| Alias/es | iPhoneOS.Ikee.B, Eeki.B, iPh/Duh, iBotnet |
| Release Date | Nov 24, 2009 |
| Detection Availability | Current Antivirus Definition Database Version: 12.196 |

Description

Visible Symptoms
- Impossible to log on as root via ssh
- Presence of files duh, inst, sshd, syslog in /private/var/mobile/home/
Detailed Analysis

This worm targets jailbroken iPhones whose owner has not changed the root password. It does not affect iPhones that are not jailbroken. More precisely, an iPhone is at risk:
- if it is jailbroken
- AND if root's password is still set to the default value 'alpine'
- AND if the device is connected to a Wi-Fi or LAN to which an infected device is also connected, OR if the device is connected to a telecom operator's network that is scanned by the worm. In practice, this happens as soon as the iPhone is online (with a valid SIM card).
The worm scans the network for vulnerable iPhones. If a vulnerable iPhone is detected, it spreads to that iPhone, changes its root password, communicates with a remote webserver (down at the time of writing this description) and steals the victim's SMS database.
Technical Details
This worm uses the same weakness as HackerTool/iPhoneStealer, i.e. it scans networks for iPhones whose root password is still set to the default ('alpine').
In this version, the scanning daemon is named 'sshd' (probably so as not to look suspicious). It is started once when the iPhone boots. It randomly scans the following IP ranges for vulnerable devices:
192.168.0.0-192.168.3.255
94.157.100.0-94.157.255.255
87.103.52.255-87.103.66.255
94.157.0.0.0-120.157.99.255
114.72.0.0-114.75.255.255
92.248.90.0-92.248.120.255
81.217.74.0-81.217.74.255
84.224.60.0-84.224.80.255
188.88.100.0-188.88.160.255
77.248.140.0-77.248.146.255
77.54.160.0-77.54.190.255
80.57.116.0-80.57.131.255
84.224.0.0-84.224.63.255
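A defender who wants to know whether an address handed out by an operator or a LAN falls inside the ranges listed above can check it with the following script. This is an added example, not code from the original analysis: it parses the range list exactly as printed (the one entry printed with five octets is reported as unparseable rather than silently dropped), and the function and variable names are my own.

```python
import ipaddress

# The IP ranges exactly as listed in the analysis above (verbatim copy, including
# the entry that is printed with five octets and therefore cannot be parsed).
SCANNED_RANGES_TEXT = """
192.168.0.0-192.168.3.255
94.157.100.0-94.157.255.255
87.103.52.255-87.103.66.255
94.157.0.0.0-120.157.99.255
114.72.0.0-114.75.255.255
92.248.90.0-92.248.120.255
81.217.74.0-81.217.74.255
84.224.60.0-84.224.80.255
188.88.100.0-188.88.160.255
77.248.140.0-77.248.146.255
77.54.160.0-77.54.190.255
80.57.116.0-80.57.131.255
84.224.0.0-84.224.63.255
"""


def parse_ranges(text):
    """Return (ranges, bad): ranges is a list of (first, last) integer pairs,
    bad is the list of lines that are not 'IPv4-IPv4' with two valid addresses."""
    ranges, bad = [], []
    for line in text.split():
        try:
            lo_s, hi_s = line.split("-")
            lo = int(ipaddress.IPv4Address(lo_s))
            hi = int(ipaddress.IPv4Address(hi_s))
        except ValueError:            # AddressValueError is a ValueError subclass
            bad.append(line)
            continue
        if lo > hi:                   # tolerate a reversed pair
            lo, hi = hi, lo
        ranges.append((lo, hi))
    return ranges, bad


def in_scanned_ranges(ip, ranges=None):
    """True if the dotted-quad address lies in any of the worm's scan ranges."""
    if ranges is None:
        ranges, _ = parse_ranges(SCANNED_RANGES_TEXT)
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


def summarize(text=SCANNED_RANGES_TEXT):
    """Count of parsed ranges, total addresses covered, and unparseable lines."""
    ranges, bad = parse_ranges(text)
    total = sum(hi - lo + 1 for lo, hi in ranges)
    return {"ranges": len(ranges), "addresses": total, "unparseable": bad}


if __name__ == "__main__":
    print(summarize())
    for addr in ("192.168.1.20", "84.224.70.1", "10.0.0.1"):
        print(addr, "scanned" if in_scanned_ranges(addr) else "not in list")
```

Note that the first range is the private 192.168.0.0/22 block, so a device on a home Wi-Fi network is in scope whenever an infected device shares that LAN, regardless of the public ranges.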
Once a vulnerable device is found, the worm connects to it as root via ssh and downloads itself as a tarball named cydia.tar.gz. Cydia is a well-known package manager for jailbroken iPhones, so the file name is likely to go unnoticed by the victim. On the new iPhone, cydia.tar.gz is unpacked in /private/var/mobile/home and the script ./inst is run to install the worm on the device.
The worm package cydia.tar.gz contains the following files:
- inst: installation script.
- duh: HTTP communication module (used by the syslog script below)
- syslog: malicious script which sends stolen information to a remote HTTP server, waits for an answer and finally executes the answer script.
- curl_7.19.4-6_iphoneos-arm.deb: legitimate package of CURL for iPhone, used by the worm
- com.apple.period.plist: iPhone property file for the worm. It runs the malicious syslog script every 300 seconds. The installation script (inst) moves this file to /System/Library/LaunchDaemons.
In addition, the following files may be found on the victim's iPhone:
- /System/Library/LaunchDaemons/com.apple.ksyslog.plist: this file is overwritten by the malware's property file, which runs the malicious sshd script at boot.
- /private/var/mobile/home/com.apple.periodic.plist: same as com.apple.period.plist but launches the malicious syslog script every 2000 seconds only.
- /private/var/mobile/home/sqlite3_3.5.9-9_iphoneos-arm.deb: genuine SQLite package for iPhone - used by the worm.
- /private/var/mobile/home/adv-cmds_119-5_iphoneos-arm.deb: genuine package containing Unix utilities such as finger and ps. Used by the worm.
The worm steals information from the victim's iPhone such as its SMS database, iPhoneOS version and SQLite version, and sends that information, tar-gzipped, to a remote webserver (down at the time of writing). In return, the remote web server sends a script which is executed on the victim's iPhone.
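The visible symptoms and the file lists above translate directly into a host check. The script below is an added example, not part of the original analysis or any vendor tool: it walks a device root (the real root when run on a jailbroken device with Python available, or a mounted filesystem image or backup) and reports the worm's files in /private/var/mobile/home and /System/Library/LaunchDaemons. The heuristic for a hijacked com.apple.ksyslog.plist (the file referencing a program under /private/var/mobile/home) and all function names are my own assumptions; the fixture directory it builds is constructed for the demonstration.

```python
import os
import tempfile

# Paths relative to the device root, taken from the file lists in the analysis.
WORM_HOME = "private/var/mobile/home"
WORM_HOME_FILES = (
    "duh", "inst", "sshd", "syslog", "cydia.tar.gz",
    "com.apple.periodic.plist",
    "curl_7.19.4-6_iphoneos-arm.deb",
    "sqlite3_3.5.9-9_iphoneos-arm.deb",
    "adv-cmds_119-5_iphoneos-arm.deb",
)
LAUNCH_DAEMONS = "System/Library/LaunchDaemons"
KSYSLOG_PLIST = "com.apple.ksyslog.plist"   # legitimate file, overwritten by the worm
PERIOD_PLIST = "com.apple.period.plist"     # worm's own plist, moved here by inst


def scan_device_root(root):
    """Look for the worm's indicators under a device root or mounted image."""
    findings = {"home_files": [], "launch_daemons": [], "ksyslog_hijacked": False}
    for name in WORM_HOME_FILES:
        if os.path.exists(os.path.join(root, WORM_HOME, name)):
            findings["home_files"].append(name)
    if os.path.exists(os.path.join(root, LAUNCH_DAEMONS, PERIOD_PLIST)):
        findings["launch_daemons"].append(PERIOD_PLIST)
    ksyslog = os.path.join(root, LAUNCH_DAEMONS, KSYSLOG_PLIST)
    if os.path.isfile(ksyslog):
        with open(ksyslog, "r", errors="replace") as f:
            # Assumption: the overwritten plist points launchd at the malicious
            # sshd in the worm's home directory; a genuine one would not.
            if "/private/var/mobile/home" in f.read():
                findings["ksyslog_hijacked"] = True
    return findings


def is_infected(findings):
    """Any single indicator is enough to flag the device for investigation."""
    return bool(findings["home_files"] or findings["launch_daemons"]
                or findings["ksyslog_hijacked"])


def build_sample_root(base, infected):
    """Constructed fixture: a minimal fake device root, clean or infected."""
    os.makedirs(os.path.join(base, WORM_HOME), exist_ok=True)
    os.makedirs(os.path.join(base, LAUNCH_DAEMONS), exist_ok=True)
    if infected:
        for name in ("duh", "inst", "sshd", "syslog"):   # the visible symptoms
            open(os.path.join(base, WORM_HOME, name), "w").close()
        open(os.path.join(base, LAUNCH_DAEMONS, PERIOD_PLIST), "w").close()
        program = "/private/var/mobile/home/sshd"
    else:
        program = "/usr/sbin/syslogd"   # placeholder for a genuine program path
    with open(os.path.join(base, LAUNCH_DAEMONS, KSYSLOG_PLIST), "w") as f:
        f.write("<plist><dict><key>Program</key><string>%s</string>"
                "</dict></plist>\n" % program)
    return base


def demo():
    """Scan one clean and one infected fixture; returns both findings dicts."""
    with tempfile.TemporaryDirectory() as d:
        clean = scan_device_root(build_sample_root(os.path.join(d, "clean"), False))
        bad = scan_device_root(build_sample_root(os.path.join(d, "bad"), True))
        return clean, bad


if __name__ == "__main__":
    clean, bad = demo()
    print("clean fixture infected:", is_infected(clean), clean)
    print("infected fixture infected:", is_infected(bad), bad)
```

Run it against a real device with `scan_device_root("/")`; the genuine .deb packages it lists are only suspicious in that directory, which is why the check looks for them under /private/var/mobile/home rather than anywhere on the filesystem.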
Description Last Updated Date: Dec 09, 2009
Reference: ID - 1138180