iPhone Worm Was Simple, Yet Effective, Analysis Shows

The iKee worm that was infecting jailbroken iPhones last month was a simple, yet effective, piece of software that shows how easy it might be for an attacker to create a fairly large, functioning botnet comprising mobile devices, an analysis of the worm shows.

The iKee worm that was infecting jailbroken iPhones last month was a simple, yet effective, piece of software that shows how easy it might be for an attacker to create a fairly large, functioning botnet comprising mobile devices, an analysis of the worm shows.

Researchers at SRI International’s Malware Threat Center released a paper on their efforts to reverse-engineer the binary for iKee.B, the second version of the worm to appear this fall, and found that the worm was not an especially advanced bit of work but was quite effective at its main task: turning jailbroken iPhones into bots. The worm infected only those iPhones that had been jailbroken, and once on the devices, copied all of the phone’s SMS messages and sent them off to a remote host. Like PC-based botnets, iKee.B assigned each infected iPhone a unique identifier so that the command and control server could send specific new instructions to each individual device.

The payload of iKee.B was fairly benign–if potentially embarrassing–as these things go, but clearly demonstrates the potential for greater damage from future attacks.

“Although the iKee.B botnet discussed here admittedly offers a rather
limited growth potential, iKee.B nevertheless provides an interesting
proof of
concept that much of the functionality
we have grown to expect from PC-based botnets can be easily
migrated into a light-weight smartphone application,” the researchers wrote. “iKee.B demonstrates that a victim holding an iPhone in Australia, can
be hacked from another iPhone located in Hungary, and forced to
exfiltrate its user’s private data to a Lithuania C&C server, which
may then upload new instructions to steal financial data from the
Australian user’s online bank account. While it is unclear just
how well prepared smartphone users are to this new reality, it is clear
that malware developers are preparing for this new reality right now.”

SRI’s research found that the iKee.B code was simple, yet flexible, allowing the attacker to include all of the core botnet functionality he wanted in a relatively small application. In addition to harvesting SMS messages, iKee.B has the ability to query a remote C&C server periodically for new instructions, scan for new victims and execute whatever other instructions the botmaster sends.


The worm also is intriguing in that it doesn’t exploit any actual vulnerability in the iPhone’s architecture. Instead, it takes advantage of the fact that some of the applications that iPhone owners use to jailbreak their phones leave behind a running SSH service with a known default password. The worm scans for these devices and then infects them with new copies of iKee.B. It also changes the SSH password.

Once the installation is complete, iKee.B begins talking directly to the C&C server, which was located in Lithuania during the infection outbreak in November. The script runs every five minutes and gives the botmaster the ability to make changes to the infected device.

the C&C server receives the bot client checkin, it has the
option to send back new programming logic in the form of a new iPhone
shell script. This script is then redirected by syslog into
temporary file called .tmp. Next,  syslog invokes
function check,
scrapes the .tmp file for valid iPhone shell script lines, and
puts these lines in a file called /private/var/mobile/home/heh.  Finally,
the check
function invokes the heh script,
executing any commands the bot master wishes to issue to
the infected iPhone,” the researchers wrote.

The SRI research is one of the first comprehensive analyses published of a piece of mobile malware like iKee.B, and it shows clearly that the attackers are not content with their success on the PC platform. The iPhone, Android and other advanced smartphones are targets that are simply to good to pass up.

Suggested articles


  • Paul on

    Thanks for such informative post. There is a pretty simple solution to this problem that will prevent this breed of. But the moral is this: If you jailbreak your iPhone, you should know what a hacker, going by the name "ikee," created a worm that changes the home.

  • currency trading on

    I am attempting to run my own blog but I think its too general and I want to focus more on smaller topics. Being all things to all people is not all that its cracked up to be.

  • currency trading on

    Substantially, the post is actually the best on this notable topic. I harmonize with your decisions and will thirstily look forward to read your incoming updates. Saying thankx will not just be sufficient, for the awesome lucidity in your writing. I will immediately grab your feeds to stay privy of any updates. Solid work and much success in your business dealings!

  • Bloomex.ca on

    There are lot of articles on the web about this. But I like yours more, although i found one that’s more descriptive.

  • Bloomex.ca on

    Many thanks for theexciting blog posting! I really enjoyed reading it, you are a brilliant writer.  I actually added your blog to myfavorites and will look forward for more updates.Great Job,Keep it up..<a href="

    tp://www.bloomex-florist.com/?page_id=2" title="bloomex.ca">bloomex.ca</a>


  • Bloomex on

    Hi,This is a good post, indeed a great job.. You must have done good research for the work, i appreciate your efforts.. Looking for more updates from your side.Thanks

  • Audio Visual Recruitment on

    Thank you for such a fantastic blog. Where else could anyone get that kind of info written in such a perfect way? I have a presentation that I am presently working on, and I have been on the look out for such information.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.