I had guessed we would see a dangerous incarnation of a worm for the iPhone within a week of the 5 Euro scam that Graham blogged about on November 3rd. Fortunately my prediction was wrong, and we made it almost 3 weeks before someone succumbed to the temptation to take advantage of the vulnerability in jailbroken iPhones.
A Dutch ISP has reported unusual amounts of data traffic related to the worm, which was the first indication that something was wrong. Slashdot posted a link to a translation of a Dutch security blog post with more details.
This worm, like the others, only attacks jailbroken iPhone and iPod Touch devices. There are some significant differences from the 5 Euro scam, the most notable being that this worm uses command-and-control like a traditional PC botnet. It installs two startup scripts: one executes the worm at boot, and the other opens an HTTP connection to a server in Lithuania to upload stolen data and hand control to the bot master.
Security.nl also says that the worm changes the root password from the default of “alpine” that Apple set in the factory firmware, making it more difficult for users to secure their devices. The recommended method to remove this malware from your iPhone is to restore the Apple factory firmware using iTunes.
This worm attacks IP ranges belonging to a larger set of ISPs, including UPC (Netherlands), Optus (Australia), and T-Mobile (Many). When an infected device is connected to WiFi, the worm can spread to more IP addresses more quickly than it can over a typical 3G connection. One symptom noted by security.nl is that battery life becomes very short when the device is on WiFi, because the worm generates so much network activity.
Each infected device is assigned a unique ID number, which allows the attackers to further investigate a phone found to have interesting content. This could lead to significant data theft if a sensitive phone has been jailbroken.
The worm may also be related to banker Trojans, as it appears to look for mTANs (mobile transaction authentication numbers), an SMS-based two-factor authentication system. When you attempt to log in to your bank’s website, the bank sends you an SMS containing a one-time password, which you then enter on the website to complete the login.
If you have jailbroken your iPhone, I recommend restoring it to the current Apple-supplied firmware. If you want freedom of application choice, perhaps you should consider an Android-based phone rather than hacking your device into a potentially insecure state.
IT administrators concerned about compromised devices on their networks would need to do a physical spot check for jailbroken phones. iPhones do not appear to be able to report any sort of status information back, so there is no way to use them securely in an enterprise environment. If an infected phone is also connected to your MS Exchange, WiFi, or VPN environment, all of your confidential data could be at risk.
This further demonstrates that iPhones are not ready for the business environment. Apple has made a great effort at preventing people from cracking into their software and unlocking/jailbreaking their devices, but where there is a will, there will always be a way.
Creative Commons image courtesy of Dirk Hartung’s flickr photostream.
UPDATE: Mikko Hypponen reports that the IP address the worm uses for C&C is 220.127.116.11. If you are a mobile operator, you may wish to block or monitor traffic to this IP address.
UPDATE 2: Paul Ducklin has discovered the new root password set by this worm to be “ohshit”. For more information see Paul’s blog.
UPDATE 3: Now that Paul has recovered the password, you do not need to restore the Apple firmware. You can follow Paul’s clean-up instructions.
Note: Some people have commented that corporate iPhones are not likely to be jailbroken. Let me clarify my point. If you have added an employee’s iPhone to your network, you cannot tell whether that phone is jailbroken without checking the device directly. There is no way to know whether these phones are vulnerable to attack without scanning them for SSH and trying the default password.
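For the network side of the checks suggested in the C&C update and in the note above, here is an added example (it is not code from the original post or from Sophos) that scans a connection log for two indicators the post describes: any internal host talking to the reported C&C address, and a single host fanning out SSH (tcp/22) connection attempts to many neighbours, which is what a device infected with this worm looks like on WiFi. The log format ("timestamp src dst dport proto"), the fan-out threshold, and the sample records are all assumptions constructed for the example.

```python
"""Flag iPhone-worm indicators in a simple connection log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# C&C address reported in the post's update.
CNC_IP = "220.127.116.11"
# Assumed threshold for this example: distinct tcp/22 targets from one host
# before we call it a scanner. Tune to your network's normal SSH usage.
SSH_FANOUT_THRESHOLD = 5


@dataclass(frozen=True)
class Conn:
    ts: int
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line: str) -> Optional[Conn]:
    """Parse one record of the assumed 'ts src dst dport proto' format.

    Malformed records are skipped (returned as None) rather than aborting.
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return Conn(int(ts), src, dst, int(dport), proto.lower())
    except ValueError:
        return None


def find_cnc_talkers(conns: Iterable[Conn]) -> List[str]:
    """Sources that contacted the C&C IP, regardless of port."""
    return sorted({c.src for c in conns if c.dst == CNC_IP})


def find_ssh_scanners(conns: Iterable[Conn],
                      threshold: int = SSH_FANOUT_THRESHOLD) -> Dict[str, int]:
    """Map src -> number of distinct tcp/22 destinations, for hosts at or
    above the threshold. A worm probing for jailbroken devices produces a
    wide fan-out; an administrator's SSH session produces one or two."""
    targets = defaultdict(set)
    for c in conns:
        if c.proto == "tcp" and c.dport == 22:
            targets[c.src].add(c.dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


def analyze(lines: Iterable[str]) -> Dict[str, object]:
    conns = [c for c in map(parse_line, lines) if c is not None]
    return {"cnc": find_cnc_talkers(conns),
            "scanners": find_ssh_scanners(conns)}


# Constructed sample log. 10.0.0.7 plays the infected handset; 10.0.0.9 is
# a normal host whose one SSH session should not be flagged.
SAMPLE_LOG = [
    "1258900001 10.0.0.7 10.0.0.12 22 tcp",
    "1258900002 10.0.0.7 10.0.0.13 22 tcp",
    "1258900003 10.0.0.7 10.0.0.14 22 tcp",
    "1258900004 10.0.0.7 10.0.0.15 22 tcp",
    "1258900005 10.0.0.7 10.0.0.16 22 tcp",
    "1258900006 10.0.0.7 10.0.0.17 22 tcp",
    "1258900007 10.0.0.7 220.127.116.11 80 tcp",  # beacon to C&C
    "1258900008 10.0.0.9 10.0.0.12 22 tcp",        # one legitimate SSH session
    "1258900009 10.0.0.9 192.0.2.10 443 tcp",      # ordinary HTTPS
    "this line is malformed",
]

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("hosts contacting C&C:", report["cnc"])
    print("SSH scanners (src: distinct targets):", report["scanners"])
```

The C&C match is exact by design: once the operator's block or monitor rule is in place, any hit is worth a look. The fan-out rule is the one to calibrate; on a network where jump hosts legitimately SSH to many machines, restrict it to the WiFi client ranges where handsets actually live.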