In other words, Ikee is being rewarded for creating the first worm for the iPhone which has lead to other worms being created which are more malicious such as the Dutch one which steals the bank details of users who use the ING Dutch bank.

The Ikee worm itself was not malicious as it only changed the background of your device to the face of Rick Astley but the worm was also a show-and-tell for other hackers to start hacking the iPhone.

So far there have been two more worms after Ikee. The first being iPhone/Privacy.A which redirect users to a phishing site when they do online banking on their devices through the dutch bank ING.

The second called iBotnet.A takes over your device and starts using as a Botnet, much like a hacker would take over your computer for a botnet.

However as I have mentioned in all the worm related posts, the fix for the exploit in jailbroken iPhone is very easy. HERE IS A GUIDE TO DO IT.

What do you guys think? Do you think Ikee should be rewarded for what he did? Is it wrong?

The second one, called iPhone/Privacy.A attacked users who did online banking with the Dutch bank ING by redirecting them to a phishing site to try and trick them into giving up their bank details.

This virus, called iBotnet.A is also a malicious one. It has the same purpose as botnets on the computer. Once a device is taken over, the hacker can use it to perform attacks on websites by overloading or other such reasons.

The worms only infect jaibroken iPhones and iPod Touchs which have SSH installed and haven’t changed their SSH passwords.

The worms are starting to spread world wide as they are made to duplicated autmatically. There are reports of the worms in Netherlands, Portugal, Hungary and Australia (where Ikke originated from).

Luckily there is an easy fix. It is simply to change the SSH password for your device. If you have not done this you are VERY LIABLE to worms on your device which could end up with hackers stealing sensitive data such as your credit card details.

I cannot stress enough have important it is that you change you SSH password. Not only are you a victim but you will also be spreading the worm.

We have posted a guide on how to change your SSH password here. If you have not done it, do it now!

This worm is targetting Dutch users who user their devices to do eBanking with the Dutch online bank ING. What it does is redirects the ING login page to a phishing site which then steals your data and eventually, your money.

Again this only affects jailbroken devices who use SSH and haven’t changed their default password from ‘Alpine’.

The solution to this problem is actually very simple. To ensure you are not affected by this worm, Ikee’s worm or any other worms that use this exploit, change the default password of your device. HERE IS A GUIDE.

F-Secure have posted all the information they have on the virus and will keep it updated on this page.

As of now, the hacks have been harmless because they simply changed the background of the device but this exploit has the potential to add worms and viruses to your device which could then be used to infect your computer once you have synced it.

Even Charlie Miller, a very well known cyber security expert, has expressed his worry over the exploit.

As he says Apple have their devices very well protected but once users jailbreak them, these protection become less powerful. He is sure that in the next few months, users who do NOT change their SSH password will be vulnerable to a rising number of attacks targetting jailbroken iPhones.

He STRONGLY recommend you to change your SSH password to make sure this does not happen to you. For a guide on how to do that, go HERE.

How to change the default SSH Password:

For this guide, you are going to need MobileTerminal (download it from Cydia):

1. Open the MobileTerminal Application on your device:
   
2. Type in ’su root’ and click enter:
   
3. It will ask for the password so type in ‘alpine’ which is the default password:
   
4. Type in ‘passwd’ and click enter:
   
5. It will ask for a new password (more than 5 characters) so type it in:
   
6. It wil ask your to retype the password:
   

You have now changed your SSH password and protected your iPhone from the SSH hackers!

This time, it’s a guy called Ikee who spreads the worm and ‘rickrolls’ users by changing their background as well.

Plus we have posted an interview with the hacker who explains why and how he did it.

The instructions on how to get rid of it is included in the below interview (via):

