As you guys may know there has been a lot of talk about this worm going around for people over in Australia. This worm changes your iphone’s wallpaper if using winterboard. The one on the left is the image that is used as a wallpaper/background and the one on the right is the image that is used when your on a phone call.

The only way your iphone can be infected is if you have open ssh installed and you haven’t changed your default ssh password. To sum it all up this is how it got spread, you can also read more to see the full interview on the creator and his thoughts

• Worm creator connects to wireless network with infected iphone
• You or someone else connects to same wireless network and you have openssh installed and default pass
• The worm gets into your iphone from worm creator and you know have the worm
• You leave without knowing of the worm and connect to another wireless network with your infected iphone
• Someone else that has openssh installed with default pass connects to same wireless network and get infected
• The process keeps going and going..

Be safe everyone and change your default password.

[09:02] <JD> Hi ikee Thanks for joining me
[09:02] <ikee> nps
[09:03] <JD> Now, as you’re well aware, you wrote a virus that is infecting many iPhones in Australia. I guess the real question to start with is why?
[09:04] <ikee> First i was curious to how far something like this would actually spread, i think what most people were unaware of is the fact it IS a worm and every phone that got infected with it was spreading it (I initially only infected 3 phones when I woke up i checked google and found out a fair few people were hit with it)
[09:05] <ikee> Secondly i was quite amazed by the number of people who didn’t RTFM and change their default passwords.
[09:07] <JD> How far did you expect it to spread, exactly?
[09:08] <ikee> Well i didn’t think that many people would have not changed their passwords I was expecting to see maybe 10~ or so people, at first I was not even going to add the replicate/worm code but it was a learning experience and i got a tad carried away
[09:11] <JD> Are you aware that it has even started to replicate itself overseas?
[09:13] <ikee> I heard a few stories about it, that would have been sheer luck, the code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra’s IP Ranges (I think the reason Optus got hit so hard is because the other 2 are NAT’d) then a random 20 IP ranges. I’m guessing a few phones hit a range that another vulnerable phone was on.
[09:14] <ikee> (From another country)
[09:15] <JD> Well that was my next question: Why does it only seem to be hitting Optus here and Overseas (I was presuming from screenshots I’ve seen)… So you’re saying the Optus network is more vulnerable due to it not using NAT?
[09:17] <ikee> I don’t think it was an Optus fault (Being an Optus user I quite like the fact i can access my iPhone services from the outside world), I think it was mainly the fault of people being to lazy to change their passwords (It only takes a couple of seconds guys) and I hope this taught a few people that.
[09:18] <JD> So do you know exactly how many people are currently infected with the “ikee virus”?
[09:20] <ikee> I can only confirm how many my phone infected alone, which was 100+ phones. I think most of them fixed it (AND I’M HOPING THEY CHANGED THEIR PASSWORDS.)
[09:21] <JD> So your major defense seems to be that people left themselves vulnerable, Do you steal stuff from people’s houses if they leave the backdoor open?
[09:24] <ikee> I’ll answer your question with two questions, Have you ever used unprotected Wifi? and Technically I did not steal anything, have you ever littered on someone else’s property? (Smokers will definitely associate )
[09:25] <JD> Ok, I suppose I can personally admit to both of them, but it seems alot more to me like vandalism than littering, which isn’t something I would do
[09:27] <ikee> Personally I would class littering as vandalism (They definitely don’t want your rubbish there). I admit I probably pissed of a few people, but it was all in good fun (well ok for me anyway)
