
iPhone worm code suggests mobile botnets may be future risk

Security researchers have analyzed the code and design of recently discovered …

So far, what little malware has been released for the iPhone has only affected the small percentage of folks who jailbreak and leave an SSH daemon running with the default root passwords. While some of these programs have been nothing but harmless pranks, a malicious version that attempted to create an iPhone botnet has been analyzed by researchers, leading them to conclude that mobile phones could quickly become a major target for malware writers.

The worms all started when a Dutch hacker decided to use port scanning to find iPhones with open SSH ports and default root passwords. He wrote a little program that changed the wallpaper so that it looked as though a somewhat official-looking warning box had opened, warning the user about running open SSH ports with default passwords. An Australian hacker then used the same technique to create a worm that was self-replicating.

This version, iKee.A, replaced the wallpaper with a picture of Rick Astley—a sort of graphic rickroll. Then someone modified the iKee.A code to create the malicious iKee.B (aka iPhone/Privacy.A and iBotnet.A). It was initially designed to copy personal data and upload it to a server. However, at one point it was configured to use DNS cache poisoning to redirect ING banking customers to a phishing site and steal logins and passwords.

Analysis by SRI International researchers revealed that though iKee.B was fairly simple and took up very little memory, it was sophisticated enough to check in with a "command & control" (C&C) server every five minutes. When the script (perhaps appropriately named "duh") accessed the server, the server could then push any additional instructions, in the form of a new script, that a hacker wanted the phone to run. Part of its execution also involved periodically scanning for other iPhones either on a WiFi connection or on known carrier IP ranges. When an iPhone was found with SSH running, it would attempt to log in with default root passwords and install itself on the newly discovered vulnerable iPhone.
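The five-minute C&C check-in described above is exactly the kind of behaviour a defender can spot in outbound connection logs, because a script polling a server on a timer produces far more regular inter-arrival times than a human browsing. The following is an added example, not code from the article or from the SRI report: it parses a handful of constructed flow records (timestamp, source, destination, port) and flags source/destination pairs whose connection intervals are nearly constant. The log format, the host addresses and the thresholds (`min_hits`, `max_jitter_ratio`) are all assumptions chosen for illustration.

```python
"""Flag periodic command-and-control beaconing in outbound connection logs.

Added example: the log format below is a constructed, whitespace-separated
"epoch_seconds src_ip dst_ip dst_port" record, not any real product's format.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not captured traffic). 10.0.0.7 contacts
# 203.0.113.5 roughly every 300 seconds, mimicking a fixed check-in timer;
# 10.0.0.8 makes irregular, browsing-like connections.
SAMPLE_LOG = """\
1259350000 10.0.0.7 203.0.113.5 80
1259350017 10.0.0.8 198.51.100.20 443
1259350050 10.0.0.7 198.51.100.20 443
1259350095 10.0.0.8 198.51.100.20 443
1259350301 10.0.0.7 203.0.113.5 80
1259350400 10.0.0.8 198.51.100.20 443
1259350410 10.0.0.8 198.51.100.20 443
1259350600 10.0.0.7 203.0.113.5 80
1259350700 10.0.0.7 198.51.100.20 443
1259350899 10.0.0.7 203.0.113.5 80
1259351200 10.0.0.7 203.0.113.5 80
1259351300 10.0.0.8 198.51.100.20 443
1259351500 10.0.0.7 203.0.113.5 80
"""


def parse_flows(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples.

    Blank or malformed lines are skipped rather than aborting the run, since
    real logs are rarely perfectly clean.
    """
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            flows.append((int(parts[0]), parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def beacon_candidates(flows, min_hits=5, max_jitter_ratio=0.1):
    """Return {(src, dst, port): (mean_interval_s, coefficient_of_variation)}
    for pairs that connected at least `min_hits` times with near-constant gaps.

    The coefficient of variation (stddev / mean of the inter-arrival gaps) is
    close to 0 for a timer-driven poll and large for human-driven traffic.
    Both thresholds are illustrative assumptions, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    result = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_jitter_ratio:
            result[pair] = (avg, cv)
    return result


if __name__ == "__main__":
    for (src, dst, port), (avg, cv) in beacon_candidates(parse_flows(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}:{port} every ~{avg:.0f}s (jitter ratio {cv:.3f})")
```

On the sample data only the 10.0.0.7 to 203.0.113.5 pair is reported, with a mean interval of about 300 seconds; the irregular browsing host and the pair with too few connections are not. Real malware often adds random jitter to its timer, so in practice the `max_jitter_ratio` threshold has to be loosened and combined with other signals (destination reputation, payload size) to keep false positives down.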

"Regardless of its size, we find the iKee.B botnet an interesting sample because it offers insights into the design of modern smartphone botnets," according to SRI researchers. "Perhaps the most immediate observation regarding the iKee.B botnet is that it has a very simple yet flexible code base, which given its target platform makes tremendous sense. While its code base is small, all the key functionality that we have grown to expect of PC botnets is also present in iKee.B: it can self-propagate, it carries a malicious payload (data exfiltration), and it periodically probes its C&C for new control instructions."

Though this example can only infect a small subset of iPhone users, extending the software to rely on a future iPhone OS exploit, or to merely infect other smartphone platforms that don't have the same security measures as the iPhone, is relatively trivial. This has the researchers worried that smartphones could quickly become an important target for malware writers, since we continue to entrust so much personal data to the devices. "A quick survey of which apps [are] installed on a victim's [phone] will provide a malware author with a highly targeted list of what web accounts and services the user employs, and [would allow] the malware to target those accounts and services directly by focusing on infiltrating those apps," the report concluded.
