This variant is the first iPhone worm to be created with a distinct financial motivation, as it searches for and forwards financially-sensitive information stored on the iPhone. Fortunately, the control server which receives the stolen information has been taken offline. Users in a number of countries, including the Netherlands and Australia, are affected by this worm.
IKee.B only infects iPhones if:
- The device is 'jailbroken' - hacked by the user in order to install software that hasn't been approved by Apple
- AND an unapproved Secured Shell (SSH) application, which allows remote access to the device, has been installed
- AND the default SSH password for the 'root' user has not been changed from the factory default ('alpine')
Users who have not jailbroken their iPhones, do have have an SSH application installed, or have changed the default SSH password are not affected.
When active on the iPhone, Ikee.B does the following:
- Changes the root password from 'alpine' to 'ohshit'
- Connects to a control server at 220.127.116.11 via HTTP and downloads additional components
- Communicates banking information contained in SMS messages stored on the device to the control server.
While active, the worm attempts to scan for other vulnerable iPhones over the Wi-Fi or 3G networks. If found, the worm proceeds to infect them.