Threat behavior
Worm:iPhoneOS/Ikee.B is a worm that affects mobile devices running the iPhone operating system. It spreads among jail-broken iPhones by logging in over SSH with the default root password. The term 'jail-broken' refers to iPhones that have been manually modified, allowing the user to access unauthorized features and software.
Installation
When run on an iPhone, this worm takes the following actions:
- Attempts to set a file lock at /var/lock/ssh.lock to verify that only one copy of the worm runs at a time.
- Generates IP ranges and then attempts to spread to devices within these ranges.
Spreads via...
Open ports
This worm's spreading routine consists of checking to see if TCP port 22 is open on the current device. If so, it attempts to use the default SSH password to run an arbitrary command on a target device from the current device.
It creates the following folder in a target device:
/private/var/mobile/home
It then copies the following file from the current device to the target device:
/private/var/mobile/home/cydia.tgz
It then runs this file using the following command:
cd /private/var/mobile/home/;tar xzf cydia.tgz;./inst
Payload
Installs components
The worm installs components from the archive file 'cydia.tgz' and from other websites including the following:
- Installs curl, which is an HTTP download tool
- May replace the syslog daemon with a fake version, which is detected as Worm:iPhoneOS/Ikee.B!A
- Downloads and installs an SQLite package, possibly to read SMS messages
- Downloads and installs several command packages
- Installs its own service, which is detected as Worm:iPhoneOS/Ikee.B!B, by running the following command:
/bin/launchctl load -w /System/Library/LaunchDaemons/com.apple.period.plist
Connects to a remote server
Worm:iPhoneOS/Ikee.B!script gathers information about the current device and sends it to the IP address 92.61.38.16. It may also download arbitrary files from the same IP address, which are then executed on the device.
/bin/launchctl -w /System/Library/LaunchDaemons/com.apple.period.plist
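The artefacts described above (the lock file, the dropped archive, the LaunchDaemon plist, the remote server address, and the port-22 scanning of generated IP ranges) are all observable from the defender's side. The following Python script is an added example, not part of the original analysis and not code from the worm: it checks a filesystem listing for the paths named in the text and scans a connection log for contact with 92.61.38.16 and for one source opening SSH to many distinct hosts. The `inst` path (derived from the `./inst` command), the connection-log format, the sweep threshold, and all sample input are assumptions constructed for the demonstration.

```python
"""Indicator checks for Worm:iPhoneOS/Ikee.B artefacts.

Added example, not code from the advisory or from the worm. Indicators are
the paths and IP address named in the text; the filesystem listing and the
connection log below are constructed sample input. The 'inst' path and the
log format are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "file", "c2" or "ssh-sweep"
    detail: str


# Host indicators taken from the advisory text. The 'inst' path is assumed
# from the command the worm runs after extracting cydia.tgz.
IKEE_FILE_INDICATORS = {
    "/var/lock/ssh.lock": "worm lock file",
    "/private/var/mobile/home/cydia.tgz": "dropped archive",
    "/private/var/mobile/home/inst": "installer extracted from cydia.tgz (assumed path)",
    "/System/Library/LaunchDaemons/com.apple.period.plist": "persistence LaunchDaemon",
}

# Remote server named in the advisory.
IKEE_C2_IP = "92.61.38.16"

# Constructed filesystem listing of an infected device, with two benign paths.
SAMPLE_FILE_LISTING = [
    "/var/lock/ssh.lock",
    "/private/var/mobile/home/cydia.tgz",
    "/private/var/mobile/home/inst",
    "/System/Library/LaunchDaemons/com.apple.period.plist",
    "/System/Library/LaunchDaemons/com.apple.syslogd.plist",
    "/var/mobile/Library/SMS/sms.db",
]


def scan_filesystem(paths):
    """Return one Finding per path that exactly matches a known Ikee.B artefact."""
    findings = []
    for path in paths:
        description = IKEE_FILE_INDICATORS.get(path)
        if description:
            findings.append(Finding("file", f"{path}: {description}"))
    return findings


# Assumed connection-log format (constructed for this example):
#   <date> <time> TCP <src>:<sport> -> <dst>:<dport>
CONN_RE = re.compile(
    r"^\S+ \S+ TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed log: one device contacting the remote server, then sweeping
# port 22 across its subnet; one benign admin SSH session; one malformed line.
SAMPLE_CONN_LOG = [
    "2009-11-22 10:15:02 TCP 10.0.1.5:49152 -> 92.61.38.16:80",
    "2009-11-22 10:15:10 TCP 10.0.1.5:49153 -> 10.0.1.1:22",
    "2009-11-22 10:15:10 TCP 10.0.1.5:49154 -> 10.0.1.2:22",
    "2009-11-22 10:15:11 TCP 10.0.1.5:49155 -> 10.0.1.3:22",
    "2009-11-22 10:15:11 TCP 10.0.1.5:49156 -> 10.0.1.4:22",
    "2009-11-22 10:15:12 TCP 10.0.1.5:49157 -> 10.0.1.6:22",
    "2009-11-22 10:16:40 TCP 10.0.1.9:50001 -> 10.0.1.20:22",
    "malformed line that the parser must skip",
]


def scan_connections(lines, sweep_threshold=5):
    """Flag contact with the known remote server and SSH sweeps.

    A source that opens TCP/22 to at least `sweep_threshold` distinct hosts
    is reported once; a single SSH session is not reported.
    """
    findings = []
    ssh_targets = defaultdict(set)
    for line in lines:
        m = CONN_RE.match(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dst == IKEE_C2_IP:
            findings.append(Finding("c2", f"{src} contacted {dst}:{dport}"))
        if dport == 22:
            ssh_targets[src].add(dst)
    for src, targets in sorted(ssh_targets.items()):
        if len(targets) >= sweep_threshold:
            findings.append(
                Finding("ssh-sweep", f"{src} opened SSH to {len(targets)} distinct hosts")
            )
    return findings


if __name__ == "__main__":
    for f in scan_filesystem(SAMPLE_FILE_LISTING) + scan_connections(SAMPLE_CONN_LOG):
        print(f"[{f.kind}] {f.detail}")
```

The file check is an exact-path match, so the legitimate `com.apple.syslogd.plist` is not flagged even though the worm's plist borrows Apple's `com.apple.` naming; a real deployment would also want to verify the signature or hash of anything under `/System/Library/LaunchDaemons` that is not part of the shipped firmware. The sweep rule keys on distinct destinations per source, which separates the worm's range scanning from a single administrator's SSH session.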
Analysis by Dan Kurc
Prevention