Intego (http://www.intego.com), the Macintosh security specialist,
says that, for the third time this month, malware targeting the
iPhone has surfaced.
This new malware, that Intego calls iBotnet.A, is, according to the
company, “by far the most sophisticated iPhone malware yet: it is not
only a worm, capable of spreading across a network, but also hijacks
iPhones or iPod touches for use in a botnet.” Intego says it’s
important to note that standard, non-jailbroken iPhones or iPod
touches are not at risk.
The company adds that it’s extremely dangerous to jailbreak an iPhone
because of the vulnerabilities that this process creates. (Estimates
suggest that 6-8% of iPhones are jailbroken.) Jailbroken iPhones at
risk are those where ssh is installed, and where the default password
has not been changed.
This worm starts by searching its local network, as well as a number
of IP address ranges, for available devices to infect. The address
ranges it scans include those of ISPs in the Netherlands, Portugal,
Hungary, Australia, and if an appropriately unprotected iPhone is
found, the worm can copy itself to these devices.
When active on an iPhone, the iBotnet worm changes the root password
for the device (from “alpine” to “ohshit”), in order to prevent users
from later changing that password themselves. It then connects to a
server in Lithuania, from which it downloads new files and data, and
to which it sends data recovered from the infected iPhone. The worm
sends both network information about the iPhone and SMSs to the
remote server.
It’s capable of downloading data, including executables that it uses
to run and carry out its actions, as well as new files, providing
botnet capabilities to infected devices. (A botnet is a network of
infected computers or devices that can be controlled by hackers to
attack other computers, serve malware, send spam, serve pages or
images, and much more.)
The worm also gives each infected iPhone a unique identifier; this to
be able to reconnect easily to any iPhones on which valuable
information is found, but also to ensure that only infected iPhones
can connect to the server. Finally, it changes an entry in the
iPhones /etc/hosts file for a Dutch bank web site, to lead Dutch
users who connect to this bank site to a bogus site, presumable to
harvest user names and passwords.
Intego recommends you use its own VirusBarrier X5, which detects and
eradicates this malware, which it identifies it as iPhone/iBotnet.A,
on iPhones that it can scan from Macs with VirusBarrier X5 installed,
with its virus definitions dated Nov. 22, 2009 or later. The only
other way to remove this malware is to totally wipe and restore the
iPhone using iTunes.