[nsp-sec] Possibly a new Jailbroken iPhone worm?

Kevin Oberman oberman at es.net
Wed Nov 18 14:17:07 EST 2009


> From: "Scott A. McIntyre" <scott at xs4all.net>
> Date: Wed, 18 Nov 2009 13:51:09 +0100
> Sender: nsp-security-bounces at puck.nether.net
> 
> ----------- nsp-security Confidential --------
> 
> All,
> 
> Over the last two days I've had a huge rise of cases of customers who were SSH scanning T-Mobile Netherlands IP ranges (and possibly others, but that's what triggered my attention).  We've only heard back from a handful of these customers so far, but in every case they were running jailbroken iPhones, without having disabled the jailbreak-installed OpenSSHD, or changed the password.
> 
> To my knowledge there are three main Jailbroken-SSH attacks going around:
> 
> 1)  Dutch bozo demanding 5 euros to re-enable a phone -- he changed his mind and posted instructions on how to remove the lock-screen he set up
> 2)  "ikee" the Rickrolling one.  Prank, mostly harmless.
> 3)  iPhone/Privacy.A mentioned by Intego.  This seems to mostly be a Python tool to hack a phone and extract data, but not an automated worm.
> 
> It seems possible, and eventually quite highly probable, that more variants of this type of behaviour will be out there.
> 
> None of our customers have Rick Astley on their lock-screen, nor the "pay money" lock screen, but the behaviour from the phone is most definitely wormlike.  Customers also reported serious battery drainage, likely due to the constant 3G/GPRS/WiFi activity.
> 
> A few of them took this battery drain as a sign to do a full-restore, which wiped out whatever malware was running.
> 
> I'm still trying to find a customer who can grab ps output or so, but so far none of those affected have had the adv-cmds Cydia package installed, and handholding through Unix command line usage is a bit more than they're up for.    Housecalls are also being offered, but...
> 
> Anyway, those of you who operate mobile networks may want to specifically look for new behaviour heading towards 22/tcp...

You might want to look at
<http://bsdly.blogspot.com/2009/11/rickrolled-get-ready-for-hail-mary.html>
I can't vouch for its accuracy as I have no iPhone at all, but the mere
report could have triggered an up-tick in scans.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
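Taking up the closing suggestion to watch for new behaviour heading towards 22/tcp, the following is an added example (not code from either poster): it scans flow-style records and flags any source that contacts many distinct destinations on 22/tcp within a short window, which is the outbound pattern a compromised handset with the default SSH password would show. The record layout, the five-minute window, the threshold of 20 destinations and all addresses are constructed assumptions.

```python
"""Flag customer hosts whose outbound flows look like SSH scanning (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)       # assumed sliding window
DISTINCT_DST_THRESHOLD = 20         # assumed: distinct 22/tcp targets per source per window


def _constructed_flows():
    """Constructed sample records: 'ISO-timestamp src dst dport proto' (not real data)."""
    base = datetime(2009, 11, 18, 12, 0, 0)
    flows = []
    # one infected handset sweeping 40 addresses on 22/tcp, one probe per second
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        flows.append(f"{ts} 10.20.30.40 192.0.2.{i + 1} 22 tcp")
    # a legitimate admin host: three SSH sessions spread over forty minutes
    for i, dst in enumerate(["198.51.100.5", "198.51.100.6", "198.51.100.5"]):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        flows.append(f"{ts} 10.20.30.41 {dst} 22 tcp")
    # unrelated HTTPS traffic that must be ignored
    flows.append(f"{base.isoformat()} 10.20.30.42 203.0.113.9 443 tcp")
    return flows


SAMPLE_FLOWS = _constructed_flows()


def parse_flow(line):
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def ssh_scanners(lines, window=WINDOW, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: max_distinct_22tcp_destinations} for sources meeting the threshold."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, proto = parse_flow(line)
        if proto == "tcp" and dport == 22:          # only SSH connection attempts matter here
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)                # dst -> number of probes inside the window
        left, best = 0, 0
        for ts, dst in events:                      # slide the window over this source's probes
            in_window[dst] += 1
            while ts - events[left][0] > window:    # evict probes older than the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            flagged[src] = best
    return flagged
```

A single host making a few SSH connections stays below the threshold; the per-source count of distinct targets, not raw volume, is what separates the sweeping handset from an administrator.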
