Australian iPhone users have this weekend been on the receiving
end of the first in-the-wild virus for Apple's cult mobile phone.
The iPhone virus, called "Ikee", changes the phone's background
picture to 1980s singer Rick Astley, and then goes looking for
other iPhones on the network to infect.
A message contained in the photograph of Rick Astley says: "ikee
is never going to give you up".
The Ikee worm spreads using SSH on jailbroken iPhones. The SSH
software isn't installed by default by Apple, so merely
jailbreaking your iPhone doesn't make you vulnerable. But if you do
install SSH, without changing Apple's default root password
("alpine"), you are woefully insecure.
Early indications are that the Ikee virus was written by a
21-year-old from Wollongong in New South Wales who has recently
tweeted that he's "kinda...worried about legal implications."
"If he did write and set loose this virus on the network,
he probably ought to be worried, since breaking into other people's
computers isn't acceptable - even if they have chosen (or, in this
case, Apple has chosen on their behalf) an effectively useless
password," says Paul
Ducklin, Sophos's Head of Technology, Asia Pacific.
Fortunately, the Ikee virus is not explicitly destructive, and -
unlike the vast majority of modern malware - doesn't seem to have
been written as a vehicle for ongoing cybercriminality. Indeed, it
seems that, after infecting your iPhone, the virus turns SSH off,
thus protecting the device against further attacks of this
Infection seems to be confined to Australia at the moment,
though there are unconfirmed reports of Ikee in Thailand and
This is unsurprising, since the latest variant of the worm
greatly favours attacking Australian mobile phone networks. It
targets phones throughout several large IP ranges apparently
belonging to Vodafone Australia, Optus and Telstra, attacking just
one randomly-generated IP address outside these ranges every time
it spreads. Since the source code of Ikee is available, however,
this could easily change in future variants.
Note also that a Dutch hacker recently used the same approach -
logging in to jailbroken phones via the known SSH password - to
inject a message
asking for 5 Euros to tell you how to secure your iPhone
against further attacks.
"If you have a jailbroken iPhone, change your SSH passwords
now," urges Ducklin. "If you don't have a jailbroken iPhone, you
probably also ought to change those passwords, since it makes no
sense to have poor passwords pre-configured for any operating
system service, whether it runs by default or not. Ironically, it
seems that Apple don't want you to do that - just the sort of
operational restriction which led to jailbreaking in the first
Learn more about the iPhone worm attack
Further information about the ikee worm that has infected
iPhones is available on
Graham Cluley's blog.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.