[Update, courtesy of Mikko: this worm targets at least one Dutch bank, and activates when users go to the online bank with an infected iPhone ]
[Update 2, courtesy of Paul Ducklin: how to change the password of an infected phone. I could just tell you what the password is, but you might want to read the whole blog.: http://bit.ly/4JJMCu]
Back in April, I blogged about an article in that month's Virus Bulletin by Mario Ballano Barcena and Alfredo Pesoli about the first serious attempt to creat a Mac botnet. The issue containin that article, by the way, is now available on the Virus Bulletin web site at http://www.virusbtn.com/pdf/magazine/2009/200904.pdf: you have to register with the web site to access it, but registration is free.
Rather more recently, I've blogged several times on threats aimed at users of jailbroken iphones: the latest was posted at http://www.eset.com/threat-center/blog/2009/11/13/when-is-a-worm-not-a-worm. And now there's a worrying convergence.
Over the weekend, I've been seeing reports from several sources of further malware that potentially affects users in the Netherlands, Hungary, Portugal, Brazil and elsewhere. Chester Wisniewski's blog indicates that a wider spread of ISPs is targeted than previously (UPC in the Netherlands and T-Mobile, as well as Optus in Australia, which has already been targeted several times, and unnamed Hungarian and Portuguese providers), and that jailbroken iPod Touch devices are also vulnerable.
The new worm doesn't seem to be particularly .widespread, which isn't surprising, given that the subset of vulnerable device owners should already have shrunken significantly, with jailbroken device users either restoring Apple firmware through iTunes, ie "unjailbreaking", or at least changing the default passwords. (By "vulnerable" we mean iPhones that are not only jailbroken, have SSH installed, and haven't changed passwords.) However, http://www.security.nl/artikel/31542 does suggest a lot of activity on the T-Mobile network.
What is both interesting and disquieting, though, is that it has botnet functionality: if it's able to infect, it connects to Command and Control (C&C) box in Lithuania with the current IP address 184.108.40.206 (that can change!) to upload data and receive instructions from the C&C server. It also changes the default password, so if you find yourself in possession of a compromised device, your best bet is to restore the firmware. In addition, it seems to be looking for banking authentication data (mTANs – see http://en.wikipedia.org/wiki/Transaction_authentication_number).
Irrespective of widespread the threat really is, it should be taken seriously. This has gone way beyond pranks with rickrolling and wallpaper, and even incidental damage such as the draining of an infected device's battery due to network activity. The scope of this particular vulnerability is limited, but by no means exhausted: there is already a lot of source code out there that can be adapted for further threats. However, the recent and rapid escalation from pranks to worm to hacker tool to bot is an indicator of serious attention from fraudsters and other criminals. Neither Apple nor its fans can afford to be complacent about the supposed superiority of Apple products in terms of safety and security: Big Brother's criminal counterpart is out there scanning for vulnerabilties.
What we're seeing now is less the unarguable difference between safe and unsafe platforms, than a difference in volume. And that merits serious attention.
Hat tip to Chester Wisniewski and Mikko Hypponen for making available some of the information here.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET