[nsp-sec] Possibly a new Jailbroken iPhone worm?
Scott A. McIntyre
scott at xs4all.net
Wed Nov 18 07:51:09 EST 2009
All,
Over the last two days I've had a huge rise of cases of customers who were SSH scanning T-Mobile Netherlands IP ranges (and possibly others, but, that's what triggered my attention). We've only heard back from a handful of these customers so far, but in every case they were running jailbroken iPhones, without having disabled the jailbreak-installed OpenSSHD, or changed the password.
To my knowledge there are three main Jailbroken-SSH attacks going around:
1) Dutch bozo demanding 5 euros to re-enable a phone -- he changed his mind and posted instructions on how to remove the lock-screen he set up
2) "ikee" the Rickrolling one. Prank, mostly harmless.
3) iPhone/Privacy.A mentioned by Intego. This seems to mostly be a Python tool to hack a phone and extract data, but not an automated worm.
It seems possible, and eventually quite highly probable, that more variants of this type of behaviour will be out there.
None of our customers have Rick Astley on their lock-screen, nor the "pay money" lock screen, but the behaviour from the phone is most definitely wormlike. Customers also reported serious battery drainage, likely due to the constant 3G/gprs/wifi activity.
A few of them took this battery drain as a sign to do a full-restore, which wiped out whatever malware was running.
I'm still trying to find a customer who can grab ps output or so, but so far none of those affected have had the adv-cmds Cydia package installed, and handholding through Unix command line usage is a bit more than they're up for. Housecalls are also being offered, but...
Anyway, those of you who operate mobile networks may want to specifically look for new behaviour heading towards 22/tcp...
Best regards,
Scott A. McIntyre
XS4ALL Internet B.V.
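As an added example (not part of the post above), a small fan-out detector over constructed flow records: it flags a source that reaches many distinct destinations on 22/tcp within a short window, the scanning pattern described in the mail, while ignoring repeated logins to a handful of servers and high fan-out on other ports. Addresses, timings and thresholds are assumptions chosen for the demonstration.

```python
"""Flag sources fanning out to many distinct hosts on 22/tcp within a
sliding window (the behaviour a compromised phone produces when it
scans neighbouring address space). All flow data here is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed NetFlow-style records as (timestamp, src, dst, dport):
    one phone sweeping a /24 on 22/tcp, one admin reconnecting to three
    servers, and one phone browsing many web hosts on 80/tcp."""
    base = datetime(2009, 11, 17, 9, 0, 0)
    flows = []
    for i in range(25):  # scanner: 25 distinct hosts in about two minutes
        flows.append((base + timedelta(seconds=5 * i),
                      "10.20.30.40", f"10.20.31.{i + 1}", 22))
    for i in range(30):  # admin: many SSH sessions, only 3 distinct servers
        flows.append((base + timedelta(seconds=10 * i),
                      "10.20.30.50", f"192.0.2.{i % 3 + 1}", 22))
    for i in range(25):  # web browsing: high fan-out, but not port 22
        flows.append((base + timedelta(seconds=5 * i),
                      "10.20.30.60", f"198.51.100.{i + 1}", 80))
    return flows


def ssh_fanout_alerts(flows, window=timedelta(minutes=5), threshold=20):
    """Return {src: peak distinct 22/tcp destinations in any window} for
    every source whose peak reaches the threshold (assumed values)."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport == 22:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        recent = deque()            # events inside the current window
        live = defaultdict(int)     # dst -> occurrences inside the window
        peak = 0
        for ts, dst in events:
            recent.append((ts, dst))
            live[dst] += 1
            while recent[0][0] < ts - window:   # expire old events
                _, old_dst = recent.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            peak = max(peak, len(live))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(ssh_fanout_alerts(build_sample_flows()))  # {'10.20.30.40': 25}
```

A per-source distinct-destination count is what separates a sweep from an admin's repeated logins; on a real network the threshold should be tuned against baseline 22/tcp fan-out for the customer population.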