Updated: Symantec uncovers a new worm targeting jailbroken iPhones. Unlike the Ikee worm that appeared earlier in November, this worm can be used to steal data.
Researchers at Symantec
have uncovered another worm aimed at jailbroken
Like the well-publicized Ikee
the recently discovered malware targets jailbroken iPhones running
SSH (Secure Shell) and using the default password of "alpine."
However, unlike Ikee, which merely changed victims' iPhone backgrounds to a
picture of 1980s pop singer Rick Astley, this worm can reportedly steal data
and allow an attacker to take control of the smartphone.
"Unlike the first iPhone worm, this one appears to cover a much broader
range of IP addresses, including UPC in the
Netherlands, Optus in Australia, possibly a Hungarian and a Portuguese
provider, T-Mobile and potentially many others," blogged
Symantec researcher John McDonald.
"And although this particular
incarnation seems to be very similar in functionality to the hack tool we
blogged about, this one supposedly runs and spreads directly from an infected
iPhone, not from a computer."
has been discouraged by Apple, but has evolved into a well-known
practice over the years for people wanting to install third-party applications
not approved by Apple. Security researchers have long warned that those doing
so and running SSH should take care to change the default
to avoid the possibility of a compromise.
A number of high-profile
in November have helped bring that point home. The first
came courtesy of a Dutch teenager who tried to make use of the default password
issue to take control of users' phones and hold them for ransom. Shortly after
that came the Ikee worm, which was then followed by the release
of an attack tool
that could be used to steal data off of the
According to Mac security company Intego,
the new worm starts by searching
its local network, as well as a number of IP address ranges, for vulnerable
devices. Once it is active on an iPhone, the worm changes the root password for
the device in order to prevent users from later changing the password
themselves. It then connects to a server in Lithuania
from which it downloads new files and data. It also sends data swiped from the
iPhone to the server.
"The worm sends both network information about the iPhone and SMSes [Short
Message Service] to the remote server ... [and] also gives each infected iPhone
a unique identifier ... to be able to reconnect easily to any iPhones on which
valuable information is found, but also to ensure that only infected iPhones
can connect to the server," Intego stated in an advisory Nov. 23. "Finally,
it changes an entry in the iPhones/etc/hosts file for a Dutch bank Website, to
lead Dutch users who connect to this bank site to a bogus site, [presumably] to
harvest user names and passwords."
Symantec detects the worm as iPhoneOS.Ikee.B; Intego as iPhone/iBotnet.A on
iPhones it can scan from Macs with its Intego VirusBarrier X5 software
installed. Users can also remove the malware by wiping the device and restoring
it via iTunes.
"After all the fuss caused by the previous incidents it's hard to believe
anyone would have left their jailbroken iPhone in a vulnerable state, but if
you think your iPhone (or iPod Touch) may have been compromised, or if you have
jailbroken your device and are worried about it, we recommend that you back up
your data, then restore your
device to its factory settings
and where applicable apply the latest
firmware update from Apple," McDonald wrote. "We also highly
recommend you never leave a password blank, or as the factory default."
Editor's Note: This
story was updated to include information from Intego.