iPhoneOS/Eeki.A!worm - Released Dec 15, 2009 - Last Updated Dec 16, 2009
Aliases: iPhoneOS.Ikee
Visible Symptoms
- The background image of the phone is changed to a photo of Rick Astley. In a few rare cases, infected victims have reported the background image to be the picture of a child; this corresponds to an early version of the worm.
- The SSH daemon has been killed and erased.
Detailed Analysis
This worm affects jailbroken iPhones. It propagates onto devices on which the default root password (alpine) has not been changed.
This worm does not affect un-jailbroken iPhones.
Technical Details
The worm randomly scans the following IP ranges for vulnerable devices:
- 192.168.0.0-192.168.255.255
- 202.81.64.0-202.81.79.255
- 23.98.128.0-123.98.143.255
- 120.16.0.0-120.23.255.255
- 114.72.0.0-114.75.255.255
- 203.2.75.0-203.2.75.255
- 210.49.0.0-210.49.255.255
- 203.17.140.0-203.17.140.255
- 203.17.138.0-203.17.138.255
- 211.28.0.0-211.31.255.255
- 58.160.0.0-58.175.255.25
Once a vulnerable device is found, the worm logs in as root over SSH and uploads its files to the new victim:
- /bin/sshpass: non-interactive SSH password provider ported to iPhoneOS
- /bin/poc-bbot: malicious daemon
- /var/log/youcanbeclosertogod.jpg: picture of Rick Astley
- /var/mobile/Library/LockBackground.jpg: a copy of /var/log/youcanbeclosertogod.jpg
- /System/Library/LaunchDaemons/com.ikey.bbot.plist: malicious daemon property list (launchd) file
The worm performs the following actions:
- removes the old background image and replaces it with Rick Astley's picture
- ensures the malicious daemon is launched again after a reboot (via the LaunchDaemons plist)
- kills the legitimate SSH daemon, so the device can no longer be reached the same way
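The file list above gives a simple way to check a jailbroken device (or a mounted copy of its filesystem) for this worm. The script below is an added example, not a Fortinet tool; the ROOT argument and the ikee_scan function name are assumptions so the same check can be run against a mounted backup directory instead of the live root.

```shell
#!/bin/sh
# Added example: look for the Ikee/Eeki.A file indicators named in this
# analysis under a given root (default "/"). Not part of the original page.

IKEE_INDICATORS="/bin/poc-bbot
/System/Library/LaunchDaemons/com.ikey.bbot.plist
/var/log/youcanbeclosertogod.jpg
/bin/sshpass"

# ikee_scan [ROOT]: print every indicator present under ROOT.
# Returns 1 if at least one indicator was found, 0 if none were.
ikee_scan() {
    root="${1:-/}"
    found=0
    for f in $IKEE_INDICATORS; do
        if [ -e "$root$f" ]; then
            echo "FOUND: $root$f"
            found=1
        fi
    done
    # The worm kills sshd after infection; on a live device a missing sshd
    # on a phone that had SSH enabled is worth a second look (informational).
    if [ "$root" = "/" ] && command -v pgrep >/dev/null 2>&1 \
        && ! pgrep -x sshd >/dev/null 2>&1; then
        echo "NOTE: no sshd process is running"
    fi
    return $found
}

# Run against the live root when executed directly on the device.
ikee_scan "$@"
```

If any indicator is found, remove the listed files and the launchd plist, then change the root password before re-enabling SSH; a device that still uses the default password will simply be reinfected.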
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.