Worm:iPhoneOS/Ikee.B

Classification

Category :

Malware

Type :

Worm

Platform :

iPhoneOS

Aliases :

iPhoneOS/Ikee.B

Summary

Worm:iPhoneOS/Ikee.B is the second variant of the Ikee worm and the first with a clearly malicious attack.

Removal

Restore the iPhone device's factory firmware via Apple iTunes.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

This variant is the first iPhone worm to be created with a distinct financial motivation, as it searches for and forwards financially-sensitive information stored on the iPhone. Fortunately, the control server which receives the stolen information has been taken offline. Users in a number of countries, including the Netherlands and Australia, are affected by this worm.

Infection

IKee.B only infects iPhones if:

  • The device is 'jailbroken' - hacked by the user in order to install software that hasn't been approved by Apple
  • AND an unapproved Secured Shell (SSH) application, which allows remote access to the device, has been installed
  • AND the default SSH password for the 'root' user has not been changed from the factory default ('alpine')

Users who have not jailbroken their iPhones, do have have an SSH application installed, or have changed the default SSH password are not affected.

Execution

When active on the iPhone, Ikee.B does the following:

  • Changes the root password from 'alpine' to 'ohshit'
  • Connects to a control server at 92.61.38.16 via HTTP and downloads additional components
  • Communicates banking information contained in SMS messages stored on the device to the control server.

Propagation

While active, the worm attempts to scan for other vulnerable iPhones over the Wi-Fi or 3G networks. If found, the worm proceeds to infect them.