iPhone worm “iKee”
Name: Worm iKee
Location: Sydney, Australia
Discovered: November 6, 2009 – Friday at 12:15 pm by sierralpha @ whirlpool forum
Worm iKee targets jailbroken iPhones and takes advantage of SSH service that uses default password to allow remote user logins.
From an interview by JD, the author explains:
As for users that are infected, there are two common denominator – They all have hacked iPhones
(known to the hacking community as “JailBroken”, and they all use an SSH Daemon, allowing users
to connect to their phone’s remotely, and attempt to login.
Worm Propagation Method: SSH service using default password
Users that have already “JailBroken” their iPhones, should immediately change the root account password, even if they have not installed an SSH Daemon.
– iKee overwrites Cydia files with its working code
“Cydia is a replacement packaging and repository manager for the original Installer.app for the iPhone or iPod touch”
– Changes iPhone owners’ wallpaper and replaces it with a photo that is known from a cross platform joke “RICKROLL” (I remember, I captured a video and uploaded in YouTube) “Never Gonna Give You Up” by Rick Astley.
– Deletes SSH Daemon
– It scan pre-defined IP addresses to infect and spread to another vulnerable iPhone user (All
IP addresses belong to 3G customers in Australia and are hardcoded in the worm by SANS diary)
Image source: forums.whirlpool.net.au “iKee changes infected iPhone user’s wallpaper”
How to remove iKee:
The author explained (from JD’s interview) that there are 4 variants of this worm, and here’s how to remove them:
Variants A-C store files in these directories, so you have to remove them (may use rm in terminal)
Then, reboot the phone and change your password and re-install SSH.
For variant D, remove the following files in these directories:
Remember to change your root password!
Follow this instruction.