Second iPhone Worm Targets Personal Data

A new incident of malware attacking jailbroken iPhones is the most malicious yet, targeting mobile banking and capable of hijacking the device for use in a botnet and stealing personal data, according to several security firms.

So far, the iPhone (and iPod Touch) worm is isolated to jailbroken iPhones in the Netherlands, though it’s much nastier than its predecessor that surfaced a few weeks ago, and it has the ability to spread more widely, security firms Sophos and Intego have reported.

Jailbreaking is the practice in which device owners hack their iPhones or iPod Touches to enable them to run applications not approved by Apple, a method that the company obviously does not recommend due to the security and performance issues that may result.

“This new malware, that Intego calls iBotnetA, is by far the most sophisticated iPhone malware yet. It is not only a worm, capable of spreading across a network, but also hijacks iPhones or iPod touches for use in a botnet,” Intego researchers wrote in a blog post.

The previous exploit simply changed a jailbroken iPhone’s wallpaper to a picture of pop star Rick Astley, of “Rickrolling” fame, while the new threat allows hackers to steal sensitive information, according to Intego.

“This worm starts by searching its local network, as well as a number of IP address ranges, for available devices to infect. The address ranges it scans include those of ISPs in the Netherlands, Portugal, Hungary, Australia, and if an appropriately unprotected iPhone is found, the worm can copy itself to these devices,” according to the Intego researchers.

Apple downplayed the extent of the attack, and took the occasion to chide its customers who have jailbroken their devices.

“The worm affects only a very specific set of iPhone users who have jailbroken their iPhones and hacked it with unauthorized software,” an Apple spokeswoman said in an e-mail. “As we’ve said before, the vast majority of customers do not jailbreak their iPhones, and for good reason. These hacks not only violate the warranty, they will also cause the iPhone to become unstable and not work reliably.”

Researchers at security firm Sophos joined Intego in warning users about the threat. They noted that the newest worm, which is also called Duh or Ikee.B, “uses command-and-control, like a traditional PC botnet, and configures two startup scripts, one to execute the worm on boot-up, and the other to create a connection to a Lithuanian server to upload stolen data and cede control to the bot master.”

Once installed on an iPhone, the worm changes the root password. “Apple’s default root password — ‘alpine’ — on the iPhone breaks two fundamental rules: it’s both a dictionary word and well-known. This doesn’t matter for most iPhone users, as they haven’t jailbroken their iPhones and installed SSH to allow remote access, but the new worm will break in and immediately change it. This change is made by directly editing the encrypted value of the password in the master password file, so that the new password is never revealed,” Paul Ducklin, head of technology in Sophos Asia Pacific, wrote in a blog post. “This password-changing represents an additional risk, as it means that cyber criminals now know what your password is — allowing them to log back into your iPhone later — but you don’t, so you cannot login and eliminate the virus.”

Once the password is changed, the worm then connects to a server in Lithuania, “from which it downloads new files and data, and to which it sends data recovered from the infected iPhone,” according to Intego. “The worm sends both network information about the iPhone and SMSs to the remote server. It is capable of downloading data, including executables that it uses to run and carry out its actions, as well as new files, providing botnet capabilities to infected devices.”

The attacks can spread fairly quickly on a Wi-Fi connection, according to Sophos, and affected users are likely to notice a significant battery life drain.

“The worm also gives each infected iPhone a unique identifier; to be able to reconnect easily to any iPhones on which valuable information is found, but also to ensure that only infected iPhones can connect to the server. Finally, it changes an entry in the iPhone’s /etc/hosts file for a Dutch bank Web site, to lead Dutch users who connect to this bank site to a bogus site, presumably to harvest user names and passwords,” according to Intego.

For now, the security firms are recommending that those with infected iPhones restore their operating systems with the most recent firmware update.
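The two file changes the researchers describe, a rewritten root password entry in the master password file and a redirected bank entry in /etc/hosts, can be checked on copies of those files taken from a device or backup. The sketch below is an added example, not code from Sophos, Intego or Apple; it assumes the owner recorded the root password field beforehand as a baseline, and the watched domain, IP address and hash strings are constructed placeholders.

```python
import ipaddress

def hosts_overrides(hosts_text, watched):
    """Return (name, ip) for watched names mapped to a non-loopback address."""
    watched = {d.lower().rstrip(".") for d in watched}
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in watched and not ip.is_loopback:
                hits.append((name, str(ip)))
    return hits

def root_hash(passwd_text):
    """Return the password field of the root entry, or None if there is none."""
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[0] == "root":
            return parts[1]
    return None

def audit(hosts_text, passwd_text, baseline_hash, watched):
    """List findings for the two file edits the article attributes to the worm."""
    findings = [f"hosts: {n} redirected to {ip}"
                for n, ip in hosts_overrides(hosts_text, watched)]
    current = root_hash(passwd_text)
    if current is None:
        findings.append("passwd: no root entry")
    elif current != baseline_hash:
        findings.append("passwd: root password field differs from baseline")
    return findings

# Constructed sample data (reserved .example name, documentation IP, fake hashes).
SAMPLE_HOSTS = "##\n127.0.0.1 localhost\n::1 localhost\n203.0.113.45 bank.example\n"
SAMPLE_PASSWD = ("nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false\n"
                 "root:CONSTRUCTED-CHANGED:0:0::0:0:System Administrator:/var/root:/bin/sh\n")

if __name__ == "__main__":
    for f in audit(SAMPLE_HOSTS, SAMPLE_PASSWD, "CONSTRUCTED-BASELINE", ["bank.example"]):
        print(f)
```

A changed root field only shows that the entry was edited; it does not identify what edited it, so either finding is a reason to follow the restore advice above rather than a diagnosis.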

Update adds comments from Apple spokeswoman.
