First malicious iPhone worm slithers into wild

A Dutch internet service provider has identified a worm that installs a backdoor on jailbroken iPhones and makes them part of a botnet.

The worm, according to XS4ALL, targets jailbroken iPhones whose owners have carelessly failed to change the default password. In addition to connecting to a Lithuanian master command channel, it also changes the root password for the device, making it harder for owners trying to regain control. Infected iPhones are also tagged with a unique ID number.

"A number of customers with jailbroken phones have been found running unknown software on their phones which is trying to compromise other iPhone users at other telecommunications providers," the XS4ALL advisory stated. "XS4ALL strongly advises caution against jailbreaking if you are not fully aware of the potential risks to your privacy and security."

The worm has the ability to pillage SMS databases, and an analysis by Security.nl (English translation here) has identified a script that looks for mobile transaction authentication numbers used by some banks to perform two-factor authentication with SMS-based systems. (Sophos also has analysis here.)

The worm tries to propagate by scanning a variety of IP ranges, including those used by carriers T-Mobile, UPC in the Netherlands, and Optus in Australia. The worm is especially active when it has access to wi-fi networks. One tip-off that a device has been infected is that battery life is extremely short when connected to 802.11 networks because the worm generates so many connections. The worm is not widespread, F-Secure said Sunday.

The attacks come two weeks after a separate piece of self-replicating code caused iPhones mostly located in Australia to display images of Rick Astley, the schmaltzy 1980s pop singer. The most recent outbreak appears to be the first instance of malicious iPhone malware spreading in the wild.

The worms are able to spread only on iPhones that have been jailbroken, have an SSH-enabled application installed and continue to use the default root password. Once they are identified on a network, the malware is able to connect using the password and install itself. One would think people who are smart and energetic enough to jailbreak a smartphone would know about the perils of SSH and default root passwords, but the success of these worms suggests otherwise.

According to F-Secure Chief Research Officer Mikko Hypponen, the command and control channel used by the worm is 92.61.38.16. Admins who find this IP address being accessed have good reason to believe they may have a problem. Infected iPhones should be reset to the factory firmware using Apple's iTunes.

Of course, iPhones that are reset will no longer be jailbroken, but that's certainly a better alternative than being part of a botnet. ®