[09:02] <JD> Hi ikee Thanks for joining me
[09:02] <ikee> nps
[09:03] <JD> Now, as you’re well aware, you wrote a virus that is infecting many iPhones in Australia. I guess the real question to start with is why?
[09:04] <ikee> First i was curious to how far something like this would actually spread, i think what most people were unaware of is the fact it IS a worm and every phone that got infected with it was spreading it (I initially only infected 3 phones when I woke up i checked google and found out a fair few people were hit with it)
[09:05] <ikee> Secondly i was quite amazed by the number of people who didn’t RTFM and change their default passwords.
[09:07] <JD> How far did you expect it to spread, exactly?
[09:08] <ikee> Well i didn’t think that many people would have not changed their passwords I was expecting to see maybe 10~ or so people, at first I was not even going to add the replicate/worm code but it was a learning experience and i got a tad carried away
[09:11] <JD> Are you aware that it has even started to replicate itself overseas?
[09:13] <ikee> I heard a few stories about it, that would have been sheer luck, the code itself is set to firstly scan the 3G IP range the phone is on, then Optus/Vodafone/Telstra’s IP Ranges (I think the reason Optus got hit so hard is because the other 2 are NAT’d) then a random 20 IP ranges. I’m guessing a few phones hit a range that another vulnerable phone was on.
[09:14] <ikee> (From another country)
[09:15] <JD> Well that was my next question: Why does it only seem to be hitting Optus here and Overseas (I was presuming from screenshots I’ve seen)… So you’re saying the Optus network is more vulnerable due to it not using NAT?
[09:17] <ikee> I don’t think it was an Optus fault (Being an Optus user I quite like the fact i can access my iPhone services from the outside world), I think it was mainly the fault of people being to lazy to change their passwords (It only takes a couple of seconds guys) and I hope this taught a few people that.
[09:18] <JD> So do you know exactly how many people are currently infected with the “ikee virus”?
[09:20] <ikee> I can only confirm how many my phone infected alone, which was 100+ phones. I think most of them fixed it (AND I’M HOPING THEY CHANGED THEIR PASSWORDS.)
[09:21] <JD> So your major defense seems to be that people left themselves vulnerable, Do you steal stuff from people’s houses if they leave the backdoor open?
[09:24] <ikee> I’ll answer your question with two questions, Have you ever used unprotected Wifi? and Technically I did not steal anything, have you ever littered on someone else’s property? (Smokers will definitely associate )
[09:25] <JD> Ok, I suppose I can personally admit to both of them, but it seems alot more to me like vandalism than littering, which isn’t something I would do
[09:27] <ikee> Personally I would class littering as vandalism (They definitely don’t want your rubbish there). I admit I probably pissed of a few people, but it was all in good fun (well ok for me anyway)
[09:30] <JD> So that explains why you decided to use Rick Astley. In my research, I’ve been reading about a similar virus (it seems) that contains a picture of an ‘asian child’ – I havn’t seen screenshots of this, but that’s how it is described. Are you also responsible for the “Asian Child virus”?
[09:32] <ikee> Ahh that was a quirk of my bad coding, the ‘virus’ itself has 4 variations and the first variation would resend its LockBackground.jpg to the victim. I did not comprehend that the infector might have not rebooted their phone after changing the LockBackground to something else (Causing them to send their changed lockbackground instead of Mr Astley)
[09:36] <JD> So it’s the same virus, but now containing a picture of someone’s loved one?
[09:37] <ikee> Yeah, that was definitely not the intended effect.
[09:39] <JD> Are you aware of the possible legal consequences of this (the ikee virus)? Are you concerned?
[09:40] <ikee> I’d like to think I’m aware, and also I highly doubt I’m in any real trouble (So no not concerned)
[09:43] <JD> James01 on Whirlpool asks: at least one person has reported being affected without a jailbreak – seems unlikely given the nature of the phone and what I have garned about the “virus” – is this possible, or are the reports unreliable/mistaken?
[09:44] <ikee> It only affects jailbroken phones, so people probably just got a little confused
[09:45] <JD> vanquish777 on Whirlpool says: What I want to know is, how did I get infected when I had SSH toggled off
[09:46] <ikee> You didn’t , My guess is you had it on and when the ‘virus’ hit, it disabled sshd so when you checked it afterwards it appeared to be off
[09:47] <JD> Which reminds me, many people have said they are no longer able to disable SSH, is this intended to make sure you can do more damage to users?
[09:50] <ikee> This was a hard bit for me to do, until i hit this the virus was not destructive at all. My first intention was to change the root/mobile password to random strings, then embed the strings into the LockBackground. Unfortunately passwd uses a tty (and not stdin) for its new password:request (similar to ssh logins, which is why you might find sshpass in /bin/, i had to port it) so to stop the phone getting infected over and over again (and
[09:50] <ikee> someone else catching on and having mischief with peoples phones) I removed SSHD (cydia reinstall will rememdy the problem)
[09:51] <ikee> (Cydia reinstall of SSH not reinstall Cydia itself)
[09:53] <JD> So you’re saying that the only harm this virus causes is the removal of the SSH Daemon, which effectively, disables the initial problem?
[09:53] <ikee> Well that and the pretty background yes
