Is Apple behind these worms? They have been going after everyone and everything they think infringes on them.

I would not put it past Steve Jobs to have a small team that writes these worms.

No, Apple is not behind the worms, for at least three reasons:

1. If it would surface that Apple is writing malicious software, that would be really bad for them, and illegal, too.

2. The media and a lot of people won't be saying that it only affects jailbroken phones, so what many people will think is that "iPhones can have viruses", which would obviously hurt iPhone sales.

3. People who jailbroke their phones STILL bought the iPhone and paid for the hardware at least, and I cannot imagine a company trying to hack into their own customers' bank accounts.
 
I very much doubt Apple are writing worms.

However, you take that risk when you decide to jailbreak an iPhone. So I don't feel sorry for anyone affected!! Or (infected)

:cool:
 
so the worm is pretty serious. here's description of what it does from Intego

(again, only affects jailbroken/ssh/default password)

This worm starts by searching its local network, as well as a number of IP address ranges, for available devices to infect. The address ranges it scans include those of ISPs in the Netherlands, Portugal, Hungary, Australia, and if an appropriately unprotected iPhone is found, the worm can copy itself to these devices.

When active on an iPhone, the iBotnet worm changes the root password for the device (from “alpine” to “ohshit”), in order to prevent users from later changing that password themselves. It then connects to a server in Lithuania, from which it downloads new files and data, and to which it sends data recovered from the infected iPhone. The worm sends both network information about the iPhone and SMSs to the remote server. It is capable of downloading data, including executables that it uses to run and carry out its actions, as well as new files, providing botnet capabilities to infected devices. (A botnet is a network of infected computers or devices that can be controlled by hackers to attack other computers, serve malware, send spam, serve pages or images, and much more.)

The worm also gives each infected iPhone a unique identifier; this to be able to reconnect easily to any iPhones on which valuable information is found, but also to ensure that only infected iPhones can connect to the server. Finally, it changes an entry in the iPhone's /etc/hosts file for a Dutch bank web site, to lead Dutch users who connect to this bank site to a bogus site, presumably to harvest user names and passwords.
 
Is Apple behind these worms? They have been going after everyone and everything they think infringes on them.

I would not put it past Steve Jobs to have a small team that writes these worms.

That would be corporate suicide. Anyone at Apple who just suggested it would be fired on the spot. You may not put it past Steve Jobs, but that kind of thing would be at about 12 on a scale of stupidity going from 0 to 10. As a company with 30 billion dollars in the bank that ING could sue you for, you don't even think about that kind of thing.
 
But why does Apple continue to prevent non-jailbroken iPhones from uploading custom SMS/Email tones, having wallpaper behind the home screen, changing icons etc.? That would go a long way to stopping people considering Jailbreaking.

For this very reason?
Having access to the file system opens up a device to all sorts of problems from a security point of view.
It shouldn't be a problem in my eyes though, a major company like Apple should have the man power to combat this kind of thing. Why can't they just treat it like another OSX release, terminal comes as standard on that!
 
so the worm is pretty serious. here's description of what it does from Intego

(again, only affects jailbroken/ssh/default password)

This worm starts by searching its local network, as well as a number of IP address ranges, for available devices to infect. The address ranges it scans include those of ISPs in the Netherlands, Portugal, Hungary, Australia, and if an appropriately unprotected iPhone is found, the worm can copy itself to these devices.

When active on an iPhone, the iBotnet worm changes the root password for the device (from “alpine” to “ohshit”), in order to prevent users from later changing that password themselves. It then connects to a server in Lithuania, from which it downloads new files and data, and to which it sends data recovered from the infected iPhone. The worm sends both network information about the iPhone and SMSs to the remote server. It is capable of downloading data, including executables that it uses to run and carry out its actions, as well as new files, providing botnet capabilities to infected devices. (A botnet is a network of infected computers or devices that can be controlled by hackers to attack other computers, serve malware, send spam, serve pages or images, and much more.)

The worm also gives each infected iPhone a unique identifier; this to be able to reconnect easily to any iPhones on which valuable information is found, but also to ensure that only infected iPhones can connect to the server. Finally, it changes an entry in the iPhone's /etc/hosts file for a Dutch bank web site, to lead Dutch users who connect to this bank site to a bogus site, presumably to harvest user names and passwords.

That's kinda scary. But if Apple & the police can identify the server the information goes to & who owns it, should be fairly easy to shut this thing down. However, how already infected iPhones can be repaired, I don't know.
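The /etc/hosts change described in the Intego write-up is one thing an owner can check for directly. The script below is an added example, not part of the thread or of Intego's report: it lists every hosts-file entry that maps an ordinary hostname to an address. It assumes a clean hosts file only names `localhost` and `broadcasthost`; the sample file, `bank.example` and `203.0.113.45` are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag hosts-file entries that redirect ordinary hostnames.
# Assumption: a clean file only contains localhost/broadcasthost entries.

# Print "address hostname" for every entry that maps a non-local name.
suspicious_hosts() {
    awk '
        { sub(/#.*/, "") }        # strip comments (also re-splits the fields)
        NF < 2 { next }           # blank line or address without a name
        {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == "localhost" || name == "broadcasthost") continue
                print $1, name    # anything else is worth a manual look
            }
        }
    ' "$1"
}

# Number of flagged entries in the given hosts file.
count_suspicious() {
    suspicious_hosts "$1" | wc -l | tr -d ' '
}

# Write a constructed sample hosts file to the given path (for testing).
make_sample() {
    cat > "$1" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
203.0.113.45    bank.example www.bank.example   # constructed redirect
EOF
}

# Usage: sh check_hosts.sh /etc/hosts
if [ "$#" -gt 0 ]; then
    suspicious_hosts "$1"
fi
```

An empty result only means the hosts file looks untouched; it says nothing about the other changes the worm is described as making.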
 
For those of us with jailbroken iPhones, I think the most important point is:

  1. how do you establish whether or not you have SSH installed?
  2. how do you change the default password?

Many applications install other services whilst installing themselves - I'm not 100% sure I've not had SSH downloaded by another application.

Apple's advice regarding Jailbreaking seems very prohibition-era... I see no way that Jailbreaking a phone could possibly kill the device, as they suggest... ("irreparable damage"...)
 
Why is this even big news..? You Jailbreak, you remove your protection, you be stupid and not change the root password when you install SSH, you get infected.

Should I expect to see big headlines, "new STD's affect men who don't wear condoms" to start popping up everywhere?

Come on.. this is nothing..
 
I have been running a jailbroken iPhone since September 2007 and never had any issues. There, I just invalidated everything written in that copy/pasta you posted.

YOU didn't.

Apple can't take that kind of risk. That "useless corporate talk" is necessary.

Especially in light of this, quoted above by Arn:

This worm starts by searching its local network, as well as a number of IP address ranges, for available devices to infect. The address ranges it scans include those of ISPs in the Netherlands, Portugal, Hungary, Australia, and if an appropriately unprotected iPhone is found, the worm can copy itself to these devices.

When active on an iPhone, the iBotnet worm changes the root password for the device (from “alpine” to “ohshit”), in order to prevent users from later changing that password themselves. It then connects to a server in Lithuania, from which it downloads new files and data, and to which it sends data recovered from the infected iPhone. The worm sends both network information about the iPhone and SMSs to the remote server. It is capable of downloading data, including executables that it uses to run and carry out its actions, as well as new files, providing botnet capabilities to infected devices. (A botnet is a network of infected computers or devices that can be controlled by hackers to attack other computers, serve malware, send spam, serve pages or images, and much more.)

The worm also gives each infected iPhone a unique identifier; this to be able to reconnect easily to any iPhones on which valuable information is found, but also to ensure that only infected iPhones can connect to the server. Finally, it changes an entry in the iPhone's /etc/hosts file for a Dutch bank web site, to lead Dutch users who connect to this bank site to a bogus site, presumably to harvest user names and passwords.


I can't believe you dismissed Apple's security warning (which is nothing but a beneficial public service and certainly expected) as "useless." :confused:

When it comes to your data and (potentially) compromised security re banks, Apple's support page about jailbreaking should resonate with everyone.
 
I have been running a jailbroken iPhone since September 2007 and never had any issues. There, I just invalidated everything written in that copy/pasta you posted.

As much as I hate the FUD thrown up by the anti-Jailbreakers, it is possible to have all that stuff happen on a jailbroken phone because you can install buggy, stupid software if you want. It isn't installed by default though.

It's the same reason why Windows is said to be so unstable. All this unnecessary buggy third party software that people install. Windows on its own is pretty damn stable, has been for years, unless you install stupid buggy software.
 
Yeah, but the jailbroken iPhones are open as opposed to the default locked down Apple iPhone. Take the bad with the good.

Funny how this article argues for a more open iPhone like Android, and also wishes for a more controlled Android platform, like the iPhone.

Security, Features, Openness. Pick any two.
 
Wow, I always knew there are lots of hackers in Holland. I wonder how many people in Holland have iPhone - jailbroken and bank at ING. The hackers are very selective.
 
And clearly another reason to stick with the crappy AT&T service with my iPhone. I wish Sprint or Verizon would get the iPhone, but don't see that happening. Glad I have no need to Jailbreak.
 
Does this really count?

If it relies on people installing SSH and not changing the default password?

I'll be more nervous when malware with some real penetrating power shows up...

NO it doesn't count. Same exploit as before.

The word has been put out to change the passwords, not just here but on every iPhone/iPod site I frequent.

The jailbreak community has stood up on their podiums for all to hear, for those that don't listen or want to take the time to understand the risks of jailbreaking will fall victim to these simple exploits.

*****LTD your post was, well, inspiring :rolleyes:
 
I have been running a jailbroken iPhone since September 2007 and never had any issues. There, I just invalidated everything written in that copy/pasta you posted.

This sounds like an insulted little kid...

Let me write the relevant paragraph for you again:

"Compromised security: Security compromises have been introduced by these modifications that could allow hackers to steal personal information, damage the device, attack the wireless network, or introduce malware or viruses."

Doesn't that EXACTLY describe what is happening with these SSH worms? People who don't know what they are doing are doing it regardless and end up with a compromised phone.
If you EXACTLY know what you're doing, you're perfectly fine. Apple just warns people, nothing else.
 
once again the 'impartial' BBC leans towards sensational headlines...

SECOND only jailbroken IPHONE WORM IS MORE SERIOUS!
 
Well, it's entirely the user's fault for not changing the root password for SSH.

It's like setting up a machine with no firewall and setting up SSH to be usable directly by root, with the root password as 'root.' Who would do that? Only a fool. :)
 
Simple fix: IF jailbreak THEN change passwords

On iPhone open Cydia, Icy or Rock, and download MobileTerminal. Open MobileTerminal and enter the following commands (without the quotes and followed by a return).
'login root'
'alpine'
'passwd'
'my_new_root_password' (new password, 2x)
'login mobile'
'dottie'
'passwd'
'dottie' (old password)
'my_new_password' (new password, 2x)
Done (don't forget the new passwords ;-).

It's obvious jailbreak software should incorporate obligatory password change, but users must still be aware that more freedom comes with greater responsibilities.
 
I bank with ING. The reason hackers are targeting this bank specifically is because they send TAN (Transaction authentication number) codes (necessary to approve a transaction when on-line banking) to your phone by SMS.

Other banks usually do this with a TAN-code calculator you receive when you open an account. Or sometimes with a paper list, if they are really old fashioned.

So hackers can read your TAN-code, if you're hacked. But they still have to know your username and password to enter. I guess that's what the fake app is for. Wow.
 
Someone should make a benevolent worm that takes over your device long enough to warn you to change your SSH password.

Edit:
Can anyone tell me how to install SSH and change the password?

Sorry, I only know how to do the first... ;)
 
so the worm is pretty serious. here's description of what it does from Intego

(again, only affects jailbroken/ssh/default password)

Quote:
This worm starts by searching its local network, as well as a number of IP address ranges, for available devices to infect. The address ranges it scans include those of ISPs in the Netherlands, Portugal, Hungary, Australia, and if an appropriately unprotected iPhone is found, the worm can copy itself to these devices.

When active on an iPhone, the iBotnet worm changes the root password for the device (from “alpine” to “ohshit”), in order to prevent users from later changing that password themselves. It then connects to a server in Lithuania, from which it downloads new files and data, and to which it sends data recovered from the infected iPhone. The worm sends both network information about the iPhone and SMSs to the remote server. It is capable of downloading data, including executables that it uses to run and carry out its actions, as well as new files, providing botnet capabilities to infected devices. (A botnet is a network of infected computers or devices that can be controlled by hackers to attack other computers, serve malware, send spam, serve pages or images, and much more.)

The worm also gives each infected iPhone a unique identifier; this to be able to reconnect easily to any iPhones on which valuable information is found, but also to ensure that only infected iPhones can connect to the server. Finally, it changes an entry in the iPhone's /etc/hosts file for a Dutch bank web site, to lead Dutch users who connect to this bank site to a bogus site, presumably to harvest user names and passwords.

I had to chuckle at the password change. Very appropriate.
 