Duh Worm Attacks Jailbroken iPhones, Turns them into Zombies
Why would you want to jailbreak an iPhone? Well, for those of you that do not know this, jailbreaking the iPhone is a process that allows you to bypass Apple’s official distribution mechanism and run unofficial code on the device. Basically, you can run apps on the iPhone that Apple does not support. Which is good.
Why wouldn’t you want to jailbreak an iPhone? Well, it’s not because Apple really, really doesn’t want you to do it. You may not want to jailbreak the iPhone for security reasons. According to Principal Analyst with Independent Security Evaluators, Charlie Miller, “if you care about security, don’t use a Jailbroken iPhone.” I will admit that jailbreaking is a great way to use the iPhone’s full potential, but at the same time you remove all the security protections Apple built into the device. Which is bad.
Charlie Miller’s words came true earlier this month when a hacker managed to break into some jailbroken iPhones in the Netherlands. The hacker used port scanning to identify jailbroken iPhones with SSH (the Secure Shell network protocol) running on the T-Mobile Netherlands network; then the hacker changed the iPhone’s wallpaper to an image that said:
“Important Warning
Your iPhone’s been hacked because it’s really insecure! Please visit doiop.com/iHacked and secure your iPhone right now!
Right now, I can access all your files. This message won’t disappear until your iPhone’s secure.”
Three weeks have passed and Charlie Miller’s words have once again come true. Sophos, a company that specializes in antivirus, anti-spam, spyware removal, network and internet security, data protection and computer security products, has announced that a worm targeting jailbroken iPhones has been spotted in the Netherlands. The worst part about this worm (which has been named Duh, after a section of its code) is that it turns the iPhone into a zombie.
For those of you not up-to-date with the IT lingo, a zombie is a computer (or in this case a mobile device) that has been infected by a virus or has been compromised by a Trojan or by a hacker. Put a bunch of zombies together and you have a botnet, a network of computers (or mobile devices) that can be used for various malicious actions.
"This latest iPhone malware is doubly criminal. Not only does it break into your iPhone without permission, but it also cedes control of your phone to a botnet command server in Lithuania. That means your iPhone has just been turned into a zombie, ready to download and to perform any commands the cybercriminals might want in the future. If infected, you have to consider all of the data that passes through your iPhone compromised," explained Sophos’ Senior Technology Consultant, Graham Cluley.
But wait, it gets worse. It turns out that the Duh iPhone worm changes the password on infected iPhones. The default root password for the iPhone is “alpine”. The fact that anyone knows this is not a problem for regular iPhone users. But it is a problem for the users who have jailbroken the device, installed SSH to allow remote access and did not change the default root password. The Duh worm will break in and change the password to “ohshit”.
“The password is changed by rewriting its hashed value in /etc/master.passwd, not by running the passwd command with the new password in plaintext. This shields the value of the new password, so that the cybercrooks know what it is, but you don't. If you have a jailbroken phone running SSH, which you used to be able to log into as root with the password 'alpine' but which is now inaccessible, try 'ohshit' as your root password. If you get in, you are almost certainly infected with the Duh virus,” explained Head of Technology with Sophos Asia Pacific, Paul Ducklin.
And we end with a recap of all the data we have so far on the Duh iPhone worm:
- It is not the first iPhone worm to be spotted (the first one would be Ikee), but it is based on it. The Ikee worm was used as a template by the people with malicious intent who came up with Duh.
- The Ikee worm was only spotted in Australia, where it hunted for vulnerable IPs. The Duh worm includes IP ranges from the Netherlands, Portugal, Australia, Austria and Hungary.
- The Duh iPhone worm seems to be designed to upload banking information to a server in Lithuania. But it can upload any kind of stolen data to that server.
- It will change the iPhone’s root password (from alpine to ohshit).
- It turns your iPhone into a zombie.
- When you connect to WiFi, the worm drains the iPhone's battery because it generates a lot of traffic.
- Each infected iPhone is assigned a unique ID. This way the people with malicious intent behind the worm can easily access it in the future.
- For mobile operators: the worm uses the 92.61.38.16 IP address for C&C.
- If you are infected, the only thing you can do is restore the iPhone to the Apple factory firmware using iTunes.
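The recap above gives a network operator two things to look for: traffic to the C&C address 92.61.38.16, and an infected handset fanning out SSH connection attempts to many other addresses as it hunts for more devices with the default root password (the behaviour behind the battery-drain symptom). The script below is an added example, not code from the article or from Sophos; it scans constructed firewall-style flow log lines for both indicators. The log line format, the sample addresses and the fan-out threshold of 5 distinct SSH destinations are assumptions made for the example.

```python
"""Flag hosts that contact the reported Duh C&C address or that fan out
SSH connection attempts to many distinct destinations (worm propagation).
Added example; log format and sample data are constructed."""
import re
from collections import defaultdict

CNC_IP = "92.61.38.16"        # C&C address reported in the article
SSH_FANOUT_THRESHOLD = 5      # assumed tuning value for "many" SSH targets

# Constructed flow-log format: "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)

# Constructed sample: 10.0.0.7 behaves like an infected handset (C&C contact
# plus SSH fan-out); 10.0.0.9 is a normal host with one SSH session.
SAMPLE_LOG = """\
2009-11-22T10:00:01 10.0.0.7:49152 -> 92.61.38.16:80 tcp
2009-11-22T10:00:02 10.0.0.7:49153 -> 10.0.1.15:22 tcp
2009-11-22T10:00:02 10.0.0.7:49154 -> 10.0.1.16:22 tcp
2009-11-22T10:00:03 10.0.0.7:49155 -> 10.0.1.17:22 tcp
2009-11-22T10:00:03 10.0.0.7:49156 -> 10.0.1.18:22 tcp
2009-11-22T10:00:04 10.0.0.7:49157 -> 10.0.1.19:22 tcp
2009-11-22T10:00:04 10.0.0.7:49158 -> 10.0.1.20:22 tcp
2009-11-22T10:00:05 10.0.0.9:49200 -> 10.0.1.30:22 tcp
2009-11-22T10:00:06 10.0.0.9:49201 -> 10.0.1.30:22 tcp
2009-11-22T10:00:07 10.0.0.9:49202 -> 93.184.216.34:443 tcp
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one flow-log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines):
    """Return the hosts that talked to the C&C address and the hosts whose
    count of distinct SSH (tcp/22) destinations reaches the fan-out threshold."""
    cnc_contacts = set()
    ssh_targets = defaultdict(set)   # src ip -> set of distinct tcp/22 destinations
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                 # skip unparseable lines rather than crash
        if rec["dst"] == CNC_IP:
            cnc_contacts.add(rec["src"])
        elif rec["src"] == CNC_IP:
            cnc_contacts.add(rec["dst"])
        if rec["proto"] == "tcp" and rec["dport"] == 22:
            ssh_targets[rec["src"]].add(rec["dst"])
    ssh_scanners = {
        src: len(targets)
        for src, targets in ssh_targets.items()
        if len(targets) >= SSH_FANOUT_THRESHOLD
    }
    return {"cnc_contacts": cnc_contacts, "ssh_scanners": ssh_scanners}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for host in sorted(result["cnc_contacts"]):
        print(f"C&C contact: {host} -> {CNC_IP}")
    for host, n in sorted(result["ssh_scanners"].items()):
        print(f"SSH fan-out: {host} tried {n} distinct tcp/22 destinations")
```

Both indicators are cheap to check on a carrier or campus network and neither requires access to the handset; a hit on the first is a strong signal on its own, while a hit on the second is what to expect from any device the worm has already taken over. A restore to factory firmware through iTunes, as the recap says, is still the remediation step.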
Update 11.24.2009: Sophos's Head of Technology, Asia Pacific, Paul Ducklin has posted information on how to remove the Duh iPhone worm here.
Tags: Apple, iPhone, Jailbreak, Worm, Sophos