Malicious New iPhone Worm Attacks Jailbroken Phones


Observers say that while the iPhone worm only attacks jailbroken iPhones and iPod Touches, it uses command-and-control techniques like a PC botnet and, when triggered, can redirect ING bank customers to a log-in screen and potentially steal their passwords.

According to Sophos and other sources, the worm compromises a jailbroken iPhone, replaces the phone's SSH remote-login software, changes the root password, examines the iPhone's SMS database, and then hunts for other vulnerable phones on the local network. It also scans address ranges belonging to a number of ISPs, including Australia's Optus, the Netherlands' UPC, and T-Mobile in several countries.

"It configures two startup scripts, one to execute the worm on boot-up, and the other to create a connection to a Lithuanian server (HTTP) to upload stolen data and cede control to the bot master," wrote Sophos' Chester Wisniewski on a Sophos company blog Saturday.

Sophos and other security specialists picked up on reports from a Dutch ISP of a large volume of network traffic generated by the worm. A translated post from a Dutch security blog, circulated on Slashdot and other news and aggregator sites over the weekend, was the first to describe some of the worm's characteristics.
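The worm's propagation described above (sweeping the local network and ISP address ranges for phones with SSH exposed) is also what made it visible to the Dutch ISP: one phone opening TCP/22 connections to many distinct addresses in a short time. The following is an added example, not code from the article or from Sophos, of the kind of fan-out check an ISP or home-router operator could run over connection records to surface such a phone. The flow-record format, the threshold of 20 distinct destinations per 60-second window, and the sample records are all assumptions constructed for the example.

```python
"""Flag source hosts whose SSH connection fan-out looks like worm propagation.

An infected jailbroken phone sweeps nearby address space for other phones
with SSH listening. Seen from an ISP or a home router, that is one source
opening TCP/22 connections to many distinct destinations in a short window.
This module scores each source by the largest number of distinct port-22
destinations it contacted within any sliding window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SSH_PORT = 22
FANOUT_THRESHOLD = 20           # assumed tuning value, not from the article
WINDOW = timedelta(seconds=60)  # assumed sliding-window length


def parse_flow(line):
    """Parse one constructed flow record: 'ISO-timestamp src dst dport'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def ssh_sweepers(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak distinct TCP/22 destinations in any window}
    for every source whose peak reaches the threshold."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if dport == SSH_PORT:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()            # by timestamp, then destination
        best = 0
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            hits[src] = best
    return hits


def sample_flows():
    """Constructed flow records for demonstration; not real ISP data."""
    base = datetime(2009, 11, 21, 10, 0, 0)
    lines = []
    # an infected phone sweeping 30 neighbours on TCP/22 within 30 seconds
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.1.{i + 1} 22")
    # an admin box with a handful of legitimate SSH sessions, one repeated
    for i, dst in enumerate(["10.0.1.2", "10.0.1.7", "10.0.1.9", "10.0.1.2"]):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 {dst} 22")
    # ordinary web traffic, ignored by the detector
    lines.append(f"{base.isoformat()} 10.0.0.7 93.184.216.34 80")
    return lines


if __name__ == "__main__":
    for src, fanout in ssh_sweepers(sample_flows()).items():
        print(f"{src}: {fanout} distinct SSH targets within {WINDOW}")
```

Counting distinct destinations rather than raw connections is what separates a sweep from an administrator reconnecting to the same few hosts; the repeated 10.0.1.2 session in the sample data is scored once. The threshold and window need tuning per network, and a phone that sweeps slowly across a longer window will only be caught if the window is widened accordingly.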


One way to spot the worm on an iPhone, according to Sophos, is unusually short battery life: the worm drains the battery rapidly because of the volume of network activity it generates. Users whose jailbroken iPhones are affected should restore Apple's firmware through iTunes to wipe the phone clean, Sophos recommended.

The new worm follows another recent iPhone worm that also targeted jailbroken iPhones and "Rickrolled" them, setting the iPhone's wallpaper to a picture of British pop star Rick Astley.