Almost two weeks after owners of jailbroken iPhones had to deal with the ikee worm and the information-stealing malware discovered by Intego, another attack is making the rounds, according to a Dutch ISP.
New attack aimed at jailbroken iPhones. Image: Apple.
“For the past few days XS4ALL has seen what we believe is possibly a new version of the iPhone worms which have been in the news. A number of customers with jailbroken phones have been found running unknown software on their phones, which is trying to compromise other iPhone users at other telecommunications providers. We're working with as many customers as possible to determine the exact malware responsible…,” a statement from XS4ALL said on Wednesday.
“XS4ALL strongly advises caution against jailbreaking if you are not fully aware of the potential risks to your privacy and security. If you decide to do it anyway, make sure that you follow the instructions on the Internet about how to change the default password.”
This new attack, like the previous ones, targets iPhones that are jailbroken and still use the default password of “alpine”. The newest attack is bad, far worse than any of the others. However, the real issue isn’t the malicious code. No, the real issue is that despite all the news coverage of the previous attacks, and the warnings and advice from those who create jailbreaking software, people are still using the default password. How many attacks will it take before this practice changes?
The worm discovered by XS4ALL starts by hunting down iPhones with the default password in use. Once a connection is made, two startup scripts are installed: one runs the worm on boot, and the other connects to a Lithuanian server so that the worm can upload stolen data and take commands. According to research performed by both the ISP and security firm Sophos, the Lithuanian server is acting like a traditional botnet C&C.
In addition to spreading itself and connecting to a C&C, the worm takes care of the default password problem by changing the SSH password itself, essentially locking the owner out of the backend controls on the phone. Moreover, each infected device is assigned a unique ID number for possible tracking, and it appears that the worm is looking for mTANs, the two-factor authentication codes delivered by SMS, such as those used by banks.
“This worm attacks IP ranges from a larger range of ISPs, including UPC (Netherlands), Optus (Australia), and T-Mobile (Many). When an infected device is hooked up to a WiFi connection, the worm can spread more quickly to more IP addresses than on a typical 3G connection. One symptom noted by security.nl is that battery life is very, very short when the device is connected to WiFi, because the worm is generating so much network activity,” wrote Chester Wisniewski of Sophos in a blog post.
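The spreading behaviour described above leaves a network-side footprint that a defender can look for: one device opening SSH connections to many distinct hosts in a short window. The following is an added example with constructed flow records, not code from the article, the ISP or Sophos; the 60-second window and the threshold of 10 distinct destinations are assumptions.

```python
"""Flag sources that fan out SSH connection attempts to many distinct hosts."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed sample flow records (not real traffic): 'timestamp src dst dport'."""
    base = datetime(2009, 11, 22, 10, 0, 0)
    rows = []
    # 10.0.0.5 sweeps 12 distinct hosts on port 22 in 22 seconds: worm-like fan-out.
    for i in range(12):
        rows.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.0.5 203.0.113.{i + 1} 22")
    # 10.0.0.9 reaches 3 SSH servers over 10 minutes: ordinary admin use.
    for i in range(3):
        rows.append(f"{(base + timedelta(minutes=3 * i)).isoformat()} 10.0.0.9 198.51.100.{i + 1} 22")
    # 10.0.0.12 contacts many hosts on 443: web browsing, not SSH, so not flagged.
    for i in range(12):
        rows.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.12 192.0.2.{i + 1} 443")
    return "\n".join(rows)


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, int) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_ssh_scanners(records, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak_distinct_destinations} for sources that contact at least
    `threshold` distinct hosts on port 22 within any sliding `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == 22:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window, left, peak = Counter(), 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[left][0] < ts - window:  # expire events older than the window
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print(find_ssh_scanners(parse_flows(build_sample_flows())))  # {'10.0.0.5': 12}
```

On a home or carrier network the same logic applied to NetFlow or firewall logs surfaces an infected handset long before its owner notices the battery drain the Sophos post describes.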
Both the ISP and Sophos say the recommended way to remove this malware from your iPhone is to restore the Apple factory firmware using iTunes.
If you ignore that advice, then do everyone else a favor: if you’re going to jailbreak your iPhone, please change your password from ‘alpine’ to something else.
All of the mess related to this worm, and the previous two we’ve covered, could have been avoided with a simple password change.