iPhoneOS/Eeki.B!worm
Analysis
This worm targets jailbroken iPhones whose owner forgot to change root's password. It does not affect iPhones that are not jailbroken. More precisely, an iPhone is at risk:
- if it is jailbroken
- AND if root's password is set to the default value 'alpine'
- AND if the device is connected to a Wi-Fi network or LAN to which an infected device is also connected, OR if the device is connected to a telecom operator's network that is scanned by the worm. Basically, this happens as soon as the iPhone is online (with a valid SIM card).
Technical Details
This worm uses the same weakness as HackerTool/iPhoneStealer, i.e. it scans networks for iPhones whose root password is still set to the default ('alpine').
In this version, the scanning daemon is named 'sshd' (probably so as not to look suspicious). It is run once when the iPhone boots and randomly scans the following IP ranges for vulnerable devices:
192.168.0.0-192.168.3.255 94.157.100.0-94.157.255.255 87.103.52.255-87.103.66.255 94.157.0.0.0-120.157.99.255 114.72.0.0-114.75.255.255 92.248.90.0-92.248.120.255 81.217.74.0-81.217.74.255 84.224.60.0-84.224.80.255 188.88.100.0-188.88.160.255 77.248.140.0-77.248.146.255 77.54.160.0-77.54.190.255 80.57.116.0-80.57.131.255 84.224.0.0-84.224.63.255
Once a vulnerable device is found, the worm connects as root via SSH and copies itself over as a tarball named cydia.tar.gz. Cydia is a well-known package manager for jailbroken iPhones, so the name is likely to go unnoticed by the victim. On the new iPhone, cydia.tar.gz is unpacked in /private/var/mobile/home and the script ./inst is run to install the worm on the device.
The worm package cydia.tar.gz contains the following files:
- inst: installation script.
- duh: HTTP communication module (used by the syslog script below)
- syslog: malicious script which sends stolen information to a remote HTTP server, waits for an answer and finally executes the answer script.
- curl_7.19.4-6_iphoneos-arm.deb: legitimate cURL package for iPhone, used by the worm
- com.apple.period.plist: property list (plist) file for the worm. It runs the malicious syslog script every 300 seconds. The installation script (inst) moves this file to /System/Library/LaunchDaemons.
- /System/Library/LaunchDaemons/com.apple.ksyslog.plist: this existing file is overwritten by the malware's property list, which runs the malicious sshd script at boot.
- /private/var/mobile/home/com.apple.periodic.plist: same as com.apple.period.plist, but launches the malicious syslog script only every 2000 seconds.
- /private/var/mobile/home/sqlite3_3.5.9-9_iphoneos-arm.deb: genuine SQLite package for iPhone, used by the worm.
- /private/var/mobile/home/adv-cmds_119-5_iphoneos-arm.deb: genuine package containing Unix utilities such as finger and ps, used by the worm.
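A defender-side triage check built from the file list above, as an added example that is neither the page's nor Fortinet's own code. It runs against a filesystem root (a mounted device backup or, as here, a constructed test tree) and assumes the overwritten com.apple.ksyslog.plist points into the unpack directory /private/var/mobile/home, which the analysis names as the worm's location but does not quote from the plist.

```shell
#!/bin/sh
# Added triage script (not from the page or Fortinet): looks for the
# iPhoneOS/Eeki.B artifacts described in the analysis under a filesystem root.
# Assumption: the malicious com.apple.ksyslog.plist references /private/var/mobile/home.
eeki_check() {
    root="${1%/}"                       # "" or "/x", so "$root/..." stays absolute
    home="$root/private/var/mobile/home"
    ld="$root/System/Library/LaunchDaemons"
    hits=0
    # Files the worm unpacks from cydia.tar.gz into the mobile home directory.
    for f in cydia.tar.gz inst duh syslog com.apple.periodic.plist \
             curl_7.19.4-6_iphoneos-arm.deb \
             sqlite3_3.5.9-9_iphoneos-arm.deb \
             adv-cmds_119-5_iphoneos-arm.deb; do
        if [ -e "$home/$f" ]; then
            echo "found: $home/$f"; hits=$((hits + 1))
        fi
    done
    # inst moves the worm's 300-second timer plist into LaunchDaemons.
    if [ -e "$ld/com.apple.period.plist" ]; then
        echo "found: $ld/com.apple.period.plist"; hits=$((hits + 1))
    fi
    # The boot-time plist is overwritten to start the malicious 'sshd'.
    if [ -e "$ld/com.apple.ksyslog.plist" ] &&
       grep -q '/private/var/mobile/home' "$ld/com.apple.ksyslog.plist"; then
        echo "found: $ld/com.apple.ksyslog.plist launches from mobile home"
        hits=$((hits + 1))
    fi
    echo "indicators: $hits"
    [ "$hits" -eq 0 ]                   # exit status 0 = clean, 1 = infected
}
# Constructed fixture mirroring the dropped files (empty placeholders only).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/private/var/mobile/home" "$d/System/Library/LaunchDaemons"
    if [ "$1" = infected ]; then
        touch "$d/private/var/mobile/home/cydia.tar.gz" "$d/private/var/mobile/home/inst" \
              "$d/private/var/mobile/home/syslog" \
              "$d/System/Library/LaunchDaemons/com.apple.period.plist"
        echo '<string>/private/var/mobile/home/sshd</string>' \
            > "$d/System/Library/LaunchDaemons/com.apple.ksyslog.plist"
    fi
    echo "$d"
}
fx=$(make_fixture infected)
eeki_check "$fx" || echo "verdict: infected, reinstall the OS"
rm -rf "$fx"
```

On a real device the check is run over the root filesystem (`eeki_check /`); any hit should be treated as a full compromise, since the worm has root.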
Recommended Action
The recommended way to remove this worm is to reinstall the operating system. Additionally, if the iPhone is jailbroken, be sure to change the default passwords.
Detection Availability
Product | Detection
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |
Version Updates
Date | Version | Detail
---|---|---
2019-11-08 | 72.92500 |