ESET Threat Blog

Archive for the 'iPhone' Category

The iPhone Survey Final Results


Tuesday, February 16th, 2010

The Survey is closed and I had a whopping 28 total responses :)

The questions were

1. How often do you connect your iPhone to a computer with iTunes running?
2. Have you owned your iPhone for at least 6 months?
3. How did you learn of this survey?

Five people did not respond to the last question. One respondent uses an iPod Touch, which shares many of the same vulnerabilities that the iPhone has.

For question number 1:

17 (60.7%) connect at least once a week.
6 (21.4%) connect at least once a month.
3 (10.7%) connect at least once every two months.
2 (7.1%) connect less than once every 2 months.

Of the 5 people who have owned their iPhones for less than 6 months, only one reported connecting less than once a week, and that one person connected less than once every two months.
 
Only one or two of the respondents learned of the survey from a non-security related source, with almost all hearing of the survey from the ESET blog or an ESET tweet.

While I do not believe the sample set is statistically sound, it does match my expectations that readers of the blog are probably connecting often enough to get critical security updates. That said, if the numbers hold out for the general population, or if, as I suspect, the general population doesn’t connect as frequently, there could be significant problems with Apple’s approach to iPhone updates. If one doesn’t pay attention to security updates an iPhone worm could be viable. It would be a great idea for Apple, or their service providers, such as AT&T, to proactively notify users when they need to apply patches.

Randy Abrams
Director of Technical Education

iPhones, jailbreaking and blocked Apple IDs


Tuesday, February 16th, 2010

[Update: The Register's John Leyden has also commented on the issue at http://www.theregister.co.uk/2010/02/16/apple_bans_iphone_hackers/]

There's been a burst of interest in the last day or so in the blocking of certain Apple IDs from the iTunes App Store. Some bloggers have suggested that this might be a precursor to a massive blocking of jailbroken phones from accessing the App Store.

However, the reports I've seen all mention only two specific IDs, both associated with individuals who are well known for having publicised vulnerabilities, so it sounds to me as if this measure is specific to individuals perceived as posing a security threat, not a means of punishing jailbreakers by denying them the opportunity to pay for legitimate, approved apps supplied by software houses with whom Apple has a commercial relationship.

More comment on this at Mac Virus here and here. Also, thoughts on the Wholesale Applications Community, which brings together three of Apple's major competitors in the mobile phone industry and a large group of major telecoms providers.

David Harley CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or http://twitter.com/ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/

iPhishing – gathering iPhone data


Thursday, February 11th, 2010

As posted a few minutes ago on Mac Virus, Dancho Danchev has posted information on a phishing campaign where the bad guys are impersonating Apple in order to steal sensitive device information from iPhone users.

Dancho’s post, which has lots of other links, is at:

http://blogs.zdnet.com/security/?p=5460&tag=col1;post-5460

David Harley CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or http://twitter.com/ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://smallbluegreenblog.wordpress.com/
http://avien.net/blog
http://blogs.securiteam.com
http://blog.isc2.org/
http://macvirus.com/

The iPhone Survey


Wednesday, February 10th, 2010

I recently blogged about Patching an iPhone. I’m not sure if I’ll get anymore takers for the survey at http://www.surveymonkey.com/s/V76LK5L, but if I do I’ll update the results.

With 24 responses in, here is what I found.

15 (62.5%) users reported connecting their iPhones to a computer running iTunes at least once a week. Of note, all three of the users who reported owning their iPhones less than 6 months connect at least once a week.

5 (20.8%) users reported connecting to at least once a month.

3 (12.5%) users reported less frequently than monthly, but at least every two months

1 (4.2%) connected less than once every two months.

While some people did not answer the question about how they learned of the survey, the vast majority learned from the blog or a security related tweet. The one response I know came from a non-security related method was one of the people who connects weekly and has owned their iPhone for more than 6 months.

As I expected most readers here tend to connect their iPhones frequently enough that they aren’t at risk of missing critical OS patches for their devices. It would be interesting to see how this stacks up against the average user who doesn’t read security blogs.

If I get more responses by the close of the survey on Friday I’ll update the results. If any of you play farm games, etc. on social networking sites, or can otherwise get people from non-security areas to respond it will make the survey more interesting!

Oh yeah, one response was from an iPod Touch user, but that counts!

Randy Abrams
Director of Technical Education

Patching an iPhone


Monday, February 8th, 2010

Apple recently released a patch for the iPhone operating system. The patch fixes some pretty serious vulnerabilities, but… you must connect your iPhone to a computer and run iTunes to update the iPhone. This led me to start wondering how many iPhone users rarely connect their iPhones to a computer. I suspect there are quite a few people who rarely connect their iPhone to a computer, and that could be a serious problem in the future. Because some of these vulnerabilities can lead to arbitrary code execution, it would be difficult to rule out an iPhone worm.

Ironically, the easy way to prevent a problem with the iPhone is the same way to prevent many problems on PCs, but we have a really hard time getting people to patch their operating system and applications. For current versions of Windows and Snow Leopard it is quite easy to patch if you just let the OS do its work. Some people turn off the automatic updates and often become victims. For third-party applications the landscape is a bit more rugged. Some applications have automatic updates or automatic reminders to check for updates, but not all do.

I’m guessing that most of you who read the blog and have an iPhone probably connect your iPhone to your computer fairly often, but it is only a guess, so I have created a survey, and if you own an iPhone I would be interested in your answers. This is a really short survey and I will stop collecting answers at the end of the week. Please feel free to refer friends who may not read the blog to the survey as well.

The survey is here

I’ll share the results when they have been collected.

Randy Abrams
Director of Technical Education
 

Droid Avoids with an AppleJackHack


Friday, December 11th, 2009

Will the Motorola Droid be the next malware-victimized smartphone? Well, it's a bit early to make a claim like that, but the fact that it's been rooted (an analogous process to jailbreaking on the iPhone and iPod Touch) in order to allow end-users to install unapproved applications, puts the platform one step nearer. See the reports by John Leyden of The Register and Stefanie Hoffman at CRN (actually quoting Wired News' Gadget Lab) for more detail.

As I've pointed out in another blog here, this isn't a precise analogue to the iPhone malware issue. To be precise, I said:

…it does point to the weakness of the whitelisting and restricted privilege models as a sole defence. If an end user is willing to forgo the legitimacy of a vanilla smartphone by “rooting” it, in order to get a wider choice of apps, there are people out there willing to share techniques for doing so. And plenty more ready to take advantage of the resulting exposure to risk, if they can.

And it's certainly a prime example of how a malicious program might find its way onto a Droid using social engineering to make the victim complicit in the process. That is a principle that applies to many other platforms.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch (or @ESETblog)
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Also blogging at:
http://blog.isc2.org/
http://avien.net/blog
http://blogs.securiteam.com
http://dharley.wordpress.com/

Whitelisting and the iPhone


Wednesday, November 25th, 2009

The much reported/blogged iPhone worm does not affect all iPhones. Specifically it affects SOME iPhones that have been jailbroken. A significant part of the iPhone and iPod Touch security model is a technique called “whitelisting”. This is not new and is known to be a very effective security technology that can be used to prevent malicious software from running on all kinds of computers or to only allow access to specific web sites. Fundamentally, network access control is a type of whitelisting.

When an iPhone or Touch is jailbroken, the whitelisting technology that has kept the rest of these devices pretty darn safe is removed. Estimates I have seen published put the number of jailbroken devices at close to 10%. I suspect this number has not yet topped out. So you have a security model that honestly is pretty darned effective and people are removing it. Why is this?
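The two paragraphs above describe the whitelisting model as default-deny (only approved software runs) and jailbreaking as the removal of that check. The following is an added example, not code from the post or from Apple: a hash-based allowlist stands in for the device's real signature check (a simplification; iOS actually verifies code signatures, not a hash table), and the package names, payload bytes and the "jailbroken" evaluator are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    """An install request: a display name plus the bytes that would run."""
    name: str
    payload: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the store's approved catalogue. The hashes are
# computed from made-up payloads here; they are not real App Store data.
APPROVED_PAYLOADS = {
    "Weather": b"weather-app-v1.0 (constructed sample build)",
    "Notes": b"notes-app-v2.3 (constructed sample build)",
}
ALLOWLIST = {name: sha256_hex(blob) for name, blob in APPROVED_PAYLOADS.items()}


def allowlist_decision(pkg: Package, allowlist: dict) -> tuple:
    """Default-deny: run only if the name is listed AND the bytes match.

    Anything unknown, or anything whose bytes differ from the approved build
    (a tampered or repackaged app), is refused without needing a blocklist.
    """
    expected = allowlist.get(pkg.name)
    if expected is None:
        return (False, "not in allowlist")
    if sha256_hex(pkg.payload) != expected:
        return (False, "hash mismatch (tampered or unapproved build)")
    return (True, "approved")


def jailbroken_decision(pkg: Package, allowlist: dict) -> tuple:
    """Allowlist removed: every install request succeeds. Shown for contrast."""
    return (True, "no allowlist enforced")


# Constructed install requests: one approved build, one build whose bytes were
# altered after approval, and one app the catalogue has never seen.
SAMPLE_PACKAGES = [
    Package("Weather", APPROVED_PAYLOADS["Weather"]),
    Package("Notes", APPROVED_PAYLOADS["Notes"] + b" + injected code"),
    Package("FreeGame", b"unreviewed third-party build"),
]


def evaluate(packages, enforce: bool = True) -> dict:
    """Map each package name to (allowed?, reason) under the chosen policy."""
    decide = allowlist_decision if enforce else jailbroken_decision
    return {p.name: decide(p, ALLOWLIST) for p in packages}


if __name__ == "__main__":
    for label, enforce in (("whitelisted device", True), ("jailbroken device", False)):
        print(label)
        for name, (ok, why) in evaluate(SAMPLE_PACKAGES, enforce).items():
            print(f"  {name:10s} {'RUN ' if ok else 'DENY'} {why}")
```

Running it shows the asymmetry the post is getting at: with the allowlist in place, only the untouched approved build runs, while the repackaged build and the unknown app are refused by default; with the check removed, all three run, and the device is back to relying on the user's judgement.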

People love choice and functionality. There is a significant amount of overhead involved in most whitelisting implementations. An employer can deploy a whitelisting solution and mandate its use, but when you get out into user-land and personal property, people like choice, and Apple does not provide the level of choice that a significant number of users desire.

Usability and security are often at odds. In the case of the iPhone malware, there was a really simple security step that protected some users of jailbroken devices. A default password that was changed by security savvy jailbreakers protected their devices from the latest round of jailbroken iPhone vulnerabilities while still allowing them a wider choice of software.

While whitelisting has some strong security advantages, there’s a reason why adoption has been limited.

Randy Abrams
Director of Technical Education

IBot revisited (briefly)


Monday, November 23rd, 2009

I don't want to flog (or blog) this iPhone bot thing to death: after all, the number of potential victims should be shrinking all the time. However, having updated my previous blog (http://www.eset.com/threat-center/blog/2009/11/22/ibot-mark-2-go-straight-to-jail-do-not-pass-go) on the topic a couple of times, I thought I'd actually go to a new blog rather than insert update 3.

So here are the update bits again.

[Update, courtesy of Mikko: this worm targets at least one Dutch bank, and activates when users go to the online bank with an infected iPhone ]

[Update 2, courtesy of Paul Ducklin: how to change the password of an infected phone. I could just tell you what the password is, but you might want to read the whole blog. http://bit.ly/4JJMCu]

And the latest update, courtesy of Henk Diemer, comes from http://www.security.nl/artikel/31552/1/iPhone_botnet_raakt_controle_kwijt.html, which broke a lot of the previous news on this and related malware. (Sorry, it's in Dutch.) The article indicates that the botnet has "lost control".

This may not be as positive as it sounds. It may just mean that the C&C server has been taken down through ISP or law enforcement action, which would be nice. On the other hand, it may mean that the server has been switched or some other change in the botnet infrastructure made. C&C switching is standard botnet practice, and could have been accelerated because of attention from the media and the security industry.

Every time we publicise something like this, we have to weigh the immediate benefit to potential and actual victims against the fact that we may make the situation worse, for instance by stampeding the bad guys into moving the goalposts. Sadly, there's no handy cost/benefit analysis tool to make the choice for us.

Perhaps the least attractive possibility is that another group of bad guys has stuck its oar in, though I've seen no evidence of that being the case, so far. If it did happen, that would suggest another rite of passage completed, and a step beyond mere "Proof of Concept" testing.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Also blogging at:
http://blog.isc2.org/
http://avien.net/blog
http://blogs.securiteam.com
http://dharley.wordpress.com/

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

iBot Mark 2: Go Straight To Jail Do Not Pass Go


Sunday, November 22nd, 2009

[Update, courtesy of Mikko: this worm targets at least one Dutch bank, and activates when users go to the online bank with an infected iPhone ]

[Update 2, courtesy of Paul Ducklin: how to change the password of an infected phone. I could just tell you what the password is, but you might want to read the whole blog. http://bit.ly/4JJMCu]

Back in April, I blogged about an article in that month's Virus Bulletin by Mario Ballano Barcena and Alfredo Pesoli about the first serious attempt to create a Mac botnet. The issue containing that article, by the way, is now available on the Virus Bulletin web site at http://www.virusbtn.com/pdf/magazine/2009/200904.pdf: you have to register with the web site to access it, but registration is free.

Rather more recently, I've blogged several times on threats aimed at users of jailbroken iPhones: the latest was posted at http://www.eset.com/threat-center/blog/2009/11/13/when-is-a-worm-not-a-worm. And now there's a worrying convergence.

Over the weekend, I've been seeing reports from several sources of further malware that potentially affects users in the Netherlands, Hungary, Portugal, Brazil and elsewhere. Chester Wisniewski's blog indicates that a wider spread of ISPs is targeted than previously (UPC in the Netherlands and T-Mobile, as well as Optus in Australia, which has already been targeted several times, and unnamed Hungarian and Portuguese providers), and that jailbroken iPod Touch devices are also vulnerable.

The new worm doesn't seem to be particularly widespread, which isn't surprising, given that the subset of vulnerable device owners should already have shrunk significantly, with jailbroken device users either restoring Apple firmware through iTunes, i.e. "unjailbreaking", or at least changing the default passwords. (By "vulnerable" we mean iPhones that are not only jailbroken but also have SSH installed and still have the default password.) However, http://www.security.nl/artikel/31542 does suggest a lot of activity on the T-Mobile network.

What is both interesting and disquieting, though, is that it has botnet functionality: if it's able to infect, it connects to a Command and Control (C&C) box in Lithuania with the current IP address 92.61.38.16 (that can change!) to upload data and receive instructions from the C&C server. It also changes the default password, so if you find yourself in possession of a compromised device, your best bet is to restore the firmware. In addition, it seems to be looking for banking authentication data (mTANs – see http://en.wikipedia.org/wiki/Transaction_authentication_number).
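The paragraph above gives one network indicator (the C&C address 92.61.38.16, with the caveat that it can change). As an added example, not code from the post, here is the kind of check a network defender could run over outbound connection logs to find devices that contacted that address; the log format (a simple key=value firewall-style line) and every log line are constructed for the example, and the source addresses and the second destination 198.51.100.7 are placeholders rather than real traffic.

```python
import ipaddress
import re

# Indicator taken from the post: the C&C address reported at the time.
# Kept as a set because the post itself warns the address can change.
CNC_INDICATORS = {ipaddress.ip_address("92.61.38.16")}

# Constructed sample log in a made-up key=value firewall format (not real
# captured traffic). One line is deliberately malformed to show it is skipped.
SAMPLE_LOG = """\
2009-11-22T10:01:05Z action=allow proto=tcp src=10.0.0.12 dst=92.61.38.16 dport=80
2009-11-22T10:01:09Z action=allow proto=tcp src=10.0.0.15 dst=198.51.100.7 dport=443
2009-11-22T10:02:41Z action=allow proto=tcp src=10.0.0.12 dst=92.61.38.16 dport=80
2009-11-22T10:03:00Z action=allow proto=tcp src=10.0.0.7 dst=92.61.38.16 dport=8080
2009-11-22T10:03:30Z action=deny proto=tcp src=10.0.0.9 dst=92.61.38.16 dport=80
this line is garbage and must not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for anything malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def find_cnc_contacts(log_text: str, indicators=CNC_INDICATORS) -> dict:
    """Group every connection to an indicator address by source host.

    Denied attempts are counted too: a device that keeps trying to reach the
    C&C even when the firewall blocks it is still a triage candidate.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in indicators:
            continue
        src = str(rec["src"])
        h = hits.setdefault(
            src, {"count": 0, "allowed": 0, "first": rec["ts"], "last": rec["ts"], "dports": set()}
        )
        h["count"] += 1
        h["allowed"] += rec["action"] == "allow"
        h["last"] = rec["ts"]
        h["dports"].add(rec["dport"])
    return hits


def likely_infected(hits: dict) -> list:
    """Hosts that completed at least one allowed connection to the indicator."""
    return sorted(src for src, h in hits.items() if h["allowed"] > 0)


if __name__ == "__main__":
    contacts = find_cnc_contacts(SAMPLE_LOG)
    for src, h in sorted(contacts.items()):
        print(f"{src}: {h['count']} attempt(s), {h['allowed']} allowed, "
              f"ports {sorted(h['dports'])}, {h['first']} .. {h['last']}")
    print("restore firmware on:", likely_infected(contacts))
```

On the constructed log this reports two hosts that actually reached the address and one whose attempt was blocked, which is the split an incident responder wants: the first group matches the post's advice (restore the firmware, since the malware has changed the device's password), and the blocked host still deserves a look because something on it tried.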

Irrespective of how widespread the threat really is, it should be taken seriously. This has gone way beyond pranks with rickrolling and wallpaper, and even incidental damage such as the draining of an infected device's battery due to network activity. The scope of this particular vulnerability is limited, but by no means exhausted: there is already a lot of source code out there that can be adapted for further threats. However, the recent and rapid escalation from pranks to worm to hacker tool to bot is an indicator of serious attention from fraudsters and other criminals. Neither Apple nor its fans can afford to be complacent about the supposed superiority of Apple products in terms of safety and security: Big Brother's criminal counterpart is out there scanning for vulnerabilities.

What we're seeing now is less the unarguable difference between safe and unsafe platforms, than a difference in volume. And that merits serious attention.

Hat tip to Chester Wisniewski and Mikko Hypponen for making available some of the information here.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Also blogging at:
http://blog.isc2.org/
http://avien.net/blog
http://blogs.securiteam.com
http://dharley.wordpress.com/

When is a worm not a worm?


Friday, November 13th, 2009

Will No-One Rid Me Of This Turbulent Hacker Tool? (http://en.wikipedia.org/wiki/Thomas_Becket)

I was kind of hoping to have moved on from the iPhone data stealing hacker tool by now. While I do think it's a significant development (see http://www.eset.com/threat-center/blog/2009/11/12/iphone-hack-tool-a-postscript), there comes a point where the sheer volume of discussion of the subject gives it more importance than it really deserves.

However, I can't help but notice that there have been frequent references, based on both the Intego post and on my blogs, to a virus or a worm. Well, of course, I'm fully aware that many people talk about viruses when they mean all sorts of other malware, and if I'm not exactly resigned to it, I don't usually spend much time complaining about it.

In this case, however, it actually matters. The source code I have in front of me has no replicative code, so it's not a virus and it's not a worm. It isn't even a Trojan: if you run this code, you're not in any doubt as to what it does. It announces itself quite clearly as a program for stealing data, and keeps you informed as to what data it's trying to steal and whether it succeeds.

It is, in fact, a (very) basic tool that could be used by a badhat, in much the same way that he might use a sniffer or password cracker: it would require modification just to scan a different network.

I don't know if Intego are looking at exactly the same code. The article by Peter James suggests functionality that isn't present in the script I have, but he may just be indicating functions that the script could have in addition to those already present. Intego have confirmed to me, though, that what they have is a hacker tool with no self-replicating code.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/