Home / malware Worm:iPhoneOS/Ikee.B
First posted on 25 November 2009.
Source: SecurityHomeAliases :
There are no other names known for Worm:iPhoneOS/Ikee.B.
Explanation :
A standalone malicious program which uses computer or network resources to make complete copies of itself. May include code or other malware to damage both the system and the network.
Additional DetailsWorm:iPhoneOS/Ikee.B is the second variant of the Ikee worm and the first with a clearly malicious attack.
This variant is the first iPhone worm to be created with a distinct financial motivation, as it searches for and forwards financially-sensitive information stored on the iPhone. Fortunately, the control server which receives the stolen information has been taken offline.
Users in a number of countries, including the Netherlands and Australia, are affected by this worm.
Infection
IKee.B only infects iPhones if:
  • The device is 'jailbroken' - hacked by the user in order to install software that hasn't been approved by Apple   • AND an unapproved Secured Shell (SSH) application, which allows remote access to the device, has been installed   • AND the default SSH password for the 'root' user has not been changed from the factory default ('alpine')
Users who have not jailbroken their iPhones, do have have an SSH application installed, or have changed the default SSH password are not affected.
Execution
When active on the iPhone, Ikee.B does the following:
  • Changes the root password from 'alpine' to 'ohshit'   • Connects to a control server at 92.61.38.16 via HTTP and downloads additional components
  • Communicates banking information contained in SMS messages stored on the device to the control server.
Propagation
While active, the worm attempts to scan for other vulnerable iPhones over the Wi-Fi or 3G networks. If found, the worm proceeds to infect them.Last update 25 November 2009
