David Heath
Monday, 23 November 2009 16:00
Ikee arrived a couple of weeks ago to much fanfare and very little malice. However, the Naughty Lads of the Internet soon found a way to make better use of Ashley Towns' work. Now, as predicted, they've gone one step further.
The latest version, called Duh, originated in The Netherlands and (in addition to invading your iPhone without permission) generously adds your phone to a Lithuanian-based botnet (well, the home IP address of 92.61.38.16 appears to be there). Your iPhone is now a zombie, ready to do the bidding of whoever owns the command-and-control server.
As yet, there is no evidence of activation, but that won't last long. Expect your usage charges to rise enormously.
Furthermore, Duh also changes that feeble SSH password (you know, that Apple-provided password that has never been changed?). According to research by Sophos' Labs, the virus doesn't care what the plain-text version of the new password is; it simply copies the new password hash over the top of the original password hash. At no time is the new password "in the clear."
This means that the new password is known to the attackers, but not to the victims.
Enter the "knight in shining armour." Or in the case of Sophos (who have already delved into this latest bucket of scum), a knight in shining feathers. Paul Ducklin, Head of Technology at Sophos in Sydney (known universally as Duck), writes in his blog that after some careful analysis, "Thanks, however, to John the Ripper, I can tell you that the new password is: 'ohshit'."
Ducklin continues, "So if you have a jailbroken phone running SSH, which you used to be able to log into as root with the password 'alpine' but which is now inaccessible, try 'ohshit' as your root password. If you get in, you are almost certainly infected with the Duh virus.
"Perhaps, in fact, Duh is a good name for this virus. It will only infect those who escaped Ikee infection (since those phones would no longer have SSH active for the new virus to break in) but still didn't bother to change their root password away from Apple's feeble default root password of 'alpine'."
In case you're wondering, what hasn't previously been reported by iTWire is that Ikee also disabled SSH as part of the infection.
"Don't have an 'ohshit' moment," says Ducklin. "Don't give jailbreaking a bad reputation. Change those passwords now. (Duh changes any password which is currently 'alpine', not just the root password. So fix any user accounts as well.)"
Oh, and remember, the iPod Touch is still just as susceptible.