Mikko Hyponen, chief research officer at F-Secure, said in a blog post that the new worm, like the first, affects jailbroken iPhones with SSH (secure shell) protocol enabled and unchanged default passwords. The Finnish security company has yet to give a name to the new threat.
Ikee, another threat that was discovered earlier this month, is said to infect vulnerable phones in Australia. When Ikee strikes, it alters the iPhone’s wallpaper to an image of Rick Astley with the message “ikee is never going to give you up”.
“The worm is not widespread, but it is much more serious than the first iPhone worm as it seems to try to steal information from the devices,” Hyponen said about the new worm in the blog post.
Altered password recovered
Paul Ducklin, Sophos’ head of technology for the Asia-Pacific region, in a blog post Monday that the new worm he dubbed “Duh” changes the root password which is hidden from users.
Using a password cracker, Ducklin identified the new password as “ohshit”. Using this password, users of infected phones can log back into their iPhones and remove the virus, he said.
In a follow-up e-mail to ZDNet Asia, Ducklin said users should upon login check for a directory named “/private/var/mobile/home”, which hosts the viral files. Files named “inst”, “cydia.tgz”, “duh”, “sshd” and “syslog” ought be be removed to deactivate the malware, he said.
“Don’t have an ‘ohshit’ moment. Don’t give jailbreaking a bad reputation. Change those passwords now,” he urged. “Duh changes any password which is currently ‘alpine’, not just the root password. So fix any user accounts as well.”
The latest worm, Ducklin pointed out, was “not unexpected” given the chain of events leading up to it. “A Dutch guy hacks into iPhones–using ‘alpine’ [as password]–to ask for 5 euros to explain how to secure your phone. There’s a reaction.
“Two weeks later an Aussie builds on this idea by writing Ikee, a self-replicating attack, in what he blithely claims to have been an experiment gone wrong,” he noted. “And two weeks after that, someone else builds on Ikee with the ‘Duh’ virus–using Ikee’s idea for copying itself to other devices combined with a botnet-based command channel.”