Sophos Finds New Malicious Bot-Creating iPhone Worm

A number of iPhone worms have been released recently, all targeted at jailbroken iPhones. On Saturday, Sophos reported on a new worm that is a lot more malicious than these earlier attempts.

Of the ones we reported on recently, the first was a little on the lame side, although it forced you to restore your iPhone if you didn't want to pay a 5 euro "blackmail fee." The second was just plain silly, more proof-of-concept than anything: all it did was "rickroll" your iPhone. A third worm uploaded your iPhone's data to a remote site, and that one is along the same lines as this new one.

The reason these worms only attack jailbroken iPhones is that if you jailbreak your device, install an SSH server, and do not change the password, anyone who can reach the phone over the network can log in as root. This is because the default root (superuser, or SU) password is the well-known "alpine." To become infected, an iPhone has to satisfy all three of the following conditions:
  • The iPhone must be jailbroken
  • An SSH server must be installed and running
  • The root password has not been changed from the default "alpine"
It's not that hard to change the password, though it does take a few steps (more on that below). The new worm turns your iPhone into a bot, much as a traditional PC worm would. It also creates two startup scripts: one executes the worm when the iPhone boots, the other opens a connection to a Lithuanian server to upload stolen data. Additionally, the worm changes the root password from the default "alpine" to "ohshit"; had the user changed it himself beforehand, the worm could never have logged in and this whole mess would have been prevented. The easy way to remove the malware from your iPhone is to restore the Apple factory firmware using iTunes.

People jailbreak their iPhones to get access to features and functionality that Apple won't allow in the App Store. By doing so, however, they open this security hole, which is easily closed by following these steps to change the root (SU) password:
  1. Install the MobileTerminal package from Cydia.
  2. Run the app (named Terminal on your iPhone screen).
  3. Type "su root" without the quotes and touch return.
  4. Type the root password "alpine" and hit return. You are now logged in as root.
  5. Type "passwd" and hit return.
  6. Enter your new password. It won't be echoed to the screen, not even as asterisks. Hit return; you will be prompted to re-enter the password.
  7. Enter the new password again; hit return.
  8. Type "exit" and touch return.
Once done, you're safe from this family of worms, but be sure to remember the new root password. It's sad that jailbreaking is necessary to enable useful behavior that Apple deems unworthy (background processing, for example), but nothing's going to change there soon, if ever.
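For anyone who would rather check the three conditions above before (and after) changing the password, here is a small audit script. It is an added example written for this page, not code from Sophos or from any of the worms. It assumes a BSD-style /etc/master.passwd with the password hash in the second field, that Cydia's OpenSSH package registers with launchd under the label com.openssh.sshd, and that the stock jailbroken firmware stores "alpine" as the traditional DES crypt hash "/smx7MYTQIi2M" (the salt is "/s"). It also checks the "mobile" account, which ships with the same default password as root; if you only change root's, SSH logins as mobile still work. One caveat: the check is a hash comparison, so a password that was reset to "alpine" with a fresh salt would slip past it.

```shell
#!/bin/sh
# Audit a jailbroken iPhone for the worm's three preconditions and, if asked,
# walk through changing both default passwords. Added example, not from the
# article. Assumption: BSD master.passwd layout (user:hash:uid:gid:...).

# Assumption: the DES crypt hash of "alpine" (salt "/s") that both root and
# mobile carry on stock jailbroken firmware of this era.
DEFAULT_ALPINE_HASH='/smx7MYTQIi2M'

# Print the password-hash field for user $1 from master.passwd file $2
# (defaults to the real /etc/master.passwd on the handset).
hash_for_user() {
    user=$1
    file=${2:-/etc/master.passwd}
    awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file"
}

# Succeed (exit 0) when the named account still carries the default hash.
has_default_password() {
    [ "$(hash_for_user "$1" "$2")" = "$DEFAULT_ALPINE_HASH" ]
}

# Succeed when sshd is loaded in launchd, i.e. the "SSH enabled" condition.
# Assumption: Cydia's OpenSSH job label is com.openssh.sshd.
sshd_loaded() {
    launchctl list 2>/dev/null | grep -q 'com.openssh.sshd'
}

# Report on root and mobile; return 1 if either still uses "alpine",
# which is exactly the state the worm needs.
audit() {
    file=${1:-/etc/master.passwd}
    rc=0
    for u in root mobile; do
        if has_default_password "$u" "$file"; then
            echo "$u: still using the default password 'alpine'"
            rc=1
        else
            echo "$u: password changed from default"
        fi
    done
    return $rc
}

# Interactive hardening, run as root: passwd prompts twice for each account,
# the same thing steps 5 to 7 above do by hand, plus the mobile account.
harden() {
    for u in root mobile; do
        echo "Setting a new password for $u"
        passwd "$u"
    done
}

# On the handset: `su root`, then `sh audit_ssh.sh --run` (or --harden).
case "${1:-}" in
    --run)
        if sshd_loaded; then
            echo "sshd: loaded, the phone accepts SSH logins"
        else
            echo "sshd: not loaded"
        fi
        audit || echo "ACTION: run this script with --harden now"
        ;;
    --harden)
        harden
        ;;
esac
```

Running it with --run prints one line per account and a line about sshd; a non-zero exit from audit means the worm's credential check would still succeed against this phone.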