Free Republic

First iPhone [Jailbroken] worm discovered - ikee changes wallpaper to Rick Astley photo
Sophos Security ^ | 10/8/2009 | Graham Cluley

Posted on 11/08/2009 1:53:14 PM PST by Swordmaker

[Image: Message from the ikee iPhone worm]

Apple iPhone owners in Australia have reported that their smartphones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.

The worm, which could have spread to other countries although we have no confirmed reports outside Australia, is capable of breaking into jailbroken iPhones if their owners have not changed the default password after installing SSH. Once in place, the worm appears to attempt to find other iPhones on the mobile phone network that are similarly vulnerable, and installs itself again.

On each installation, the worm - written by a hacker calling themselves "ikex" - changes the lock background wallpaper to an image of Rick Astley with the message:

ikee is never going to give you up

What's clear is that if you have jailbroken your iPhone or iPod Touch, and installed SSH, then you must always change your root user password to something different than the default, "alpine". In fact, it would be a good idea if you didn't use a dictionary word at all.

The worm will not affect users who have not jailbroken their iPhones or who have not installed SSH.

[Image: Wallpaper of Rick Astley displayed by the ikee iPhone worm]

SophosLabs is analysing the worm's code, which suggests that at least four variants have been written so far. One of the attributes of the latest variant (labelled the "D" version) is that it tries to hide its presence by using a filepath suggestive of the Cydia application.

The source code is littered with comments from the author suggesting the worm has been written as an experiment. One of the comments berates affected users for not following instructions when installing SSH, because if they had changed the default password the worm would not have been able to infect them.

[Image: ikee worm code]

Presently it appears that the worm does nothing more malicious than spread and change the infected user's lock screen wallpaper. However, that doesn't mean that attacks like this can be considered harmless.

Accessing someone else's computing device and changing their data without permission is an offence in many countries - and just as with graffiti there is a cost involved in cleaning-up affected iPhones.

Other inquisitive hackers may also be tempted to experiment once they read about the world's first iPhone worm. Furthermore, a more malicious hacker could take the code written by ikee and adapt it to have a more sinister payload.

iPhone users may rush into jailbreaking their iPhones in order to add functionality that Apple may have denied to them, but if they do so carelessly they may also risk their iPhone becoming the target of a hacker.

My prediction is that we may see more attacks like this in the future. Indeed, only last week we saw hacked iPhones in the Netherlands being held hostage for 5 Euros.

Who wrote the ikee iPhone worm?

The source code of the worm says at its start:

/ "ikee virus" by ikex
/ Revision: 10 (Variant D)

A quick trawl of the Whirlpool forum where users are reporting that their iPhones are unexpectedly displaying an image of Rick Astley, reveals a user calling themselves "ike_x".

According to ike_x's user profile on the Whirlpool forum his nearest city is Sydney, Australia. Further searching on the internet reveals other pages seemingly related to ike_x of Wollongong, New South Wales, using the name "Ash" or "Ashley Towns". For instance, here is a MySpace page and this appears to be Ash/ikex on Twitter.

The worm's author appears to have realised that people might be interested to learn why he wrote the worm, and posted this explanation inside the code:

Why?: Boredom, because i found it so stupid the fact that on my initial scan of my 3G optus range i found 27 hosts running SSH daemons, i could access 26 of them with root:alpine. Doesn't anyone RTFM anymore?

There is a certain irony in the notion that a hacker who says he was trying to expose sloppy security by the owners of jailbroken iPhones has done such a bad job of covering his own tracks.

Source of image of affected iPhone: Batman from the Whirlpool forums.



TOPICS: Business/Economy; Computers/Internet; Conspiracy
KEYWORDS: ilovebillgates; iwanthim; iwanthimbad; microsoftfanboys

1 posted on 11/08/2009 1:53:15 PM PST by Swordmaker
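
An added example, not part of the article or of this thread: a Python check of an `sshd_config` for the condition the worm depended on, root login over SSH by password. The function name, the sample configs and the fallback of `yes` for `PermitRootLogin` (the OpenSSH default before version 7.0) are assumptions of this example.

```python
# Added example: does this sshd_config allow root to log in with a password?
# It reads the global section only and does not follow Include files. It cannot
# tell whether the root password is still the default; it reports only whether
# a password is enough to get in as root.

def audit_root_password_login(config_text, default_permit_root="yes"):
    """Return (exposed, has_match_blocks) for the global part of an sshd_config."""
    options, has_match = {}, False
    for raw in config_text.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].startswith("#"):
            continue                          # blank line or comment
        keyword = tokens[0].lower()           # keywords are case-insensitive
        if keyword == "match":
            has_match = True                  # conditional blocks need manual review
            break
        value = tokens[1].strip('"').lower() if len(tokens) > 1 else ""
        options.setdefault(keyword, value)    # sshd uses the first value it reads
    permit_root = options.get("permitrootlogin", default_permit_root)
    password_auth = options.get("passwordauthentication", "yes")
    exposed = permit_root == "yes" and password_auth == "yes"
    return exposed, has_match

# Constructed sample: nothing hardened, the root setting is only commented out.
EXPOSED = """\
Port 22
#PermitRootLogin no
PasswordAuthentication yes
"""

# Constructed sample: the first PermitRootLogin wins, so the later "yes" is ignored.
HARDENED = """\
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitRootLogin yes
"""

# Constructed sample: safe globally, but a Match block may loosen it for some clients.
MATCHED = """\
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED), ("hardened", HARDENED), ("matched", MATCHED)):
        print(name, audit_root_password_login(text))
```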

To: ~Kim4VRWC's~; 1234; 50mm; 6SJ7; Abundy; Action-America; acoulterfan; Airwinger; Aliska; altair; ...
First iPhone Worm discovered... requires that you Jailbreak your iPhone so you can get infected... PING!


Jailbroken iPhone Malware Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 11/08/2009 1:54:30 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Swordmaker; ShadowAce; fieldmarshaldj

http://www.youtube.com/watch?v=ZOU8GIRUd_g


3 posted on 11/08/2009 1:56:37 PM PST by Perdogg (Sarah Palin-Jim DeMint 2012 - Liz Cheney for Sec of State - Duncan Hunter SecDef)

To: Swordmaker
> The worm will not affect users who have not jailbroken their iPhones or who have not installed SSH.

So in other words this will have the potential of affecting the minute percentage of users who have jailbroken, AND who installed SSH, AND who were smart enough to do so but were nevertheless stupid enough to keep a default password that is a dictionary word.

Doesn't sound like the makings of a botnet to me... any estimates of how many phones hit so far?

Why people can't take the simplest precautions is beyond me. I agree with the worm author on that point:

> Doesn't anyone RTFM anymore?

Ummm, that would be "no".

4 posted on 11/08/2009 2:02:22 PM PST by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: Perdogg

What did Rick Astley ever do to anybody??


5 posted on 11/08/2009 2:06:14 PM PST by karatemom (Sweet, golden November !)

To: karatemom

Really, He’s loyal, faithful, and true.

In fact, he’s never gonna give you up,
Never gonna let you down,
Never gonna run around and desert you,
Never gonna make you cry,
Never gonna say goodbye,
Never gonna tell a lie and hurt you. . .


6 posted on 11/08/2009 2:10:12 PM PST by Salgak (Acme Lasers presents: The Energizer Border: I dare you to try and cross it. . .)

To: Swordmaker
> Apple iPhone owners in Australia have reported that their smartphones have been infected by a worm that has changed their wallpaper to an image of 1980s pop crooner Rick Astley.

THOSE B*STARDS!!

7 posted on 11/08/2009 2:10:24 PM PST by Tribune7 (I am Joe Wilson!)

To: Salgak

I know, man, I’m feelin’ it! And with that red hair and all he is so darned cute.
How about a truly annoying singer? Like say..???


8 posted on 11/08/2009 2:13:30 PM PST by karatemom (Sweet, golden November !)

To: karatemom
> How about a truly annoying singer? Like say..???

Whitney Houston, Cyndi Lauper (twoo colors)?

9 posted on 11/08/2009 3:43:09 PM PST by Mister Muggles (Seattle: a city full of liberal men with vaginas.)

To: Swordmaker
> What's clear is that if you have jailbroken your iPhone or iPod Touch, and installed SSH, then you must always change your root user password to something different than the default, "alpine".

Heh heh...

10 posted on 11/08/2009 5:11:23 PM PST by SunkenCiv (https://secure.freerepublic.com/donate/__Since Jan 3, 2004__Profile updated Monday, January 12, 2009)

To: Swordmaker

Rickrolled!


11 posted on 11/09/2009 9:33:20 AM PST by Mad-Margaret

To: Perdogg

http://www.youtube.com/watch?v=ZOU8GIRUd_g

Ugh! That’s Ghastly!


12 posted on 11/09/2009 3:41:11 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Perdogg

http://www.youtube.com/watch?v=ZOU8GIRUd_g

Ugh! That’s Ghastly!


13 posted on 11/09/2009 3:41:19 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)

To: Swordmaker

That must have been so ghastly it was worth repeating... at least FR thought so.


14 posted on 11/09/2009 4:17:10 PM PST by Swordmaker (Remember, the proper pronunciation of IE is "AAAAIIIIIEEEEEEE!)
