In association with heise online

09 November 2009, 17:04

First iPhone worm features Rick Astley



The worm only affects jailbroken iPhones.
A week ago it was manual attacks on jailbroken iPhones; now a worm that penetrates the phone and spreads using open SSH connections is circulating in the wild. Because all iPhones have the same password for the 'root' and 'mobile' user accounts, installing an SSH server and failing to change these passwords after jailbreaking an iPhone leaves the device wide open, allowing anyone to gain remote administrator access.

According to reports, the 'ikee' worm is largely confined to Australia because it only searches for vulnerable iPhones (via UMTS) within this IP address space. According to analysis of the ikee code by the Internet Storm Center, the IP addresses are hard-coded and belong to Australian network operator Optus. The worm itself is very simple and is written in C.

It appears that the worm does not cause any real damage – after logging into the iPhone, it copies itself onto the device, deletes the SSH service and changes the wallpaper to a photo of Rick Astley with the caption "ikee is never going to give you up (You have been Rickrolled)". It then starts searching for further iPhones to infect.

Because the ikee source code was briefly freely available to download online, ikee variants able to cause real damage or disclose confidential information may well start appearing soon. Protecting jailbroken iPhones from ikee is, however, simple – log into the iPhone (via SSH or using the terminal app) and set new passwords for the root and mobile accounts. Users should bear in mind that firmware upgrades restore the original password.

No figures for the number of infected devices are available, but an IRC chat with ikee's alleged creator revealed that he is surprised at the speed with which ikee has spread via UMTS networks.


(crve)

Permalink: http://h-online.com/-854085
 

