Another,iPhone,worm,and,this,t computer Another iPhone worm - and this time it's malicious
Gone are those times when the companies and the organisations didn't need a hi-tech system to handle them. Owing to the considerable increase in the business sector and thus, an enormous increase in the complexity of the organisational struc ----------------------------------------------------------Permission is granted for the below article to forward,reprint, distribute, use for ezine, newsletter, website,offer as free bonus or part of a product for sale as longas no changes a
A Dutch ISP has reported unusual amounts of data trafficrelated to the worm, which was the first indication that something was wrong.Slashdotposted a link to a translation of a Dutch security blog post with more details.Thisworm, like the others, only attacks jailbroken iPhone and iPod Touch devices.Thereare some significant differences from the 5 Euro scam, the most notable ofwhich is that this worm uses command-and-control like a traditional PC botnet.Itconfigures two startup scripts, one to execute the worm on boot-up, and theother to create a connection to a Lithuanian server (HTTP) to upload stolendata and cede control to the bot master.Security.nl also says that the wormchanges the root password from the default of alpine that Apple set in thefactory firmware, making it more difficult for users to secure their devices.Therecommended method to remove this malware from your iPhone is to restore theApple factory firmware using iTunes.This worm attacks IP ranges from a largerrange of ISPs, including UPC (Netherlands), Optus (Australia), and T-Mobile(Many).When an infected device is hooked up to a WiFi connection, the worm canspread more quickly to more IP addresses than on a typical 3G connection.Onesymptom noted by security.nl is that battery life is very, very short when thedevice is connected to WiFi, because the worm is generating so much networkactivity.Each infected device is assigned a unique ID number, which allows theattackers to further investigate a phone found to have interesting content.Thiscould lead to significant data theft if a sensitive phone has been jailbroken.Theworm could be related to Banker Trojans as well, as it appears to look formTANs.These are two-factor authentication systems that use SMS.When you attemptto log in to your banks website, the bank sends you an SMS with a one-timepassword, which you then enter on their website to log in to your account.Ifyou have jailbroken your iPhone, I recommend restoring it to the currentApple-supplied firmware.If you want freedom of application choice, perhaps youshould consider an Android-based phone rather than hacking your device into apotentially insecure state.IT Administrators concerned about compromiseddevices on their networks would need to do a physical spot check for jailbrokenphones.It does not appear that iPhones are able to report back any sort ofstatus information, so there is no way to securely use them in an enterpriseenvironment.If an infected phone is also connected to your MS Exchange, WiFi,or VPN environment, all of your confidential data could be at risk.This furtherdemonstrates that iPhones are not ready for the business environment.Apple hasmade a great effort at preventing people from cracking into their software andunlocking/jailbreaking their devices, but where there is a will, there willalways be a way.UPDATE: Mikko Hypponen is reporting the IP address the wormuses for C&C is 92.61.38.16.If you are mobile operator you may wish toblock/monitor activity trying to communicate with this IP address.UPDATE 2:Paul Ducklin has discovered the new root password set by this worm to be ohshit.Formore information see Pauls blog(http://www.sophos.com/blogs/duck/g/2009/11/23/iphone-worm-password/).UPDATE 3:Now that Paul has recovered the password you do not need to restore Applefirmware.You can follow Pauls clean up instructions(http://www.sophos.com/blogs/duck/g/2009/11/24/clean-up-iphone-worm/)
Another,iPhone,worm,and,this,t