[09:54] <JD> You mentioned that there are four versions/variants, what are the differences between them?
[09:55] <ikee> Variants A-C were quite similar and the ones most people have bought up. Variant D is fair bit different, it stores its files in a completely different place and hides itself a lot more (No random plists in LaunchDaemons)
[09:56] <JD> So you’re saying that the newest variant is more hidden, is it more malicious?
[09:57] <ikee> It is a lot more hidden, a think most phones tend to be more secured now so it should die pretty fast. It is a little more malicious it tampers with some Cydia files.
[10:01] <JD> Do Android users risk being infected? I’m guessing that the virus would only log in as root:alpine (the default root username and password for the iPhone OS IIRC)
[10:02] <ikee> AFAIK no unless a user decided to use the same passwords, Although there is a weird quirk I read about dropbear in Android allowing any password (A bug with libcrypt I believe) but I could be very wrong.
[10:03] <ikee> But even if an android phone was attacked the platform differences would not allow the code to be run
[10:04] <JD> Just out of curiousity, what do you call what i’ve named the “ikee virus”?
[10:05] <ikee> Its in a folder called POC-iWorm (Proof Of Concept) but I never named it (ikee virus works!)
[10:09] <JD> You yesterday agreed to send me the source code (and removal instructions), what variant will it contain?
[10:10] <ikee> C/D whatever version you want
[10:11] <JD> How about all four? I’ll obviously be placing them online – probably Google Code or similar
[10:13] <ikee> A-C was updated so I don’t have the first 2, I forked D from C. (I don’t know if its so wise posting the code online, nefarious people that otherwise would not have had the chance could modify it to be quite destructive)
[10:14] <JD> Perhaps, But it has become quite clear that there’s a load of people that are unsecure, and if anyone wants to do anything bad enough, they are already going to know how.
[10:15] <JD> I guess i’m hoping that the jailbreak software will soon have a “enter new root password” prompt for those users that are un-aware.
[10:15] <ikee> I’ll leave the choice up to you
[10:15] <ikee> I’d love to see that
[10:16] <ikee> or even a random password generated and displayed for the user to write down
[10:17] <JD> Yes, it would be very good. I had an iPod Touch a while ago, which I “jailbroke” – admittedly I didn’t change the default password. I guess i’m just glad it’s not me.
[10:17] <JD> Do you plan on making any further variants? If so, why?
[10:18] <ikee> No, I think the point has been made
[10:18] <JD> Have you developed anything PRODUCTIVE in the iPhone world?
[10:21] <ikee> I’m not too sure what others would class productive. I do not own a MAC or run OSX (Using a linux cross compile toolchain) so it makes it abit of a challenge to develop any applications utilising the UI (I have tho -.-). I think the best program ive developed for it for me was a remote debugging library that sends debug information over the network (Using MCAST)
[10:23] <JD> Do you have anything further to add (I’m having a mental blank on questions to ask right now)
[10:26] <ikee> I hope I did not piss off many people, this was a very simple problem and has an even simplier solution. I thought it was quite funny and I hope others did too
[10:27] <JD> You mentioned infecting only three iPhones to being with, when did that happen?
[10:28] <ikee> Around 4am November 6th (Yeah I have no life)
[10:31] <JD> To confirm, other than replicating itself, adding the picture of Rick Astley, and removing the SSH Daemon, are we likely to find anything else it does?
[10:32] <ikee> Nothing, and if you’re releasing the source code people will be able to see that
[10:33] <JD> Can you please explain to me, how an infected user would remove the different versions correctly?
[10:33] <JD> by correctly, I mean completely.
[10:33] <ikee> Sure, variants A-C store files in these directories
[10:34] <ikee> /bin/poc-bbot
[10:34] <ikee> /bin/sshpass
[10:34] <ikee> /var/log/youcanbeclosertogod.jpg
[10:34] <ikee> /var/mobile/LockBackground.jpg
[10:35] <ikee> /System/Library/LaunchDaemons/com.ikey.bbot.plist
[10:35] <ikee> /var/lock/bbot.lock
[10:35] <ikee> using an rm (in SSH or mobile-terminal on those files will remove it)
[10:36] <ikee> then reboot the phone, change your password and reinstall SSH
[10:36] <ikee> For variant D its abit different
[10:36] <ikee> The locations are
[10:37] <ikee> /usr/libexec/cydia/startup
[10:37] <ikee> /usr/libexec/cydia/startup.so
[10:37] <ikee> /usr/libexec/cydia/startup-helper
[10:37] <ikee> /System/Library/LaunchDaemons/com.saurik.Cydia.Startup.plist
[10:38] <ikee> Of course cydia used these files previously so you may need to reinstall it after deleting this files
[10:38] <ikee> *these
[10:38] <JD> So the D variant overwrites system files?
[10:39] <ikee> Overwrits cydia’s files
[10:39] <ikee> *Overwrites
[10:39] <JD> Sorry, I’m not an expert at the iPhone OS
[10:39] <ikee> Neither
[10:40] <JD> So none of your versions do contain any password changing commands?
[10:40] <JD> I mean, so when I provide uninstall instructions, I can tell them to use alpine as the password ?
[10:41] <ikee> None of the code changes passwords
[10:42] <JD> Thanks for your time ikee, and I really hope you do get into developing things that are productive sometime soon.
[10:42] <ikee> me too and no problems
[10:42] <JD> Perhaps on the Android platform (Yes, I know, I’m a fanboy)
[10:42] <ikee> I just downloaded the x86 iso, so maybe
[10:43] <JD> I’ll ask you more about that after I end this logging session, Cheers
[10:43] <ikee> Ciaoo
End of #Interview_Room buffer    Sun Nov 08 10:43:58 2009

