Password recovery for the latest iPhone worm


As you have probably heard from my fellow bloggers at Sophos, a new iPhone worm is doing the rounds. Most reports seem to be coming from the Netherlands.

I was on my way back from Manila whilst my chums were blogging, so I can only add a johnny-come-lately post to what they’ve already said, but at least I have some useful news: the new root password on infected iPhones.

Duh infector code

I don’t know whether we have an official name for this worm yet, but I’ll refer to it as Duh, because that is the name which the virus itself gives to the component which strongly differentiates it from the earlier Ikee worm — “duh” is the part which reports back to Cybercrime Control (at IP number, which appears to be in Lithuania) that you have been infected, and then regularly checks back for commands to download and run later. That makes this virus a true bot or zombie.

Unlike Ikee, which maliciously turned off SSH after it had broken in (and, yes, I call that a malicious side-effect, choosing to disbelieve those who thought this was an attempt by the author to do something good), the Duh virus changes the root password but leaves SSH running. So you are close to being able to log in and remove the virus, but no cigar.

The password is changed by rewriting its hashed value in /etc/master.passwd, not by running the passwd command with the new password in plaintext. This shields the value of the new password, so that the cybercrooks know what it is, but you don’t.

Thanks, however, to John the Ripper, I can tell you that the new password is: ‘ohshit’.

So if you have a jailbroken phone running SSH, which you used to be able to log into as root with the password ‘alpine’ but which is now inaccessible, try ‘ohshit’ as your root password. If you get in, you are almost certainly infected with the Duh virus.

Perhaps, in fact, Duh is a good name for this virus. It will only infect those who escaped Ikee infection (since those phones would no longer have SSH active for the new virus to break in) but still didn’t bother to change their root password away from Apple’s feeble default root password of ‘alpine’.

Don’t have an ‘ohshit’ moment. Don’t give jailbreaking a bad reputation. Change those passwords now. (Duh changes any password which is currently ‘alpine’, not just the root password. So fix any user accounts as well.)
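A defender's audit of /etc/master.passwd for the two passwords this post names (Apple's default 'alpine' and the worm's 'ohshit'), covering every account as the last paragraph advises; this is an added example, not code from the original post. It assumes Python's standard crypt module (removed in 3.13, so a verifier function can be injected), and the sample accounts are constructed.

```python
"""Flag accounts in a BSD-style master.passwd whose hash verifies against
Apple's default 'alpine' or the Duh worm's 'ohshit'. Added example."""
try:
    import crypt  # standard-library crypt(3) wrapper; absent on Python 3.13+
except ImportError:
    crypt = None  # caller must inject a verify= function instead

# Hypothetical findings text; the two passwords are the ones named in the post.
KNOWN_PASSWORDS = {
    "alpine": "still on Apple's default root password - change it now",
    "ohshit": "hash matches the Duh worm's password - treat as infected",
}


def crypt_verify(candidate, stored_hash):
    """True if crypt(3) of candidate, salted from stored_hash, reproduces it."""
    if crypt is None:
        raise RuntimeError("crypt module unavailable; pass verify= explicitly")
    return crypt.crypt(candidate, stored_hash) == stored_hash


def parse_master_passwd(text):
    """Yield (user, hash) per account line; comments and blank lines skipped.
    Fields: name:password:uid:gid:class:change:expire:gecos:home:shell"""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 10:
            continue  # malformed line, ignore rather than guess
        yield fields[0], fields[1]


def audit_master_passwd(text, verify=crypt_verify):
    """Return {user: finding} for accounts whose hash matches a known password.
    Locked ('*') or empty hashes are skipped; the worm only rewrites real ones."""
    findings = {}
    for user, pw_hash in parse_master_passwd(text):
        if pw_hash in ("", "*"):
            continue
        for candidate, message in KNOWN_PASSWORDS.items():
            if verify(candidate, pw_hash):
                findings[user] = message
                break
    return findings


if __name__ == "__main__" and crypt is not None:
    # Constructed sample: hashes generated on the fly so it runs on any host.
    sample = "\n".join([
        "root:%s:0:0::0:0:System Administrator:/var/root:/bin/sh"
        % crypt.crypt("ohshit", crypt.mksalt()),
        "mobile:%s:501:501::0:0:Mobile User:/var/mobile:/bin/sh"
        % crypt.crypt("alpine", crypt.mksalt()),
        "_sshd:*:75:75::0:0:sshd privsep:/var/empty:/usr/bin/false",
    ])
    for user, finding in audit_master_passwd(sample).items():
        print("%s: %s" % (user, finding))
```

Run it against a copy of the phone's master.passwd pulled over SSH; any account it reports should have its password changed, and a root hit on 'ohshit' means clean-up, not just a password change.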