
Archive for November 9, 2009

iPhone worm “iKee”

Name: Worm iKee

Author: ike_x

Location: Sydney, Australia

Discovered: November 6, 2009 – Friday at 12:15 pm by sierralpha @ whirlpool forum

Report details: iPhone 3GS 16GB
OS 3.1.2 (7D11) on Optus
Jailbroken with blackra1n
Running Cydia, WinterBoard and Installous

Description:

Worm iKee targets jailbroken iPhones and takes advantage of the SSH service, which accepts the default root password for remote user logins.

From an interview by JD, the author explains:

As for users that are infected, there are two common denominators: they all have hacked iPhones (known to the hacking community as “JailBroken”), and they all use an SSH Daemon, allowing users to connect to their phones remotely and attempt to log in.

Worm Propagation Method: SSH service using the default password

Author recommendation:

Users that have already “JailBroken” their iPhones should immediately change the root account password, even if they have not installed an SSH Daemon.

Worm Behaviour:

- iKee overwrites Cydia files with its own working code

“Cydia is a replacement packaging and repository manager for the original Installer.app for the iPhone or iPod touch”

- Changes the iPhone owner’s wallpaper, replacing it with a photo known from the cross-platform “RICKROLL” joke (I remember capturing a video of it and uploading it to YouTube): “Never Gonna Give You Up” by Rick Astley.

- Deletes the SSH Daemon

- It scans a pre-defined list of IP addresses to infect and spread to other vulnerable iPhone users (according to the SANS diary, all of the IP addresses belong to 3G customers in Australia and are hardcoded in the worm)

[Image: “iKee changes infected iPhone user’s wallpaper”. Source: forums.whirlpool.net.au]

How to remove iKee:

The author explained (in JD’s interview) that there are 4 variants of this worm; here is how to remove them:

Variants A-C store files at the following paths, so you have to remove them (for example with rm in a terminal):

/bin/poc-bbot

/bin/sshpass

/var/log/youcanbeclosertogod.jpg

/var/mobile/LockBackground.jpg

/System/Library/LaunchDaemons/com.ikey.bbot.plis

/var/lock/bbot.lock

Then reboot the phone, change your root password and re-install SSH.

For variant D, remove the following files:

/usr/libexec/cydia/startup

/usr/libexec/cydia/startup.so

/usr/libexec/cydia/startup-helper

/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist

Reinstall Cydia.

Remember to change your root password!
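The removal steps above, as an added example that is not code from the original post or from the worm’s author: a small POSIX sh helper that scans a filesystem tree for the artifact paths listed for variants A-C and D, counts them, removes the ones it finds, and prints the follow-up steps (reboot, new root password, reinstall SSH or Cydia) that a script cannot do for you. The function names and the ROOT-prefix convention are my own assumptions; the paths are copied exactly as the post lists them, so the scan can be dry-run against a mounted backup or a test tree before being run as root on the phone with ROOT set to /.

```shell
#!/bin/sh
# Added example (not the post's or the worm author's code): scan a tree for the
# iKee artifact paths listed in the post and remove the ones present.
# ROOT is a prefix ("/" on the phone itself, a backup mount or temp dir when
# dry-running); function names and the prefix convention are assumptions.

ikee_paths_ac() {
  # Variants A-C (spelling of the last plist path kept as listed in the post)
  printf '%s\n' \
    /bin/poc-bbot \
    /bin/sshpass \
    /var/log/youcanbeclosertogod.jpg \
    /var/mobile/LockBackground.jpg \
    /System/Library/LaunchDaemons/com.ikey.bbot.plis \
    /var/lock/bbot.lock
}

ikee_paths_d() {
  # Variant D (files planted under the Cydia startup hooks)
  printf '%s\n' \
    /usr/libexec/cydia/startup \
    /usr/libexec/cydia/startup.so \
    /usr/libexec/cydia/startup-helper \
    /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
}

# ikee_found ROOT: print each listed artifact that exists under ROOT.
ikee_found() {
  root=${1%/}           # "/" becomes "" so "$root$p" stays an absolute path
  for p in $(ikee_paths_ac) $(ikee_paths_d); do
    if [ -e "$root$p" ]; then
      printf '%s\n' "$root$p"
    fi
  done
  return 0
}

# ikee_count ROOT: number of listed artifacts present under ROOT (0 = clean).
ikee_count() {
  ikee_found "$1" | wc -l | tr -d ' '
}

# ikee_remove ROOT: delete every artifact found under ROOT, then remind the
# operator of the manual steps from the post.
ikee_remove() {
  root=${1%/}
  ikee_found "$root" | while IFS= read -r f; do
    rm -f -- "$f" && printf 'removed: %s\n' "$f"
  done
  echo "next: reboot, run 'passwd root', then reinstall SSH (variants A-C) or Cydia (variant D)"
  return 0
}

# Constructed demo (not a real infection): a few of the listed paths are
# created under a temporary directory, counted, removed and counted again.
ikee_demo() {
  t=$(mktemp -d)
  mkdir -p "$t/bin" "$t/var/lock" "$t/usr/libexec/cydia"
  touch "$t/bin/poc-bbot" "$t/var/lock/bbot.lock" "$t/usr/libexec/cydia/startup.so"
  echo "artifacts before: $(ikee_count "$t")"   # 3
  ikee_remove "$t"
  echo "artifacts after:  $(ikee_count "$t")"   # 0
  rm -rf "$t"
}

ikee_demo
```

A count of 0 from ikee_count only means none of the paths the post names are present; a device that was reachable over SSH with the default password should still get a new root password and a reinstalled SSH daemon or Cydia as the post describes, since the list covers the four variants the author described at the time and nothing else.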

Follow these instructions.
