The iKee worm that infected jailbroken iPhones last month was a simple but effective piece of software, and an analysis of it shows how easy it could be for an attacker to build a fairly large, functioning botnet out of mobile devices.
Researchers at SRI International’s Malware Threat Center released a paper on their efforts to reverse-engineer the binary for iKee.B, the second version of the worm to appear this fall, and found that the worm was not an especially advanced piece of work but was quite effective at its main task: turning jailbroken iPhones into bots. The worm infected only iPhones that had been jailbroken, and once on a device it copied all of the phone’s SMS messages and sent them off to a remote host. Like PC-based botnets, iKee.B assigned each infected iPhone a unique identifier so that the command-and-control server could send specific new instructions to each individual device.
The payload of iKee.B was fairly benign, if potentially embarrassing, as these things go, but it clearly demonstrates the potential for greater damage from future attacks.
“Although the iKee.B botnet discussed here admittedly offers a rather limited growth potential, iKee.B nevertheless provides an interesting concept that much of the functionality we have grown to expect from PC-based botnets can be easily migrated into a light-weight smartphone application,” the researchers wrote. “iKee.B demonstrates that a victim holding an iPhone in Australia can be hacked from another iPhone located in Hungary, and forced to exfiltrate its user’s private data to a Lithuanian C&C server, which may then upload new instructions to steal financial data from the Australian user’s online bank account. While it is unclear just how well prepared smartphone users are for this new reality, it is clear that malware developers are preparing for this new reality right now.”
SRI’s research found that the iKee.B code was simple, yet flexible, allowing the attacker to include all of the core botnet functionality he wanted in a relatively small application. In addition to harvesting SMS messages, iKee.B has the ability to query a remote C&C server periodically for new instructions, scan for new victims and execute whatever other instructions the botmaster sends.
The worm is also intriguing in that it doesn’t exploit any actual vulnerability in the iPhone’s architecture. Instead, it takes advantage of the fact that some of the applications iPhone owners use to jailbreak their phones leave behind a running SSH service with a known default password (the root password “alpine” that the jailbreak SSH packages ship with). The worm scans for devices with SSH reachable, logs in with that password and copies itself onto them. It also changes the SSH password, so the default no longer works once a device has been infected.
Once the installation is complete, iKee.B begins talking directly to the C&C server, which was located in Lithuania during the outbreak in November. The check-in script runs every five minutes, giving the botmaster a recurring opportunity to push changes to the infected device.
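The same weakness the worm relied on is something a defender can audit for directly. The script below is an added example written for this article, not SRI’s analysis code or anything from the worm: it sweeps a network for hosts exposing SSH and reports whether the root account still accepts the default password “alpine”. It only reports; nothing is copied to or executed on the target. The `paramiko` dependency, the 192.168.1.0/24 default range and the hosts used in the offline check are assumptions for the illustration. Run it only against networks you are authorised to test.

```python
"""Added example (not SRI's or the worm's code): an authorised audit scanner
that finds hosts exposing SSH and reports whether root still accepts the
well-known default password that jailbreak SSH packages shipped with.
Run it solely against networks you are authorised to test."""
import ipaddress
import socket
from dataclasses import dataclass

DEFAULT_ROOT_PASSWORD = "alpine"  # well-known default root password on jailbroken iPhones
SSH_PORT = 22


def parse_ssh_banner(data: bytes):
    """Return the server's identification line ('SSH-protoversion-softwareversion',
    RFC 4253) from the first bytes it sends, or None if this is not an SSH server."""
    line = data.split(b"\n", 1)[0].rstrip(b"\r")
    if not line.startswith(b"SSH-"):
        return None
    return line.decode("ascii", "replace")


def grab_ssh_banner(host: str, port: int = SSH_PORT, timeout: float = 1.0):
    """Connect and read the banner; None if the port is closed or not SSH."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return parse_ssh_banner(s.recv(256))
    except OSError:
        return None


def default_password_accepted(host: str, port: int = SSH_PORT, timeout: float = 5.0) -> bool:
    """One login attempt as root with the default password; nothing is run on the host.
    Uses paramiko (third-party; assumption: installed with `pip install paramiko`)."""
    import paramiko
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(host, port=port, username="root", password=DEFAULT_ROOT_PASSWORD,
                       timeout=timeout, allow_agent=False, look_for_keys=False)
        return True
    except paramiko.AuthenticationException:
        return False
    except (paramiko.SSHException, OSError):
        return False
    finally:
        client.close()


@dataclass
class Finding:
    host: str
    banner: str
    default_password: bool


def audit(network: str, banner_fn=grab_ssh_banner, login_fn=default_password_accepted):
    """Probe every address in the CIDR; return one Finding per SSH host.
    banner_fn/login_fn are injectable so the logic can be exercised offline."""
    findings = []
    for addr in ipaddress.ip_network(network, strict=False).hosts():
        host = str(addr)
        banner = banner_fn(host)
        if banner is None:
            continue
        findings.append(Finding(host, banner, login_fn(host)))
    return findings


def exposed(findings):
    """Hosts a worm like iKee.B could take over outright: SSH up, default root password."""
    return [f.host for f in findings if f.default_password]


if __name__ == "__main__":
    import sys
    # Assumed default range for the illustration; pass your own CIDR as argv[1].
    for f in audit(sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"):
        status = "DEFAULT ROOT PASSWORD ACCEPTED" if f.default_password else "password changed"
        print(f"{f.host:15} {f.banner:30} {status}")
```

Every host in `exposed()` is one `passwd` command away from being safe: change the root (and mobile) password on the device, or remove the SSH package if it is not needed.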
“[When] the C&C server receives the bot client checkin, it has the option to send back new programming logic in the form of a new iPhone shell script. This script is then redirected by syslog into [a] temporary file called .tmp. Next, syslog invokes [...] scrapes the .tmp file for valid iPhone shell script lines, and puts these lines in a file called /private/var/mobile/home/heh. Finally, [...] function invokes the heh script, executing any commands the bot master wishes to issue to the infected iPhone,” the researchers wrote.
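A bot that polls its C&C on a fixed five-minute timer leaves a regular rhythm in outbound connection records, which is something a network defender can look for without knowing the server address in advance. The following is an added example for this article, not code from SRI’s paper or from the worm: it groups flow records by source, destination and port and flags pairs whose inter-arrival times are nearly constant. The flow records, the client addresses and the C&C address (203.0.113.10) are constructed for the illustration; the worm’s real server address is not given in this article.

```python
"""Added example (not SRI's or the worm's code): flag fixed-interval check-ins
in outbound connection logs, the pattern a five-minute C&C poll leaves behind."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (unix_time, src_ip, dst_ip, dst_port).
# 10.0.0.5 polls 203.0.113.10 every ~300 s; 10.0.0.7 is ordinary browsing.
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "203.0.113.10", 80),
    (1300, "10.0.0.5", "203.0.113.10", 80),
    (1601, "10.0.0.5", "203.0.113.10", 80),
    (1899, "10.0.0.5", "203.0.113.10", 80),
    (2200, "10.0.0.5", "203.0.113.10", 80),
    (1005, "10.0.0.7", "203.0.113.20", 443),
    (1040, "10.0.0.7", "203.0.113.20", 443),
    (1061, "10.0.0.7", "203.0.113.20", 443),
    (1500, "10.0.0.7", "203.0.113.20", 443),
    (1510, "10.0.0.7", "203.0.113.20", 443),
    (1900, "10.0.0.7", "203.0.113.20", 443),
]


def beacon_candidates(flows, min_hits=4, max_jitter=0.10):
    """Return {(src, dst, port): period_seconds} for pairs whose gaps between
    connections are nearly constant (coefficient of variation <= max_jitter).
    min_hits guards against calling two or three coincidental hits a beacon."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst, port)].append(ts)

    candidates = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            candidates[pair] = avg
    return candidates


def infected_hosts(flows, period=300, tolerance=0.05, **kw):
    """Sources beaconing at roughly the given period (default: iKee.B's five minutes)."""
    return sorted({src for (src, _dst, _port), p in beacon_candidates(flows, **kw).items()
                   if abs(p - period) <= period * tolerance})


if __name__ == "__main__":
    for (src, dst, port), period in beacon_candidates(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{port} every {period:.0f}s")
    print("five-minute beacons from:", infected_hosts(SAMPLE_FLOWS))
```

A real deployment would read NetFlow or proxy logs instead of the inline list and would whitelist known periodic traffic (NTP, update checks, monitoring agents), which this filter would otherwise flag just as readily; the interval test is the detection, the allow-list is what keeps it usable.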
The SRI research is one of the first comprehensive analyses published of a piece of mobile malware like iKee.B, and it shows clearly that attackers are not content with their success on the PC platform. The iPhone, Android and other advanced smartphones are targets that are simply too good to pass up.