December 18, 2009, 1:23PM

iPhone Worm Was Simple, Yet Effective, Analysis Shows

The iKee worm that was infecting jailbroken iPhones last month was a simple, yet effective, piece of software that shows how easy it might be for an attacker to create a fairly large, functioning botnet comprising mobile devices, an analysis of the worm shows.

Researchers at SRI International's Malware Threat Center released a paper on their efforts to reverse-engineer the binary for iKee.B, the second version of the worm to appear this fall, and found that the worm was not an especially advanced bit of work but was quite effective at its main task: turning jailbroken iPhones into bots. The worm infected only those iPhones that had been jailbroken, and once on the devices, copied all of the phone's SMS messages and sent them off to a remote host. Like PC-based botnets, iKee.B assigned each infected iPhone a unique identifier so that the command and control server could send specific new instructions to each individual device.

The payload of iKee.B was fairly benign--if potentially embarrassing--as these things go, but clearly demonstrates the potential for greater damage from future attacks.

"Although the iKee.B botnet discussed here admittedly offers a rather limited growth potential, iKee.B nevertheless provides an interesting proof of concept that much of the functionality we have grown to expect from PC-based botnets can be easily migrated into a light-weight smartphone application," the researchers wrote. "iKee.B demonstrates that a victim holding an iPhone in Australia can be hacked from another iPhone located in Hungary, and forced to exfiltrate its user's private data to a Lithuanian C&C server, which may then upload new instructions to steal financial data from the Australian user's online bank account. While it is unclear just how well prepared smartphone users are for this new reality, it is clear that malware developers are preparing for this new reality right now."

SRI's research found that the iKee.B code was simple, yet flexible, allowing the attacker to include all of the core botnet functionality he wanted in a relatively small application. In addition to harvesting SMS messages, iKee.B has the ability to query a remote C&C server periodically for new instructions, scan for new victims and execute whatever other instructions the botmaster sends.

Figure: iKee.B architecture

The worm also is intriguing in that it doesn't exploit any actual vulnerability in the iPhone's architecture. Instead, it takes advantage of the fact that some of the applications that iPhone owners use to jailbreak their phones leave behind a running SSH service with a known default password. The worm scans for these devices and then infects them with new copies of iKee.B. It also changes the SSH password.

Once the installation is complete, iKee.B begins talking directly to the C&C server, which was located in Lithuania during the infection outbreak in November. The script runs every five minutes and gives the botmaster the ability to make changes to the infected device.

"When the C&C server receives the bot client checkin, it has the option to send back new programming logic in the form of a new iPhone shell script. This script is then redirected by syslog into a temporary file called .tmp. Next, syslog invokes the function check, which scrapes the .tmp file for valid iPhone shell script lines, and puts these lines in a file called /private/var/mobile/home/heh. Finally, the check function invokes the heh script, effectively executing any commands the bot master wishes to issue to the infected iPhone," the researchers wrote.
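One way a defender could spot the five-minute C&C poll described above from the network side, as an added example that is not part of the article or the SRI paper: it groups outbound connections per destination and flags flows whose inter-arrival times sit tightly around 300 seconds. The log format, device address and C&C address are constructed placeholders, not indicators from the analysis.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log: "timestamp src -> dst:port".
# 203.0.113.10 stands in for a C&C host; the other flows are ordinary traffic.
SAMPLE_LOG = """\
2009-11-22T10:00:03 10.0.0.5 -> 203.0.113.10:80
2009-11-22T10:00:41 10.0.0.5 -> 198.51.100.7:443
2009-11-22T10:05:02 10.0.0.5 -> 203.0.113.10:80
2009-11-22T10:07:15 10.0.0.5 -> 198.51.100.7:443
2009-11-22T10:10:04 10.0.0.5 -> 203.0.113.10:80
2009-11-22T10:15:03 10.0.0.5 -> 203.0.113.10:80
2009-11-22T10:19:30 10.0.0.5 -> 198.51.100.9:443
2009-11-22T10:20:02 10.0.0.5 -> 203.0.113.10:80
"""


def parse(log):
    """Yield (timestamp, src, dst) tuples from the constructed log format."""
    for line in log.splitlines():
        ts, src, _, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(log, period=300, tolerance=0.05, min_hits=4):
    """Return {(src, dst): mean_gap_seconds} for flows whose inter-arrival
    times cluster around `period` seconds (300 s for the 5-minute check-in).

    A timer-driven bot shows a near-constant gap with little jitter, which is
    what the mean-and-spread test below looks for; a human-driven flow does not.
    """
    times = defaultdict(list)
    for ts, src, dst in parse(log):
        times[(src, dst)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:          # too few samples to call it periodic
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg, spread = mean(gaps), pstdev(gaps)
        if abs(avg - period) <= tolerance * period and spread <= tolerance * period:
            beacons[key] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), avg in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon: {src} -> {dst} every {avg:.1f}s")
```

The tolerance and minimum hit count are knobs to tune against the local false-positive rate; legitimate pollers (mail, NTP, update checks) beacon too, so a hit is a lead to correlate with the host-side indicators above, not a verdict on its own.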

The SRI research is one of the first comprehensive analyses published of a piece of mobile malware like iKee.B, and it shows clearly that the attackers are not content with their success on the PC platform. The iPhone, Android and other advanced smartphones are targets that are simply too good to pass up.


Copyright © 2012 threatpost.com