back to article First malicious iPhone worm slithers into wild

A Dutch internet service provider has identified a worm that installs a backdoor on jailbroken iPhones and makes them part of a botnet. The worm, according to XS4ALL, targets jailbroken iPhones whose owners have carelessly failed to change the default password. In addition to connecting to a Lithuanian master command channel, …

COMMENTS

This topic is closed for new posts.
  1. Chas
    Jobs Halo

    Dumb is as dumb does

    Interesting that hackers are targetting jailbroken Jesus Phones. Now you see the reason why Apple put such barriers against such activity. Mind you, no other smartphone warrants such attention.

    Unfortunately, there's no legislation against blatant stupidity!

    =:~)

  2. Anonymous Coward
    Jobs Horns

    Conspiracy theory ?

    Hmm just jail broken phones eh, does make you wonder the origin of this little piece of malware.

  3. Jeremy Chappell
    FAIL

    Shock headline...

    ... Boring story. If you jail broke your iPhone, by opening 'ssh' and you didn't change the default password, well you pretty much disabled ALL the security. So something like this was bound to happen...

    If you've only used your iPhone as directed by Apple, or used any common sense at all (and changed the default password) then you're safe.

    Of course, that doesn't make such an interesting headline does it?

    We expect better El Reg, this isn't fsckin' CNet!

  4. Anonymous Coward
    Paris Hilton

    LOL

    Heh, I was wondering how much time would it take for somebody to exploit this again, maliciously. I'm still amazed at how stupid people are. Enable ssh on a device which is owned by like 20 million people, connected almost non-stop to the internet, and leave the default root password?

    Paris Hilton, she has a comparable intelligence to all those who got the worm.

  5. criscros
    Dead Vulture

    Come on, El Reg

    You need to get a pic of the apple logo with a worm in it!! ;)

  6. J 3
    Headmaster

    people who are smart and energetic enough

    "people who are smart and energetic enough"

    Well... sorta, I suspect. Maybe "people who google 'how to jailbreak iphone' and then blindly follow a recipe with barely a clue what they are doing" might be a more apt description.

    Or maybe they all just have bad memory and/or short attention span.

  7. Dan Wilkinson
    Grenade

    Fixed that for you...

    "First Malicious iPhone Worm Slithers Into iPhones That Have Been Jailbroken Against The EULA, Had SSH Downloaded And Installed And Left Running With Default Root Password By People Who Couldn't Find Their Ass With Both Hands And Therefore Deserve What They Get"

    Honestly, if you don't understand the security implications of installing a remote access daemon on your phone/server/fridge, namely that if you can get in then others can at least try also, then you really just plain shouldn't. It's not even like you need to any more anyway, most apps are available on Rock/Cydia etc, at least enough for your average "home user" jailbreaker.

    If you are still using SSH, hell even if you just know that you *can* log in to your phone via SSH, then surely you *must* understand about password files etc also?!

    Fools!

  8. Dana W
    Jobs Halo

    Well Duh.

    Don't break your iPhone and maybe it wont be broken.

    Funny, our unbroken iPhones are as secure as ever.

    Pebkac. Problem exists between keyboard and chair.

  9. Anonymous Coward
    FAIL

    Ah the fatal error...

    "One would think people who are smart and energetic enough to jailbreak a smartphone would know about the perils of SSH and default root passwords, but the success of these worms suggests otherwise."

    book knowledge >< wisdom

  10. Anonymous Coward
    Anonymous Coward

    Botnets

    Need a Botnet... there's an app for that.

  11. Anonymous Coward
    Jobs Horns

    Alternatively,

    What the Apple fans above also fail to mention is that those who freed their iphones AND either turned off SSH or changed the password ARE just as immune to this worm as those who didn't jail break their iphones.

    And there is a simple fix for the idiots who do get infected:

    - reset to official Apple firmware (removing the worm and relocking the handset)

    - re-jailbreak the handset and then change the password and / or turn off SSH.

    Honestly jail breaking an iPhone doesn't make it less secure, it's the forgetting to change the default password that makes it insecure.

    Personally I don't own an iPhone and unless Apple loosens their restrictions on the platform, I never will (I prefer devices that are open by design).

  12. Dr. Vesselin Bontchev
    Boffin

    Some remarks.

