Worm:iPhoneOS/Ikee.C


Worm:iPhoneOS/Ikee.C is a worm that affects mobile devices running iPhone OS. It spreads among jailbroken iPhones by logging in over SSH with the default root password, which many jailbroken devices leave unchanged. The worm also replaces the affected device's lock-screen background image.


What to do now

Remediation instructions are not currently available for this malware.

Threat behavior

Installation
When run on an iPhone, this worm takes the following actions:
 
  1. Attempts to take a file lock on /var/lock/bbot.lock so that only one copy of the worm runs at a time.
  2. Attempts to copy the file /var/log/youcanbeclosertogod.jpg to /var/mobile/Library/LockBackground.jpg, replacing the lock-screen wallpaper.
  3. Deletes the SSH daemon binary /usr/sbin/sshd (a file, not a directory) and stops the running SSH daemon, closing the SSH access it used to get in.
  4. Attempts to spread to several hard-coded IP ranges.
 
When the worm infects a remote host, it copies /bin/poc-bbot (the worm's own executable), /bin/sshpass and /var/log/youcanbeclosertogod.jpg from the local system to the remote system; sshpass is the utility that supplies the root password non-interactively to the ssh and scp commands the worm runs. It also copies /var/log/youcanbeclosertogod.jpg to /var/mobile/Library/LockBackground.jpg on the remote system.
 
The file /System/Library/LaunchDaemons/com.ikey.bbot.plist is also copied to the remote system and the following command is run there:
"launchctl load /System/Library/LaunchDaemons/com.ikey.bbot.plist"
 
This command makes launchd start the worm on the remote machine immediately and, because the plist lives in /System/Library/LaunchDaemons, launchd loads it again at every reboot, giving the worm persistence.
 
The worm then remotely stops the SSH daemon and removes the SSH service's automatic start on reboot. This closes the door it came in through to other attackers, and it also means the infected device can no longer be reached over SSH to clean it up.
 
Analysis by Dan Kurc

Symptoms

System changes
The following system changes may indicate the presence of this malware:
  • The affected user's iPhone lock-screen background image changes unexpectedly.
  • SSH access to a jailbroken device that previously accepted it stops working, and /usr/sbin/sshd is missing.
  • The files /var/lock/bbot.lock, /bin/poc-bbot, /bin/sshpass, /var/log/youcanbeclosertogod.jpg or /System/Library/LaunchDaemons/com.ikey.bbot.plist are present.
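The script below is an added example, not part of the Microsoft analysis, that turns the installation steps and the indicators above into a check. It walks a filesystem root (the device itself, or a mounted copy of its filesystem) looking for every artifact the entry names, for the removed sshd binary sitting next to the worm's launchd job, and for a lock-screen wallpaper that is byte-for-byte the worm's image. The function name ikee_c_check, the use of /usr/sbin/sshd as the "was SSH installed" marker, and the sample directory tree used in the usage note are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the Microsoft analysis): scan a filesystem root for
# the Worm:iPhoneOS/Ikee.C artifacts named in the entry.
#
# ikee_c_check [ROOT]
#   ROOT defaults to / (run on the device, or point it at a mounted copy of
#   the device's filesystem). Prints one line per indicator found, sets
#   IKEE_C_FOUND to the number of indicators, and returns 0 when the tree is
#   clean and 1 when anything was found.

ikee_c_check() {
    root="${1:-/}"
    root="${root%/}"          # strip a trailing slash so "$root$path" joins cleanly
    found=0
    plist=/System/Library/LaunchDaemons/com.ikey.bbot.plist

    # Files the analysis says the worm creates or copies onto a victim:
    # its lock file, its executable, the bundled sshpass, the wallpaper it
    # drops, and the launchd job that restarts it at boot.
    for path in \
        /var/lock/bbot.lock \
        /bin/poc-bbot \
        /bin/sshpass \
        /var/log/youcanbeclosertogod.jpg \
        "$plist"
    do
        if [ -e "$root$path" ]; then
            echo "FOUND: $path"
            found=$((found + 1))
        fi
    done

    # The worm deletes /usr/sbin/sshd after arriving over SSH. A missing sshd
    # binary next to the worm's launchd job is a stronger signal than the
    # missing binary alone (a device that never had OpenSSH also lacks it).
    if [ -e "$root$plist" ] && [ ! -e "$root/usr/sbin/sshd" ]; then
        echo "FOUND: $plist present but /usr/sbin/sshd has been removed"
        found=$((found + 1))
    fi

    # The worm overwrites the lock-screen wallpaper with its own image, so a
    # byte-for-byte match between the two files is another indicator.
    src="$root/var/log/youcanbeclosertogod.jpg"
    dst="$root/var/mobile/Library/LockBackground.jpg"
    if [ -f "$src" ] && [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        echo "FOUND: LockBackground.jpg is identical to the worm's wallpaper"
        found=$((found + 1))
    fi

    IKEE_C_FOUND=$found
    [ "$found" -eq 0 ]
}
```

Because the worm removes sshd, the check has to run from a terminal on the device or against an offline copy of its filesystem (for example `ikee_c_check /mnt/iphone`); it cannot be pushed to the device over SSH once it is infected. A constructed tree containing bbot.lock, poc-bbot, the plist and matching wallpaper files, with no sshd binary, yields six indicators; adding an sshd binary drops that to five.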

Prevention

The worm only reaches jailbroken devices that still accept the default root password over SSH. Changing the root password after jailbreaking, and not leaving an SSH server running on the device when it is not needed, removes the path the worm uses to get in.

Alert level: Severe
First detected by definition: 1.69.906.0
Latest detected by definition: 1.69.906.0 and higher
First detected on: Nov 13, 2009
This entry was first published on: Nov 14, 2009
This entry was updated on: May 05, 2011

This threat is also detected as:
No known aliases