
iPhone worm “iKee”

Name: Worm iKee

Author: ike_x

Location: Sydney, Australia

Discovered: November 6, 2009 (Friday) at 12:15 pm by sierralpha on the Whirlpool forum

Report details: iPhone 3GS 16 GB
iPhone OS 3.1.2 (7D11) on Optus
Jailbroken with blackra1n
Running Cydia, WinterBoard and Installous

Description:

The iKee worm targets jailbroken iPhones that run an SSH daemon with the factory default root password, which lets anyone who can reach the phone over the network log in as root.

From an interview by JD, the author explains:

As for users that are infected, there are two common denominators: they all have hacked iPhones (known to the hacking community as “jailbroken”), and they all use an SSH daemon, allowing users to connect to their phones remotely and attempt to log in.

Worm propagation method: SSH service with the default password

Author recommendation:

Users that have already jailbroken their iPhones should immediately change the root account password, even if they have not installed an SSH daemon.

Worm Behaviour:

– iKee overwrites Cydia files with its working code

“Cydia is a replacement packaging and repository manager for the original Installer.app for the iPhone or iPod touch”

– Changes the iPhone owner’s wallpaper to a photo of Rick Astley, the cross-platform “Rickroll” joke (“Never Gonna Give You Up”) (I remember capturing a video of it and uploading it to YouTube).

– Deletes the SSH daemon

– It scans a pre-defined list of IP addresses to find and infect other vulnerable iPhones (according to the SANS ISC diary, the ranges are hardcoded in the worm and belong to 3G customers in Australia).

Image (ikee-iphone-wallpaper.jpg): “iKee changes infected iPhone user’s wallpaper”. Source: forums.whirlpool.net.au

How to remove iKee:

The author explained (in JD’s interview) that there are four variants of this worm; here is how to remove them:

Variants A–C drop files at the paths below, so remove each of them (for example with rm from a terminal or over SSH):

/bin/poc-bbot

/bin/sshpass

/var/log/youcanbeclosertogod.jpg

/var/mobile/LockBackground.jpg

/System/Library/LaunchDaemons/com.ikey.bbot.plist (the launchd job that restarts the worm after a reboot)

/var/lock/bbot.lock

Then reboot the phone, change your password and reinstall SSH.

For variant D, remove the following files:

/usr/libexec/cydia/startup

/usr/libexec/cydia/startup.so

/usr/libexec/cydia/startup-helper

/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist

Reinstall Cydia.

Remember to change your root password!

Follow this instruction.
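The removal steps above for variants A–C and D, as an added example written for this page (it is not code from the original post, the Whirlpool thread or JD’s interview). It takes an optional root prefix so it can be run against a mounted copy or a scratch directory before touching the live phone; the function names ikee_scan and ikee_remove, the IKEE_ROOT variable and the launchctl unload step are assumptions of this example. Two caveats a practitioner should keep in mind: /var/mobile/LockBackground.jpg is just the replaced wallpaper image, and /bin/sshpass is an ordinary package on desktop Linux, so either of those alone is weak evidence; the other files are the real indicators.

```shell
#!/bin/sh
# Added example, not code from the original post: scan for and remove the
# iKee files listed above. ROOT is a path prefix ("" means the live phone);
# point it at a mounted backup or a scratch directory to test safely.
# ikee_scan, ikee_remove and IKEE_ROOT are names chosen for this example.

# Files dropped by variants A-C (removal list above). The .plist is the
# launchd job that restarts the worm after reboot; sshpass is the helper it
# uses to feed the default password to ssh when attacking other phones.
IKEE_AC_FILES="/bin/poc-bbot
/bin/sshpass
/var/log/youcanbeclosertogod.jpg
/var/mobile/LockBackground.jpg
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/var/lock/bbot.lock"

# Variant D overwrites these Cydia startup files with its own code, so a hit
# here means "delete and reinstall Cydia", not "Cydia itself is the worm".
IKEE_D_FILES="/usr/libexec/cydia/startup
/usr/libexec/cydia/startup.so
/usr/libexec/cydia/startup-helper
/System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist"

# ikee_scan [ROOT]: print "<group> <path>" for every indicator present.
# Returns 0 if anything was found, 1 if the tree looks clean.
ikee_scan() {
    root=${1:-}
    found=1
    for f in $IKEE_AC_FILES; do
        if [ -e "$root$f" ]; then echo "A-C $f"; found=0; fi
    done
    for f in $IKEE_D_FILES; do
        if [ -e "$root$f" ]; then echo "D $f"; found=0; fi
    done
    return $found
}

# ikee_remove [ROOT]: delete every indicator found. On the live phone the
# launchd jobs are unloaded first so nothing respawns before the reboot.
ikee_remove() {
    root=${1:-}
    for f in $IKEE_AC_FILES $IKEE_D_FILES; do
        [ -e "$root$f" ] || continue
        case "$f" in
            /System/Library/LaunchDaemons/*.plist)
                if [ -z "$root" ] && command -v launchctl >/dev/null 2>&1; then
                    launchctl unload "$f" 2>/dev/null || true
                fi ;;
        esac
        rm -f "$root$f" && echo "removed $root$f"
    done
}

# Usage on the phone, as root:  sh ikee.sh scan    then    sh ikee.sh remove
# Set IKEE_ROOT=/path/to/mounted/copy to inspect something other than /.
case "${1:-}" in
    scan)   ikee_scan "${IKEE_ROOT:-}" ;;
    remove) ikee_remove "${IKEE_ROOT:-}" ;;
esac
```

Run it as root on the phone (over SSH or from a terminal app), then finish the steps the post gives: run passwd root and passwd mobile (both accounts ship with the same well-known default password, and the worm logs in as root), reboot, and reinstall OpenSSH (variants A–C) or Cydia (variant D). Changing the password before the reboot matters, because an infected phone on the same carrier range can reinfect you the moment sshd is back.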

  1. KC
    November 18, 2009 at 6:19 am

    What should I do if it shows a write protect when I try to delete those files?

  2. jQ
    November 23, 2009 at 4:50 pm

    I have written a comprehensive solution to removing the iKee virus. I have tried it out on my iPhone. So it should work fine for you.

    goto-> junqin1.blogspot.com/2009/11/ikee-iphone-worm.html

  3. darren LIM
    April 6, 2010 at 8:35 am

    How to remove this worm on iPhone 2G?