Preventation:

The only way to prevent these attacks is to change the default password of SSH after you install it. Eventually hackers will find a worse way to attack devices using this exploit so change your passwords now!

HERE is a guide showing how!

A dutch hacker has come up with a cunning plan on how to make some extra euros using his hacking skills. What he does it take over you iPhone and then demand a €5 donation and then he will give you iPhone back under your control.

He’s done it by scanning for all the iPhone users who had SSH enabled on their phones and then changed some files in the system making the following message come up on their phone:

Your iPhone’s been hacked because it’s really insecure! Please visit doiop.com/iHacked and secure your iPhone right now! Right now, I can access all your files.

The link (taken down now) brought you to his Paypal account were he asked for €5 in return for instructions on how to fix and ’secure’ your device once again.

If you don’t pay, it’s fine by me, but remember, the way I got access to your iPhone can be used by thousands of others-they can send text messages from your number (like I did), use it to call or record your calls, and actually whatever they want, even use it for their hacking activities! I can assure you, I have no intention of harming you or whatever, but, some hackers do! It’s just my advice to secure your phone.

The website has now been taken down and he is offering the intructions for free. Here are the instructions for anyone who was affected by this:

Ok plan’s changed. Here’s what to do, good luck and contact me if you have any questions

1. Get an SSH program like putty for windows.
2. SSH to your iPhone. (If you haven’t done that before it may take a while, and after that there might come a warning about a key fingerprint. You can just accept that). Login using username “root” and password “alpine”. (this is the default password)
3. There’s a few commands you have to execute, best is to just copy them:
rm /System/Library/LaunchDaemons/com.apple.syslog.plist
chown mobile /private/var/mobile/Library/LockBackground.jpg
chmod 666 /private/var/mobile/Library/LockBackground.jpg
mv /private/var/mobile/Documents/LockBackground.backup.jpg /private/var/mobile/Library/LockBackground.jpg
4. That’s everything to remove my stuff. Now there’s one command left to make sure this won’t happen again! (-; Again in putty or any ssh client type: “passwd”. You’ll then be asked for a new password, you can change this into anything you want. The safer the better of course (:

The reason you have to change this password is that it’s default is alpine at ALL iPhones. So if anyone knows that (and all hackers do) they can access your iPhone. Now you’ve changed it this isn’t possible anymore!

If you have any questions or something, mail me and I’ll try to answer them!

PureInfinity92@mailinator.com (oh and btw the program is designed to remove itself so you should already be clear)

The best way to stay safe from a problem like this is to change your SSH password away from the default one. To learn how to click HERE.

Total Commander with an extra plugin called T-Pot is the perfect equivalent to the SSH.I will host the plugin but for Total Commander, you should get it from the creators so you guys always get the newest version.

For Total Commander: Total Commander (EXTERNAL LINK) (1265)
For T-Pot Plugin: T-Pot (1174)

1. Firstly you will need to install the Total Commander program.
2. Download the T-Pot plugin from above. You do not need to extract it.
3. Open the Total Commander program. Because this program is free, you will need to press a certain number to start the program.
4. Then all you need to do is locate the T-Pot plugin you downloaded and double click on it IN THE TOTAL COMMANDER PROGRAM.
5. It should then say something about that this directory contains a plugin and it asks if you want to install it or not. Click yes to install.
6. Once it has finished, on the third row down from the top on the left beside where it says [preload] it says [-c-]. Click on that and change it to [-\-].
7. On the top  it should say T-PoT. Click on it and you are now in the filesystems of your iPhone/iPod Touch.

To me it’s a simply way that SSH. Hope you guys find this guide useful.

Here is who the creator, NukJon, describes his app:

iUSB Tunnel is a simple gui that makes it easy to use SSH, VNC and Tethering with your iPhone over usb on a Windows machine. It’s a free liteweight program and portable so you can run it from a usb stick if you want. It comes loaded with WinSCP, Putty, Firefox Portable, iTunnel, TightVNC and UltraVNC so you don’t have to download those programs.

For the download, there are two different options for you:

• (Download’s removed): .EXE file for easy installation.
• (Download’s removed): This is all the files packed into a .rar file.

What do you guys think of the app? Post in the comments below!