alpine' password, so be sure to reset the passwords on those accounts!

Assuming you are logged in as root, you can use the passwd command, like this:

# passwd
Changing password for root.
New password:
Retype new password:
# passwd mobile
Changing password for mobile.
. . . .

Good luck.

PS: Sophos has released detection for the Duh virus, which we call iPh/Duh. Why not try out Sophos Anti-Virus for OS X on your Mac? Then you can connect up your iPhone and scan it, just in case.

, , , , , , , ,

You might like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog