Monday, November 9, 2009

New Australian iPhone Worm

Yesterday, a newly discovered iPhone worm was found in the wild. The worm targets jailbroken iPhones, primarily affecting Australian 3G customers.

In this post I will sum up the worm's operation and provide links on its removal, its source code and further reading.

Initially, the worm scans Australian 3G IP address ranges (hardcoded into the source) on the Vodafone, Optus and Telstra networks. It spreads between 'jailbroken' iPhones that have installed SSH through the Cydia application.

The worm spreads through the use of default SSH credentials. If the default SSH root password (alpine) has not been changed, the worm connects to port 22 and copies itself onto the phone. It then kills the SSH service (to stop someone else compromising the phone) and changes the background image to Rick Astley. Finally, the worm looks for other devices to infect.
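As an added example (not code from this post, from the worm, or from the removal guide linked below), here is a small check a defender could run over an sshd log from a phone or a logging gateway to spot the behaviour just described: a root login by password, sshd being terminated shortly afterwards, and sources repeatedly failing the root password. The log lines are constructed for illustration, not captured from a real device.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample OpenSSH log lines showing the sequence described above:
# a failed then accepted root password login, followed by sshd being killed.
SAMPLE_LOG = """\
Nov  8 14:02:11 iPhone sshd[214]: Failed password for root from 203.0.113.7 port 50321 ssh2
Nov  8 14:02:13 iPhone sshd[216]: Accepted password for root from 203.0.113.7 port 50322 ssh2
Nov  8 14:02:20 iPhone sshd[101]: Received signal 15; terminating.
Nov  8 14:05:02 iPhone sshd[230]: Accepted publickey for mobile from 198.51.100.4 port 41000 ssh2
"""

# Syslog-style prefix written by sshd: timestamp, host, process, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# OpenSSH authentication result lines.
AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")


def parse_ts(ts, year=2009):
    """Syslog timestamps carry no year; the year is an assumption supplied by the caller."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def analyse(log_text, window=60):
    """Return indicators matching the worm's behaviour: root password logins,
    an sshd termination within `window` seconds of one, and sources with
    repeated failed root attempts (a scan for the default password)."""
    root_logins, kills, failed = [], [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        a = AUTH_RE.match(msg)
        if a and a["user"] == "root":
            if a["result"] == "Accepted" and a["method"] == "password":
                root_logins.append((ts, a["src"]))
            elif a["result"] == "Failed":
                failed[a["src"]] += 1
        elif msg.startswith("Received signal 15"):  # sshd told to terminate
            kills.append(ts)
    kill_after_login = any(
        0 <= (k - t).total_seconds() <= window for t, _ in root_logins for k in kills)
    return {
        "root_password_logins": [(t.isoformat(), s) for t, s in root_logins],
        "sshd_killed_after_root_login": kill_after_login,
        "failed_root_sources": dict(failed),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A root password login followed within a minute by sshd terminating is the combination worth alerting on; a lone failed root attempt from a 3G address is weak on its own but, across many phones, shows the scan in progress.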

Whilst the worm is currently frivolous in its operation, it doesn't take much imagination to realise the potential for something more malicious built on the same mechanism.

So now people will be asking the question: why am I posting the source code? The reason is twofold. I think it's important not only to get the code out into the public so people can understand and identify the risk it poses, but also so they can effectively defend against it should more malicious versions of the code become available.

Source Code
Removal of the Worm
Interview with ikee, the worm's author

More details about the worm:
http://isc.sans.org/diary.html?storyid=7549
http://mashable.com/2009/11/08/first-iphone-worm/
First identification (author involved)