A malicious Apple iPhone worm — designed to turn jail-broken iPhones into bots — proves, yet again, that cybercriminal are as predictable as Seattle rain.

ThisÃ‚Â iPhone worm appeared over the weekend, arriving less than two weeks after a 21-year-old Australian researcher, Ashley Towns, released the Ikee worm — the prototype for this new type of attack.

You may recall Towns cleverly changed the wall paper of iPhones he hacked to a picture of 80s singer Rick Astley.

People crack open the locks on their iPhone operating system — referred to as jailbreaking — to subvert Apple’s obsessiveness about permitting only AT&T phone service and corporate-approved apps. Security firm Intego estimates that 6% to 8% of iPhones are jailbroken.

Towns, the young Australian hacker, said he launched Ikee to underscore how most iPhone jailbreakers were too lazy to change the default system password, making their iPhones trivial to hack.

This brings to mind the MySpace Samy worm, initially released by Samy Kamkar as a ploy to get his girlfriend’s attention. Kamkar’s expoloit wasÃ‚Â quickly incorporated into profit-driven attacks.

Worm name: “Duh”

Similarly, the iPhone worm released this weekend is much more insidious than the Ikee worm. It installs a botnet management program, giving the intruder the ability to use the iPhone just like they would a botted Windows PC. Bad guys use botnets to spread spam, steal data and hijack online accounts. The worm also changes the default password to make it harder for users to regain control. Sophos researcher Paul Ducklin discovered that the default password was changed from “alpine” to “ohshit.”

Says Ducklin: “I don’t know whether we have an official name for this worm yet, but I’ll refer to it as Duh, because that is the name which the virus itself gives to the component which strongly differentiates it from the earlier Ikee worm. “Duh” is the part which reports back to Cybercrime Control (at IP number 92.61.38.16, which appears to be in Lithuania, that you have been infected, and then regularly checks back for commands to download and run later. That makes this virus a true bot or zombie.”

Russian routlette

Graham Cluley, Sophos senior analyst, notes that there has been a long history of “proof of concept” hacks evolving quickly into more malicious attacks.

“The earlier Ikee worm wasn’t written with an obvious financial motivation,” says Cluely. “However, there is no doubt that the author of Ikee helped the creators of this worm by releasing his source code, giving them a template upon which to create their own more malicious attack.”

Owners of jailbroken iPhones would be wise to also change their default root password — if the worm hasn’t already done it for them.

“Leaving it in its default state is playing Russian Roulette with your data,” says Cluely. “There will undoubtedly more attacks attempting to take advantage of hackers gambling with the security of their jailbroken iPhone.”

Peter James, spokesperson for Intego, concurs: “We are particularly worried that the Rick Astley worm’s creator, having posted the code on-line, has made it that much easier for the bad guys to exploit the weaknesses in jailbroken iPhones,” says James. “It’s very possible that we’ll see more such threats in the future.”

–Byron Acohido

November 23rd, 2009 | Imminent threats | Top Stories | Uncategorized