Yet another worm has appeared that targets jailbroken iPhones and iPod touch devices, using the same default password vulnerability in SSH remote login software to crawl its way into the devices. However, unlike the two previous worms exploiting the vulnerability, this worm protets itself by replacing the vulnerable SSH software, has the capability to steal sensitive data, and can update itself via a botnet-like command-and-control architecture to add new malevolent features.
As with previous iPhone/iPod touch worms, the only devices potentially vulnerable are those that have been “jailbroken” to use unapproved applications or to operate on mobile carriers other than Apple’s selected iPhone partners. The worm exploits a vulnerability in the default rool password used for the SSH remote login software; users who have jailbroken their devices can protect themselves by changing their default SSH root passwords. Users who have not jailbroken their devices are not vulnerable.
According to security firm Sophos,the new worm uses an architecture like a typical PC botnet, enabling the worm’s creators to gather data and send updates to infected devices. The worm “configures two startup scripts, one to execute the worm on boot-up, and the other to create a connection to a Lithuanian server (HTTP) to upload stolen data and cede control to the bot master.” The worm assigns each infected device a unique ID number, potentially enabling the worm’s creators to target compromised devices individually.
The worm also changes the default root password on the iPhone or iPod touch, making it impossible for users to retake control of their devices without reinstalling Apple’s default firmware. The worm currently targets IP ranges belonging to Dutch and Australian ISPs, as well as T-Mobile. One impact of the worm is that it seriously depletes battery life in infected devices because the worm produces so much network traffic. The worm may also be related to so-called Banker Trojans: it appears to look for two-factor authentication requests from banking systems that send one-time passwords to mobile users via SMS.