    1) Hackers aren't "targeting jailbroken Jesus Phones". It's just that only jailbroken phones will run programs (including malware) not approved by Apple - and Apple isn't going to approve malware, at least not knowingly.

    2) Yes, most people are idiots.

    3) Change your password, eh? How long before a worm appears that tries to crack it by using a list of common passwords, like the Morris Worm did, oh, some 30 years ago?

  13. Anonymous Coward
    Anonymous Coward

    Nelson Muntz

    Ha Ha!

  14. Anonymous Coward
    Anonymous Coward

    What?

    Why install a server when all you really needed was a client to pull a file down from somewhere else?

  15. Keith Oldham
    Linux

    Password

    I too wouldn't want an iphone but SSH is very useful - use a reasonably long, awkward password and a worm will take all eternity.

  16. Andy 70
    Happy

    not wishing to inflict bot-netness on anyone,

    but

    *smug mode*

  17. Anonymous Coward
    Stop

    @Dan Wilkinson

    "First Malicious iPhone Worm Slithers Into iPhones That Have Been Jailbroken Against The EULA"

    Oh noes, I went against my EULA, a capital crime I'm sure. Your point is valid (i.e. dumbasses get owned), but bringing the EULA into it? And shirley the article was already pointing towards dumbasses being the root cause.

  18. Winkypop Silver badge
    Thumb Up

    @ Andy 70

    Yes indeed Sir

    *Smug mode*

  19. Anton Ivanov
    Flame

    Re: Some remarks.

    The worms that try to crack SSH using passwords as well as worms that do it using a combination of passwords and DNS exploits (attack during the reverse lookup on the source address) are already there.

    I will be surprised if some of them do not have support for the iPhone. In fact, I bet they do and have had it long before the latest "specialised" PR stunts. After all, going after iphones only makes very little sense. Capturing them along with badly configured unix boxes is a completely different story.

  20. Anonymous Coward
    Paris Hilton

    @Dr. Vesselin Bontchev

    "3) Change your password, eh? How long before a worm appears that tries to crack it by using a list of common passwords, like the Morris Worm did, oh, some 30 years ago?"

    Yes, brilliant. We should disregard all passwords as they can be cracked easily. May as well switch off your encryption, remove all user passwords from your online banking etc with that logic.

  21. John Wilson

    Morris Worm

    @Dr. Vesselin Bontchev

    The Morris worm didn't crack passwords. It exploited a buffer overrun.

  22. Keith Oldham
    Linux

    Password 2

    Should have mentioned earlier that apart from long, awkward password or other creditation NOT allowing root access by SSH and only allowing an single unusual user account name for SSH are good ideas, esp. not allowing root.

  23. Ludd
    Terminator

    Moderately Surprised

    ...to note that the BBC news site coverage (hidden away in the Technology section) also publishes the default password. I think it quite a gentle way to force the issue personally...

  24. tiggertaebo
    Coat

    Seems some people really don't learn

    In a Shock of the Day(TM) it would appear that the hard of thinking who didn't realise not changing the default password was a Bad Thing still didn't spot it after they had it demonstatred to them by the Rickrolling guy. In other news night is dark and snow is cold.

  25. Scott 19
    Jobs Horns

    Hang-on hang on

    I got my Commentard crib sheet round here someone, oh there it is :-

    your stupoid cause you use :-

    Windoze [ ] A Mac [ ] Chrome [ ] Linux [ ]

    I' better than you cause i use :-

    Windoze [ ] A Mac [ ] Chrome [ ] Linux [ ]

    I'm smugger than you cause i Own [ ]/Don't own [X] a Jesus phone

    I'm smugger than you cause i Own a PS3 [ ]/ xBox [ ]

    This is the best [ ]/ worst [ ] BOFH ever.

    El Reg is going down hill [ ]/ use to be good[ ] but i'm never going to read it again as what is the IT Angel [ ]/ useless reporter saying [ ] in this article

    It Monday and i hate the world and will vent this in the comments [ ]/ Friday and i'm off down the pub [ ]

    I'm just plain better than you [ ]

  26. NogginTheNog
    FAIL

    Experts or pirates?

    "One would think people who are smart and energetic enough to jailbreak a smartphone would know about the perils of SSH and default root passwords, but the success of these worms suggests otherwise."

