ESET Threat Blog

Archive for the 'ikee' Category

Hacker tool exploits vulnerability in jailbroken iPhones


Wednesday, November 11th, 2009

I don't really want to keep banging on about jailbroken iPhones when there are threats out there that affect many more people (though according to Intego, 6-8% of iPhones are, in fact, jailbroken, so I don't want to minimize the threat either).

I'm quoting Intego because they've just blogged (http://blog.intego.com/2009/11/11/intego-security-memo-hacker-tool-copies-personal-info-from-iphones/) what I think is a critical development. They claim to have found a hacker tool that uses the same vulnerability that the ikee worm uses in order to connect to any jailbroken iPhone where the owner hasn't changed the root password. They say that this threat, which they call iPhone/Privacy.A, can be installed on Macs or PCs and can work under Unix or Linux. It's not clear from the blog whether it works under Windows: however, if it doesn't, a version could obviously be created that would. It isn't a virus or worm, but it allows a criminal to steal information from a jailbroken iPhone without advertising its presence.

Intego are, quite rightly, pointing out the dangers of jailbreaking. If you do have a jailbroken iPhone, you do need, at the very least, to change the root and mobile passwords as soon as possible. This threat is rated as low risk by Intego, and I think that's about right at present. However, the default password genie is well out of the bottle now, as I mentioned here and here, and iPhone owners need to consider the risk not only from the threats reported so far, but the potential risk from future threats using similar approaches.

Forget all the verbiage about pranks: there's nothing funny about this.

(Hat tip to Graham Cluley for alerting me to the Intego blog.)

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

ikee iPhone iWorm iSource: iYukkkkk!!!!


Tuesday, November 10th, 2009

Inevitably, the source code for the ikee worm I mentioned in a previous blog (http://www.eset.com/threat-center/blog/2009/11/10/iworm-ikee-sex-and-drugs-and-rick-and-roll) has crept back out from under its rock.

It's probably equally inevitable that there'll be more script-kiddy attempts to produce variants, and it will be easier for heavy-duty malware creators to produce new malware using similar techniques, if they're so minded.

If you have a jailbroken iPhone, now would be a good time to make sure that you've reset the passwords for the root and mobile accounts. See http://cydia.saurik.com/password.html for details on how to do this.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


iWorm ikee: Sex and Drugs and Rick and Roll


Tuesday, November 10th, 2009

The iPhone, it seems, is under siege: a recent worm exploits a known (and previously exploited) vulnerability that affects the owners of "jailbroken" phones on which OpenSSH has been installed. (Jailbreaking allows iPhone users to install and use unapproved applications.)

Of course, there's been an enormous amount of media coverage on this already (I've just returned from a conference trip at which I had no email access), and I don't care for "me too" blogs, but there's also been a certain element of mythmaking, so I'm going to concentrate on a few aspects of this (admittedly interesting) event that I don't think have received sufficient attention.

Jailbreaking is (irrespective of whether it's a good idea) enough to expose an iPhone to infection by this particular worm.

  • As far as I can tell, every known variant spreads by scanning hardcoded IP ranges owned by Optus in Australia (http://isc.sans.org/diary.html?storyid=7549, http://www.h-online.com/security/news/item/First-iPhone-worm-features-Rick-Astley-854085.html). That doesn't mean a comparable attack can't be carried out in any IP space, of course (an Intego blog does suggest a spread beyond Australia, but I haven't seen that corroborated elsewhere so far), especially as the source code was publicly available for a while and lots of people seem to be furiously searching for it. No doubt for entirely virtuous reasons. (Thanks, Graham.)
  • Jailbreaking doesn't entail installing OpenSSH. You have to have chosen to install it subsequently. (Thanks, Roel.) That doesn't mean, though, that similar exploits can't be used with other applications.
  • You also need to be using the default passwords for the root and mobile accounts: resetting those passwords blocks this particular infection. That doesn't fix everything, though. Passwords may be reset to default, notably by firmware upgrades.
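The preconditions above mean the worm's only way in is an SSH password login to the root or mobile account from an outside address, which is exactly what an owner's sshd log would record. As an added, defender-side illustration (not code from the original post or from ESET), the following parses standard OpenSSH authentication lines and flags password logins to the two stock accounts from outside a trusted network; the sample lines are constructed with RFC 5737 test addresses, and the trusted prefix (the owner's home LAN) is an assumption.

```python
import re
from collections import Counter

# Constructed sample sshd auth lines (not real traffic; RFC 5737 test addresses),
# in OpenSSH's standard "Accepted/Failed <method> for <user> from <ip>" format.
SAMPLE_LOG = """\
Nov 10 02:11:03 iPhone sshd[412]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov 10 02:11:04 iPhone sshd[412]: Accepted password for root from 203.0.113.7 port 51022 ssh2
Nov 10 02:11:09 iPhone sshd[415]: Accepted password for mobile from 203.0.113.7 port 51030 ssh2
Nov 10 07:45:12 iPhone sshd[501]: Accepted publickey for mobile from 192.168.1.20 port 40112 ssh2
Nov 10 08:01:00 iPhone sshd[520]: Failed password for root from 198.51.100.9 port 33001 ssh2
"""

# Matches the fields of an OpenSSH authentication result line
# ("invalid user" is skipped so the real username is captured).
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# The two accounts every jailbroken iPhone ships with.
STOCK_ACCOUNTS = {"root", "mobile"}


def parse_sshd_lines(text):
    """Return a list of (result, method, user, ip) tuples, one per auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_suspicious_logins(text, trusted_prefixes=("192.168.",)):
    """Flag successful password logins to root/mobile from outside the
    trusted networks (assumed here to be the owner's home LAN).
    Returns a sorted list of (ip, user) pairs."""
    hits = set()
    for result, method, user, ip in parse_sshd_lines(text):
        if result != "Accepted" or method != "password":
            continue
        if user in STOCK_ACCOUNTS and not ip.startswith(trusted_prefixes):
            hits.add((ip, user))
    return sorted(hits)


def count_failed_stock_guesses(text):
    """Count failed password attempts on the stock accounts per source address."""
    return Counter(
        ip for result, method, user, ip in parse_sshd_lines(text)
        if result == "Failed" and method == "password" and user in STOCK_ACCOUNTS
    )
```

A key-based login from the home LAN is left alone; a password login as root from an outside address is the signature of the default-credential attack the bullets describe.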

So is this really harmless fun? The apparent creator of this mess seems to think so (http://blog.jeltel.com.au/2009/11/interview-with-ikee-iphone-virus.html). That interview seems to me to argue a moral sensibility displaying an immaturity close to the sociopathic, but at least he seems to have attempted to give some information about removing the infection. Given his admitted carelessness in coding and failure to anticipate some of the effects of his malware, you might want to be careful about taking his advice. As I don't have an iPhone or a sample, I'm not currently able to verify its accuracy.

Apparently a number of people agree that it's harmless. Apart from some reports that refer to this "prank" (I'm reminded of Microsoft's attempts to minimize the importance of WM/Concept, the first major Word macro virus, by dubbing it Prank Macro), a poll conducted by Sophos apparently determined that 76% of respondents consider malware an acceptable way to raise security awareness. Well, I never heard that one before… Oh, wait a minute, isn't that the excuse used by countless script kiddies and hobbyist virus writers, not to mention BBC journalists in the market for buying botnets? Well, I'm sure malware will start having a beneficial effect on public security awareness any century now.


David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