[09:30] <JD> So that explains why you decided to use Rick Astley. In my research, I’ve been reading about a similar virus (it seems) that contains a picture of an ‘asian child’ – I havn’t seen screenshots of this, but that’s how it is described. Are you also responsible for the “Asian Child virus”?
[09:32] <ikee> Ahh that was a quirk of my bad coding, the ‘virus’ itself has 4 variations and the first variation would resend its LockBackground.jpg to the victim. I did not comprehend that the infector might have not rebooted their phone after changing the LockBackground to something else (Causing them to send their changed lockbackground instead of Mr Astley)
[09:36] <JD> So it’s the same virus, but now containing a picture of someone’s loved one?
[09:37] <ikee> Yeah, that was definitely not the intended effect.
[09:39] <JD> Are you aware of the possible legal consequences of this (the ikee virus)? Are you concerned?
[09:40] <ikee> I’d like to think I’m aware, and also I highly doubt I’m in any real trouble (So no not concerned)
[09:43] <JD> James01 on Whirlpool asks: at least one person has reported being affected without a jailbreak – seems unlikely given the nature of the phone and what I have garned about the “virus” – is this possible, or are the reports unreliable/mistaken?
[09:44] <ikee> It only affects jailbroken phones, so people probably just got a little confused
[09:45] <JD> vanquish777 on Whirlpool says: What I want to know is, how did I get infected when I had SSH toggled off
[09:46] <ikee> You didn’t , My guess is you had it on and when the ‘virus’ hit, it disabled sshd so when you checked it afterwards it appeared to be off
[09:47] <JD> Which reminds me, many people have said they are no longer able to disable SSH, is this intended to make sure you can do more damage to users?
[09:50] <ikee> This was a hard bit for me to do, until i hit this the virus was not destructive at all. My first intention was to change the root/mobile password to random strings, then embed the strings into the LockBackground. Unfortunately passwd uses a tty (and not stdin) for its new password:request (similar to ssh logins, which is why you might find sshpass in /bin/, i had to port it) so to stop the phone getting infected over and over again (and
[09:50] <ikee> someone else catching on and having mischief with peoples phones) I removed SSHD (cydia reinstall will rememdy the problem)
[09:51] <ikee> (Cydia reinstall of SSH not reinstall Cydia itself)
[09:53] <JD> So you’re saying that the only harm this virus causes is the removal of the SSH Daemon, which effectively, disables the initial problem?
[09:53] <ikee> Well that and the pretty background yes
[09:54] <JD> You mentioned that there are four versions/variants, what are the differences between them?
[09:55] <ikee> Variants A-C were quite similar and the ones most people have bought up. Variant D is fair bit different, it stores its files in a completely different place and hides itself a lot more (No random plists in LaunchDaemons)
[09:56] <JD> So you’re saying that the newest variant is more hidden, is it more malicious?
[09:57] <ikee> It is a lot more hidden, a think most phones tend to be more secured now so it should die pretty fast. It is a little more malicious it tampers with some Cydia files.
[10:01] <JD> Do Android users risk being infected? I’m guessing that the virus would only log in as root:alpine (the default root username and password for the iPhone OS IIRC)
[10:02] <ikee> AFAIK no unless a user decided to use the same passwords, Although there is a weird quirk I read about dropbear in Android allowing any password (A bug with libcrypt I believe) but I could be very wrong.
[10:03] <ikee> But even if an android phone was attacked the platform differences would not allow the code to be run
[10:04] <JD> Just out of curiousity, what do you call what i’ve named the “ikee virus”?
[10:05] <ikee> Its in a folder called POC-iWorm (Proof Of Concept) but I never named it (ikee virus works!)
[10:09] <JD> You yesterday agreed to send me the source code (and removal instructions), what variant will it contain?
[10:10] <ikee> C/D whatever version you want
[10:11] <JD> How about all four? I’ll obviously be placing them online – probably Google Code or similar