    From my limited experience observing friends and colleagues with iPhones, jailbreaking isn't being done by skilled techies trying to regain control, but by semi-techical freeloaders looking to install freebie and cracked apps.

    Don't forget the USP of all Apple tech is that it sells to the non-technical because it just works so intuitively...

  27. The BigYin
    Flame

    Simple answer

    Apple should just give the networks a utility to detect jailbroken phones and then to ban them from their networks. Why do people need to run jailbroken phones anyway? For "backup" games or something?

    People think that once they buy something it's theirs. MS is leading the way in showing that this is not the case. Apple should simply copy MS. Again*.

    *Just to annoy the fanbois. :-P

  28. B 9

    @Scott 19

    Did you copyright that because I'd like to borrow it for personal use? Not the whole thing really, just the last line. I love the brevity of it.

  29. Anonymous Coward
    FAIL

    It is interesting

    I will be keen to see the response from Apple. Let's compare this to Windows (which Apple always plays up the lack of security). If you had an illegal key for Win XP you could still get security updates from Windows Update. Then things got at least partially re-secured with one of the Service Packs when some of the keys that had been widely distributed in Asia were locked down.

    Apple have done a pretty irritating thing in locking down the iPhone in the first place. Remember that this wasn't done for any reason other than revenue. Having a relationship with only 1 provider in each country allowed them to increase kick-back income from the network operator, and increased the initial cost (due to lack of competition). Anyone who claims that it was done for security reasons is talking crap. But what it has done is create a strong pressure to jail-break your phone. It is estimated that about 9% of people jail-break an iPhone. That is a pretty significant percentage.

    In my view, the next update has to do something about this, but it will probably mean that people have to find a new way to jail-break the phone.

  30. steogede

    @Anton Ivanov

    I with Anton on this, this is almost certainly the same worm(s) which any *nix admins will see filling up their logs (if they haven't take then necessary precautions). Strikes me as a little odd that anyone who doesn't know about basic SSH security precautions would bother installing SSH on their iPhone (I don't think it is installed as part of the breakout). For those that don't know, here are some sensible precautions for running SSH (on any system):

    1. Don't use default, obvious or easily cracked passwords - in fact, wherever practical, use keys and disable password authentication.

    2. Disable root access - even better, disable access for all users except those you specifically need to allow.

    3. Don't allow SSH access for default or obvious usernames (e.g. root, apache, john).

    4. Don't run SSH on the default port.

    5. I can't think of any reason why you would need to run SSH on the default port, but if you do then looking into Fail2Ban or DenyHosts (I can't think of anything like this that would work on an iPhone).

    6. Don't run SSH when you aren't using it. There is little point running SSH all the time on an iPhone as you need to have the screen unlocked for it to work - so unless you have it set to be permanently unlocked, you will generally have it to hand when you need to use SSH and can started and stopped as necessary.

    I reckon that there is about as much chance of this being a dedicated iPhone worm as there of a current SSH work not including the default usernames and password for the iPhone (i.e. none). IMHO Jailbreaking an iPhone is about as much of a security risk as installing Linux on a computer - the biggest difference being that malware on an iPhone has access to your phone and could run up a massive bill - but that is an ever present risk with a mobile phone and could easily prevented if O2 and other providers provided means to limit your account (e.g. maximum spend of £20 a day/£50 a week/£100 a month would suffice for most - it would also have helped those early 3G Internet users who got bills of for £1000 or more for the first month before they realised how outrageously expensive it is).

    1. James R Grinter

      Why would they run SSHd...

      when they don't know what it is? Simple - because their "mate" does the jail-breaking for them, and thinks they know what they're doing (but, as can be seen from the evidence, generally doesn't.)

  31. J 3
    Grenade

    @Simple answer

    "Why do people need to run jailbroken phones anyway?"

    What about syncing the phone (or iPod Touch) using a platform that does not run iTunes, or whatever it is? That's the reason I don't have a Touch yet. I can't use it with Linux without some crazy incantations (the old nano still works perfectly too), and even that depends on having the right firmware. I don't want to risk that much money on a device that I might not be able to use.

  32. Anonymous Coward
    Joke

    First malicious worm?

    You mean the Rick Astley one wasn't?

This topic is closed for new posts.