Security Firm Unearths Malicious iPhone Worm

Security firm F-Secure has discovered a malicious worm which recruits jailbroken iPhones for botnets

Security firm F-Secure has unearthed a malicious worm which, like a botnet, allows a web-based command and control centre to remotely take control of iPhones and turn them into zombies. The company has said that the worm is not widespread, but warned that the perpetrators seem to be trying to steal personal information from the devices.

The worm is currently only able to penetrate so-called “jailbroken” iPhones, which have been opened to allow them to be used on any network. It also requires the device to have SSH (secure shell) installed, which lets users connect to their phones remotely, with the default password, “alpine”, left unchanged.

It is thought that the worm is specifically targeting people in the Netherlands who use their iPhones for internet banking with Dutch bank ING. However, F-Secure research director Mikko Hypponen told the BBC that it is capable of jumping from phone to phone among owners using the same Wi-Fi connection.

“It’s the second iPhone worm ever and the first that’s clearly malicious – there’s a clear financial motive behind it,” said Hypponen.


This is only the second ever iPhone worm to be discovered, but it is deemed to be much more serious than the first. The previous one, dubbed Ikee, emerged in early November, when a student in Australia created a worm that put an image of 1980s pop star Rick Astley on jailbroken phones. While the effects of the student’s worm were relatively benign, the source code was published online, allowing other hackers to create more dangerous versions of the worm.

IT security and data protection firm Sophos said that the latest worm, informally called “Duh” or “Ikee.B” by security researchers, hunts for vulnerable iPhones across a wider set of IP ranges than Ikee, which was only ever reported in Australia. “Duh” includes IP ranges in several countries, including The Netherlands, Portugal, Australia, Austria and Hungary.

“This latest iPhone malware is doubly criminal. Not only does it break into your iPhone without permission, but it also cedes control of your phone to a botnet command server in Lithuania,” said Graham Cluley, senior technology consultant at Sophos. “That means your iPhone has just been turned into a zombie, ready to download and to perform any commands the cyber-criminals might want in the future. If infected, you have to consider all of the data that passes through your iPhone compromised.”

SophosLabs researcher Paul Ducklin claims that the worm can break in and change Apple’s default root password, “alpine”, without revealing the new password. “This password-changing represents an additional risk, as it means that cyber-criminals now know what your password is – allowing them to log back into your iPhone later – but you don’t, so you cannot log in and eliminate the virus,” he explained.

Sophos advises all users of jailbroken phones to change their passwords from “alpine” immediately, to avoid further attacks. Meanwhile, ING bank intends to put a warning on the bank’s official website and is briefing its call centre personnel.
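The article describes the worm's footprint precisely enough to write a detection check: it logs in over SSH as root with a password, and it spreads between phones sharing a Wi-Fi network. The script below is an added example, not code from F-Secure, Sophos or the article; it assumes the jailbroken device runs OpenSSH and that its sshd messages are available in the standard syslog format, and the hostname, addresses and timestamps in the sample are constructed for the example.

```python
"""Spot worm-style SSH root logins in sshd log lines.

Added example for the Ikee.B / "Duh" report; not code from F-Secure, Sophos
or the article. Assumes OpenSSH on a jailbroken iPhone logging in the usual
syslog format shown in the constructed sample below.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real captures). The hostname "iphone",
# the addresses and the timestamps are invented for this example.
SAMPLE_LOG = """\
Nov 22 10:14:02 iphone sshd[311]: Accepted password for mobile from 10.0.1.7 port 52211 ssh2
Nov 22 10:15:40 iphone sshd[318]: Failed password for root from 192.168.1.23 port 41001 ssh2
Nov 22 10:15:41 iphone sshd[318]: Accepted password for root from 192.168.1.23 port 41001 ssh2
Nov 22 10:15:45 iphone sshd[320]: Accepted password for root from 192.168.1.23 port 41010 ssh2
Nov 22 10:20:03 iphone sshd[325]: Accepted publickey for mobile from 10.0.1.7 port 52300 ssh2
"""

# Matches OpenSSH "Accepted/Failed <method> for <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2009):
    """Yield one dict per sshd authentication line; other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield {"ts": ts, "result": m["result"], "method": m["method"],
               "user": m["user"], "src": ipaddress.ip_address(m["src"])}


def find_suspicious(log_text, year=2009):
    """Return (reason, event) pairs worth an analyst's attention.

    Two rules, both derived from the worm's described behaviour:
      * any successful root login using password authentication;
      * any password login from a private-range address, i.e. a peer on the
        same Wi-Fi network, which is how the worm hops between phones.
    """
    findings = []
    for ev in parse(log_text, year):
        if ev["result"] != "Accepted" or ev["method"] != "password":
            continue
        if ev["user"] == "root":
            findings.append(("root password login", ev))
        elif ev["src"].is_private:
            findings.append(("password login from local-network peer", ev))
    return findings


def sources_by_count(findings):
    """Count flagged events per source address, most active first."""
    return Counter(str(ev["src"]) for _, ev in findings).most_common()


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for reason, ev in hits:
        print(f"{ev['ts']:%b %d %H:%M:%S} {reason}: {ev['user']} from {ev['src']}")
    print(sources_by_count(hits))
```

The root rule is the high-confidence one: a jailbroken phone whose owner never uses SSH should show no root password logins at all. The local-peer rule is deliberately noisy, since the owner's own laptop will trigger it, and is meant to give the analyst the context of where on the network a login came from rather than to raise an alert by itself. The fix remains the one Sophos gives above: change the password away from “alpine” (on jailbroken devices of this era both the root and the mobile accounts shipped with it) with `passwd`, or remove SSH if it is not needed.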