New iPhone virus. Duh!

Business IT - Security

The latest iPhone virus has arrived.  This one adds the iPhone to a botnet and changes that pesky default SSH password.

Ikee arrived a couple of weeks ago to much fanfare; and very little malice.  However, the Naughty Lads of the Internet soon found a way to make better use of Ashley Towns' work.  Now, as predicted, they've gone one step further.

The latest version, called Duh, originated in The Netherlands and (in addition to invading your iPhone without permission) generously adds your phone to a Lithuanian-based botnet (well, the home IP address of 92.61.38.16 appears to be there).  Your iPhone is now a zombie, ready to do the bidding of whoever owns the command-and-control server.

As yet, there is no evidence of activation; but that won't last long.  Expect your usage charges to rise enormously. 

Furthermore, Duh also changes that feeble SSH password (you know, the Apple-provided one that has never been changed?).  According to research by SophosLabs, the virus doesn't care what the plain-text version of the new password is: it simply copies a new password hash over the top of the original hash.  At no time is the new password "in the clear."

This means that the new password is known to the attackers, but not to the victims.

Enter the "knight in shining armour."  Or in the case of Sophos (who have already delved into this latest bucket of scum), a knight in shining feathers.  Paul Ducklin, Head of Technology at Sophos in Sydney (known universally as Duck), writes in his blog that after some careful analysis, "Thanks, however, to John the Ripper, I can tell you that the new password is: 'ohshit'."

Ducklin continues, "So if you have a jailbroken phone running SSH, which you used to be able to log into as root with the password 'alpine' but which is now inaccessible, try 'ohshit' as your root password. If you get in, you are almost certainly infected with the Duh virus.

"Perhaps, in fact, Duh is a good name for this virus. It will only infect those who escaped Ikee infection (since those phones would no longer have SSH active for the new virus to break in) but still didn't bother to change their root password away from Apple's feeble default root password of 'alpine'."

In case you're wondering: something iTWire hasn't previously reported is that Ikee also disabled SSH as part of the infection.

"Don't have an 'ohshit' moment," says Ducklin.  "Don't give jailbreaking a bad reputation. Change those passwords now. (Duh changes any password which is currently 'alpine', not just the root password. So fix any user accounts as well.)"

Oh, and remember, the iPod Touch is still just as susceptible.
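As an added illustration (not code from the article or from Sophos), the following Python audit looks for the two traces that the hash-copying described above leaves in a BSD-style master.passwd (the account file on Darwin-based systems such as the iPhone): hash fields that differ from a snapshot the owner took earlier, and several accounts carrying a byte-identical hash string, which is what copying one ready-made hash over every 'alpine' account would produce. The sample lines and their hash fields are constructed placeholders, and the earlier snapshot is an assumption.

```python
# Added example (not from the article or Sophos): audit a BSD-style
# master.passwd for the two traces a copied-over hash leaves behind.
# Sample lines are constructed; the hash fields are placeholders.

BASELINE = """\
root:aaBASELINEroot1:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:bbBASELINEmob1:501:501::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
"""

CURRENT = """\
root:ccCOPIEDHASH00:0:0::0:0:System Administrator:/var/root:/bin/sh
mobile:ccCOPIEDHASH00:501:501::0:0:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
"""

LOCKED = ("", "*", "!")  # markers meaning "no usable password", not a hash


def parse_master_passwd(text):
    """Map account name -> hash field.
    Line format: name:hash:uid:gid:class:change:expire:gecos:home:shell."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 10:
            raise ValueError("malformed line: %r" % line)
        accounts[fields[0]] = fields[1]
    return accounts

def changed_hashes(baseline, current):
    """Accounts whose hash differs from the snapshot (new accounts count too)."""
    return sorted(n for n, h in current.items() if baseline.get(n) != h)

def shared_hashes(current):
    """Groups of accounts with a byte-identical hash string. A crypt(3) string
    embeds its own salt, so a collision means one hash was copied around."""
    by_hash = {}
    for name, h in current.items():
        if h not in LOCKED:
            by_hash.setdefault(h, []).append(name)
    return {h: sorted(n) for h, n in by_hash.items() if len(n) > 1}

def audit(baseline_text, current_text):
    baseline = parse_master_passwd(baseline_text)
    current = parse_master_passwd(current_text)
    return {"changed": changed_hashes(baseline, current),
            "shared": shared_hashes(current)}
```

Running `audit(BASELINE, CURRENT)` on the constructed sample flags root and mobile as changed and reports them as sharing one hash, which is the pattern to expect after every 'alpine' account has been overwritten with the same string.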