iPhone virus adds botnet powers

In a similar fashion to the relatively benign ikee virus that was recently released, another iPhone virus is targeting jailbroken Australian devices and builds botnet functionality into it, according to computer security firm, Sophos.

New virus worse than Rick Astley attack
(Credit: Whirlpool ID, Batman)

If your iPhone has been jailbroken, change your passwords now, advised Paul Ducklin, Sophos Australia's chief of technology.

Ducklin said the writers of this virus included a program call "Duh", which added malicious capabilities not present in last month's ikee release.

"'Duh' is the bot component," said Ducklin. "When an iPhone is first infected it uses Duh to call home, which by chance happens to be a server located in Lithuania. It dobs in your IP numbers — Wi-Fi, 3G — and the name of phone and makes a unique identifier which will identify your phone the next time you connect," he said.

The virus would replace Apple's default root log-in password, "Alpine", which was automatically used for the SSH program that was exploited by ikee. SSH is used to set up network communication capabilities on a jailbroken iPhone.

The new password installed by this virus was "ohshit", which can be used to remove the threat of further remote attacks on an infected device. Ducklin said to clean up the device by searching the file "directory/private/var/mobile/home", type in "passwd" to initiate the command, and change the password. "Otherwise the buggers can get back in anytime they want," said Ducklin.

Fellow information security boffin, and the first researcher to analyse a sample of it, F-Secure's Mikko Hypponen, wrote today: "The worm is not widespread, but it is much more serious than the first iPhone worm as it seems to try to steal information from the devices."

Ducklin agreed. It was not widespread because it was only a threat to iPhone users that have a jailbroken iPhone, have installed SSH, and have not changed the root log-in password from Apple's "Alpine" default.

On the other hand, while ikee turned off SSH, which would have prevented further attacks of a similar nature, this virus changed the password, meaning that the controller of the server based in Lithuania could gain access to the device.

"That's why I gave out the password," said Ducklin. "It's more malicious because it installs a bot which checks home for instructions. That site's now down but it has the potential to send a file to delete all files on [an infected] phone."

The latest iPhone virus is the third of its kind in the past two months.