First iPhone worm spreading in the wild, Sophos reports

November 08, 2009 Sophos Press Release

Australian iPhone users have this weekend been on the receiving end of the first in-the-wild virus for Apple's cult mobile phone. The iPhone virus, called "Ikee", changes the phone's background picture to 1980s singer Rick Astley, and then goes looking for other iPhones on the network to infect.

A message contained in the photograph of Rick Astley says: "ikee is never going to give you up".

Wallpaper of Rick Astley displayed by the ikee iPhone worm

The Ikee worm spreads using SSH on jailbroken iPhones. The SSH software isn't installed by default by Apple, so merely jailbreaking your iPhone doesn't make you vulnerable. But if you do install SSH, without changing Apple's default root password ("alpine"), you are woefully insecure.

Early indications are that the Ikee virus was written by a 21-year-old from Wollongong in New South Wales who has recently tweeted that he's "kinda...worried about legal implications."

"If he did write and set loose this virus on the network, he probably ought to be worried, since breaking into other people's computers isn't acceptable - even if they have chosen (or, in this case, Apple has chosen on their behalf) an effectively useless password," says Paul Ducklin, Sophos's Head of Technology, Asia Pacific.

Fortunately, the Ikee virus is not explicitly destructive, and - unlike the vast majority of modern malware - doesn't seem to have been written as a vehicle for ongoing cybercriminality. Indeed, it seems that, after infecting your iPhone, the virus turns SSH off, thus protecting the device against further attacks of this sort.

Infection seems to be confined to Australia at the moment, though there are unconfirmed reports of Ikee in Thailand and Japan.

This is unsurprising, since the latest variant of the worm greatly favours attacking Australian mobile phone networks. It targets phones throughout several large IP ranges apparently belonging to Vodafone Australia, Optus and Telstra, attacking just one randomly generated IP address outside these ranges every time it spreads. Since the source code of Ikee is available, however, this could easily change in future variants.

Note also that a Dutch hacker recently used the same approach - logging in to jailbroken phones via the known SSH password - to inject a message asking for 5 Euros to tell you how to secure your iPhone against further attacks.

"If you have a jailbroken iPhone, change your SSH passwords now," urges Ducklin. "If you don't have a jailbroken iPhone, you probably also ought to change those passwords, since it makes no sense to have poor passwords pre-configured for any operating system service, whether it runs by default or not. Ironically, it seems that Apple don't want you to do that - just the sort of operational restriction which led to jailbreaking in the first place."

Learn more about the iPhone worm attack

Further information about the ikee worm that has infected iPhones is available on Graham Cluley's blog.