[10:13] <ikee> A-C was updated so I don’t have the first 2, I forked D from C. (I don’t know if its so wise posting the code online, nefarious people that otherwise would not have had the chance could modify it to be quite destructive)
[10:14] <JD> Perhaps, But it has become quite clear that there’s a load of people that are unsecure, and if anyone wants to do anything bad enough, they are already going to know how.
[10:15] <JD> I guess i’m hoping that the jailbreak software will soon have a “enter new root password” prompt for those users that are un-aware.
[10:15] <ikee> I’ll leave the choice up to you
[10:15] <ikee> I’d love to see that
[10:16] <ikee> or even a random password generated and displayed for the user to write down
[10:17] <JD> Yes, it would be very good. I had an iPod Touch a while ago, which I “jailbroke” – admittedly I didn’t change the default password. I guess i’m just glad it’s not me.
[10:17] <JD> Do you plan on making any further variants? If so, why?
[10:18] <ikee> No, I think the point has been made
[10:18] <JD> Have you developed anything PRODUCTIVE in the iPhone world?
[10:21] <ikee> I’m not too sure what others would class productive. I do not own a MAC or run OSX (Using a linux cross compile toolchain) so it makes it abit of a challenge to develop any applications utilising the UI (I have tho -.-). I think the best program ive developed for it for me was a remote debugging library that sends debug information over the network (Using MCAST)
[10:23] <JD> Do you have anything further to add (I’m having a mental blank on questions to ask right now)
[10:26] <ikee> I hope I did not piss off many people, this was a very simple problem and has an even simplier solution. I thought it was quite funny and I hope others did too
[10:27] <JD> You mentioned infecting only three iPhones to being with, when did that happen?
[10:28] <ikee> Around 4am November 6th (Yeah I have no life)
[10:31] <JD> To confirm, other than replicating itself, adding the picture of Rick Astley, and removing the SSH Daemon, are we likely to find anything else it does?
[10:32] <ikee> Nothing, and if you’re releasing the source code people will be able to see that
[10:33] <JD> Can you please explain to me, how an infected user would remove the different versions correctly?
[10:33] <JD> by correctly, I mean completely.
[10:33] <ikee> Sure, variants A-C store files in these directories
[10:34] <ikee> /bin/poc-bbot
[10:34] <ikee> /bin/sshpass
[10:34] <ikee> /var/log/youcanbeclosertogod.jpg
[10:34] <ikee> /var/mobile/LockBackground.jpg
[10:35] <ikee> /System/Library/LaunchDaemons/com.ikey.bbot.plist
[10:35] <ikee> /var/lock/bbot.lock
[10:35] <ikee> using an rm (in SSH or mobile-terminal on those files will remove it)
[10:36] <ikee> then reboot the phone, change your password and reinstall SSH
[10:36] <ikee> For variant D its abit different
[10:36] <ikee> The locations are
[10:37] <ikee> /usr/libexec/cydia/startup
[10:37] <ikee> /usr/libexec/cydia/startup.so
[10:37] <ikee> /usr/libexec/cydia/startup-helper
[10:37] <ikee> /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
[10:38] <ikee> Of course cydia used these files previously so you may need to reinstall it after deleting this files
[10:38] <ikee> *these
[10:38] <JD> So the D variant overwrites system files?
[10:39] <ikee> Overwrits cydia’s files
[10:39] <ikee> *Overwrites
[10:39] <JD> Sorry, I’m not an expert at the iPhone OS
[10:39] <ikee> Neither
[10:40] <JD> So none of your versions do contain any password changing commands?
[10:40] <JD> I mean, so when I provide uninstall instructions, I can tell them to use alpine as the password ?
[10:41] <ikee> None of the code changes passwords
[10:42] <JD> Thanks for your time ikee, and I really hope you do get into developing things that are productive sometime soon.
[10:42] <ikee> me too and no problems
[10:42] <JD> Perhaps on the Android platform (Yes, I know, I’m a fanboy)
[10:42] <ikee> I just downloaded the x86 iso, so maybe
[10:43] <JD> I’ll ask you more about that after I end this logging session, Cheers
[10:43] <ikee> Ciaoo

Thanks to jd over at http://blog.jeltel.com.au for this chat.

Tags: default passwords, ikee, iphones, James, Mr Astley, password, Rick Astley, virus, wallpaper background

Leave a Reply

Name (required)

Mail (will not be published) (required)

Website