New iPhone worm detected that is designed to change the passwords on jailbroken handsets and connect them to a botnet

News by Dan Raywood

A new worm has been detected that hits jailbroken Apple iPhones harder than before.

Sophos claimed that this is the most serious iPhone malware to date, as it turns infected iPhones into zombies and joins them to a botnet. Classified as ‘Duh’ or ‘Ikee.B’, it is designed to upload banking information to a server in Lithuania and to take orders from remote attackers.

Sophos claimed that the worm scans for vulnerable iPhones across a wider set of IP ranges, spanning several countries including the Netherlands, Portugal, Australia, Austria and Hungary, whereas the original Ikee worm was only ever reported in Australia.

The company also claimed that ‘Duh’ changes the root password on an infected iPhone, so that the criminals know it but the owner does not, allowing them to log back into the handset over SSH later.

However, Paul Ducklin, Sophos's head of technology in Asia Pacific, said that using the John the Ripper password cracker he was able to recover the new password, which is 'ohshit'.

Ducklin said: “Unlike Ikee, which maliciously turned off SSH after it had broken in, the ‘Duh’ virus changes the root password but leaves SSH running. So you are close to being able to log in and remove the virus, but no cigar.

“The password is changed by rewriting its hashed value in /etc/master.passwd, not by running the password command with the new password in plaintext. This shields the value of the new password.

“So if you have a jailbroken phone running SSH, which you used to be able to log into as root with the password 'alpine' but which is now inaccessible, try 'ohshit' as your root password. If you get in, you are almost certainly infected with the Duh virus.”
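The check Ducklin describes, as an added example that is not Sophos's code or anything from the worm itself: a small Python script that parses a copy of the handset's /etc/master.passwd, finds the root entry and reports whether its hash is still the factory one for 'alpine', has been rewritten to something that verifies as 'ohshit', or has been rewritten to something unknown. Because the worm rewrites the hash field directly, comparing hashes offline needs no SSH login at all. The factory hash value, the sample file contents and the placeholder replacement hash are assumptions of this example; the standard-library crypt module is used only where Python still ships it.

```python
"""Detect the root-password swap Sophos describes on a jailbroken iPhone.

Added example, not Sophos's tooling. Point it at a copy of the handset's
/etc/master.passwd pulled off the device, or at the constructed samples below.
"""
from typing import Optional

try:
    import crypt  # Unix-only stdlib module; deprecated in 3.11, removed in 3.13
except ImportError:
    crypt = None

# Traditional DES crypt hash of the factory root password 'alpine' as shipped
# in the iPhone OS master.passwd of the time. Treat this value as an assumption.
STOCK_ROOT_HASH = "/smx7MYTQIi2M"

# Passwords worth verifying against a rewritten hash: the factory default and
# the one Sophos recovered from Ikee.B/'Duh' with John the Ripper.
CANDIDATES = ("alpine", "ohshit")


def root_hash(master_passwd: str) -> Optional[str]:
    """Return the password field of the root entry in BSD master.passwd text.

    Field layout: name:password:uid:gid:class:change:expire:gecos:home:shell
    """
    for line in master_passwd.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] == "root" and len(fields) >= 2:
            return fields[1]
    return None


def classify(master_passwd: str) -> str:
    """Classify the root entry of a master.passwd file.

    'stock-alpine'     hash is the factory one: the default password is still set
    'matches:<word>'   hash was rewritten but verifies against a known candidate
    'changed-unknown'  hash was rewritten to something this script cannot verify
    'no-root-entry'    the file has no root line at all
    """
    h = root_hash(master_passwd)
    if h is None:
        return "no-root-entry"
    if h == STOCK_ROOT_HASH:
        return "stock-alpine"
    if crypt is not None:
        for word in CANDIDATES:
            # crypt() takes the salt from the stored hash, so this works
            # whatever salt the worm chose when it rewrote the field.
            if crypt.crypt(word, h) == h:
                return f"matches:{word}"
    return "changed-unknown"


# Constructed samples (not captured from a real device).
SAMPLE_STOCK = (
    "##\n# User Database\n##\n"
    "nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false\n"
    f"root:{STOCK_ROOT_HASH}:0:0::0:0:System Administrator:/var/root:/bin/sh\n"
)
# Same file after the root hash has been overwritten with a placeholder value.
SAMPLE_REWRITTEN = SAMPLE_STOCK.replace(
    f"root:{STOCK_ROOT_HASH}:", "root:xyNOTalpine1.:"
)

if __name__ == "__main__":
    for name, text in (("stock", SAMPLE_STOCK), ("rewritten", SAMPLE_REWRITTEN)):
        print(f"{name:10s} -> {classify(text)}")
```

A 'stock-alpine' result means the phone is still exposed to every worm in this family, since they all walk in with the default password; a 'matches:ohshit' result is the same infection signal Ducklin describes, obtained without needing SSH to be reachable. Anything reported as 'changed-unknown' should be handed to a proper cracker such as John the Ripper, exactly as Sophos did.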

Graham Cluley, senior technology consultant at Sophos, said: “This latest iPhone malware is doubly criminal. Not only does it break into your iPhone without permission, but it also cedes control of your phone to a botnet command server in Lithuania.

“That means your iPhone has just been turned into a zombie, ready to download and to perform any commands the cybercriminals might want in the future. If infected, you have to consider all of the data that passes through your iPhone as compromised.”

David Harley, director of malware intelligence at ESET, said: “Irrespective of how widespread the threat really is, it should be taken seriously. This has gone way beyond pranks with rickrolling and wallpaper, and even incidental damage such as the draining of an infected device's battery due to network activity.

“The scope of this particular vulnerability is limited, but by no means exhausted: there is already a lot of source code out there that can be adapted for further threats. However, the recent and rapid escalation from pranks to worm to hacker tool to bot is an indicator of serious attention from fraudsters and other criminals.

“Neither Apple nor its fans can afford to be complacent about the supposed superiority of Apple products in terms of safety and security: Big Brother's criminal counterpart is out there scanning for vulnerabilities. What we're seeing now is less the unarguable difference between safe and unsafe platforms, than a difference in volume. And that merits serious attention.”

